php/archived-php-src
1
0
Fork 0
mirror of https://github.com/php/php-src.git synced 2026-04-04 22:52:40 +02:00
Code Issues Packages Projects Releases Wiki Activity

Fix bug #67327: fileinfo: CDF infinite loop in nelements DoS

Browse Source 
Upstream fix: f97486ef5d
This commit is contained in:
Stanislav Malyshev
2014-05-26 17:42:18 -07:00
parent f9357b44f3
commit 57225f09ed
2 changed files with 11 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
NEWS
View File

@@ -30,6 +30,10 @@ PHP NEWS
. Fixed bug #67081 (DOMDocumentType->internalSubset returns entire DOCTYPE tag,
not only the subset). (Anatol)
- Fileinfo:
. Fixed bug #67327 (fileinfo: CDF infinite loop in nelements DoS).
(CVE-2014-0238).
- FPM:
. Fixed bug #66908 (php-fpm reload leaks epoll_create() file descriptor).
(Julio Pintos)

8
ext/fileinfo/libmagic/cdf.c
View File

@@ -823,6 +823,10 @@ cdf_read_property_info(const cdf_stream_t *sst, const cdf_header_t *h,
i, inp[i].pi_id, inp[i].pi_type, q - p, offs));
if (inp[i].pi_type & CDF_VECTOR) {
nelements = CDF_GETUINT32(q, 1);
if (nelements == 0) {
DPRINTF(("CDF_VECTOR with nelements == 0\n"));
goto out;
}
o = 2;
} else {
nelements = 1;
@@ -897,7 +901,9 @@ cdf_read_property_info(const cdf_stream_t *sst, const cdf_header_t *h,
}
DPRINTF(("nelements = %" SIZE_T_FORMAT "u\n",
nelements));
for (j = 0; j < nelements; j++, i++) {
for (j = 0; j < nelements && i < sh.sh_properties;
j++, i++)
{
uint32_t l = CDF_GETUINT32(q, o);
inp[i].pi_str.s_len = l;
inp[i].pi_str.s_buf = (const char *)