Fixed bug #68735 fileinfo out-of-bounds memory access

NEWS

@@ -4,6 +4,13 @@ PHP                                                                        NEWS
 - CGI:
   . Fix bug #68618 (out of bounds read crashes php-cgi). (Stas)
 
+- Fileinfo:
+  . Removed readelf.c and related code from libmagic sources
+    (Remi, Anatol)
+  . Fixed bug #68735 (fileinfo out-of-bounds memory access).
+    (Anatol)
+
+
 18 Dec 2014 PHP 5.4.36
 
 - Core:

ext/fileinfo/libmagic/softmagic.c

@@ -884,14 +884,17 @@ mconvert(struct magic_set *ms, struct magic *m, int flip)
 		size_t sz = file_pstring_length_size(m);
 		char *ptr1 = p->s, *ptr2 = ptr1 + sz;
 		size_t len = file_pstring_get_length(m, ptr1);
-		if (len >= sizeof(p->s)) {
+		sz = sizeof(p->s) - sz; /* maximum length of string */
+		if (len >= sz) {
 			/*
 			 * The size of the pascal string length (sz)
 			 * is 1, 2, or 4. We need at least 1 byte for NUL
 			 * termination, but we've already truncated the
 			 * string by p->s, so we need to deduct sz.
+			 * Because we can use one of the bytes of the length
+			 * after we shifted as NUL termination.
 			 */ 
-			len = sizeof(p->s) - sz;
+			len = sz;
 		}
 		while (len--)
 			*ptr1++ = *ptr2++;

ext/fileinfo/tests/bug68735.phpt

@@ -0,0 +1,16 @@
+--TEST--
+Bug #68735 fileinfo out-of-bounds memory access
+--SKIPIF--
+<?php require_once(dirname(__FILE__) . '/skipif.inc'); ?>
+--FILE--
+<?php
+	$test_file = dirname(__FILE__) . DIRECTORY_SEPARATOR . "bug68735.jpg";
+	$f = new finfo;
+
+	var_dump($f->file($test_file));
+
+?>
+===DONE===
+--EXPECTF--
+string(%d) "JPEG image data, JFIF standard 1.01, comment: "%S""
+===DONE===