mirror of
https://github.com/php/php-src.git
synced 2024-09-21 18:07:23 +00:00
Merge branch 'PHP-5.5' into PHP-5.6
* PHP-5.5: updated NEWS Fixed bug #68735 fileinfo out-of-bounds memory access
This commit is contained in:
commit
28e44f9d44
@ -918,14 +918,17 @@ mconvert(struct magic_set *ms, struct magic *m, int flip)
|
||||
size_t sz = file_pstring_length_size(m);
|
||||
char *ptr1 = p->s, *ptr2 = ptr1 + sz;
|
||||
size_t len = file_pstring_get_length(m, ptr1);
|
||||
if (len >= sizeof(p->s)) {
|
||||
sz = sizeof(p->s) - sz; /* maximum length of string */
|
||||
if (len >= sz) {
|
||||
/*
|
||||
* The size of the pascal string length (sz)
|
||||
* is 1, 2, or 4. We need at least 1 byte for NUL
|
||||
* termination, but we've already truncated the
|
||||
* string by p->s, so we need to deduct sz.
|
||||
* Because we can use one of the bytes of the length
|
||||
* after we shifted as NUL termination.
|
||||
*/
|
||||
len = sizeof(p->s) - sz;
|
||||
len = sz;
|
||||
}
|
||||
while (len--)
|
||||
*ptr1++ = *ptr2++;
|
||||
|
BIN
ext/fileinfo/tests/bug68735.jpg
Normal file
BIN
ext/fileinfo/tests/bug68735.jpg
Normal file
Binary file not shown.
After Width: | Height: | Size: 24 B |
16
ext/fileinfo/tests/bug68735.phpt
Normal file
16
ext/fileinfo/tests/bug68735.phpt
Normal file
@ -0,0 +1,16 @@
|
||||
--TEST--
|
||||
Bug #68735 fileinfo out-of-bounds memory access
|
||||
--SKIPIF--
|
||||
<?php require_once(dirname(__FILE__) . '/skipif.inc'); ?>
|
||||
--FILE--
|
||||
<?php
|
||||
$test_file = dirname(__FILE__) . DIRECTORY_SEPARATOR . "bug68735.jpg";
|
||||
$f = new finfo;
|
||||
|
||||
var_dump($f->file($test_file));
|
||||
|
||||
?>
|
||||
===DONE===
|
||||
--EXPECTF--
|
||||
string(%d) "JPEG image data, JFIF standard 1.01, comment: "%S""
|
||||
===DONE===
|
Loading…
Reference in New Issue
Block a user