From 49387b31cf8bda25a85b6932380001be03d6c8b0 Mon Sep 17 00:00:00 2001 From: Remi Collet Date: Thu, 14 Aug 2014 17:19:03 -0700 Subject: [PATCH 1/2] Fix bug #67716 - Segfault in cdf.c --- NEWS | 11 ++++++----- ext/fileinfo/libmagic/cdf.c | 2 +- 2 files changed, 7 insertions(+), 6 deletions(-) diff --git a/NEWS b/NEWS index a34ea04b3ae..1339ba8b42c 100644 --- a/NEWS +++ b/NEWS @@ -6,11 +6,11 @@ PHP NEWS . Fixed bug #47358 (glob returns error, should be empty array()). (Pierre) - OpenSSL: - . Fixed bug #41631 (socket timeouts not honored in blocking SSL reads) + . Fixed bug #41631 (socket timeouts not honored in blocking SSL reads). (Daniel Lowrey). - Date: - . Fixed bug #66091 (memory leaks in DateTime constructor) (Tjerk). + . Fixed bug #66091 (memory leaks in DateTime constructor). (Tjerk). ?? ??? 2014, PHP 5.4.32 @@ -21,11 +21,12 @@ PHP NEWS - Fileinfo: . Fixed bug #67705 (extensive backtracking in rule regular expression). - (CVE-2014-3538) (Remi) + (CVE-2014-3538). (Remi) + . Fixed bug #67716 (Segfault in cdf.c). (CVE-2014-3587) (Remi) - GD: . Fixed bug #66901 (php-gd 'c_color' NULL pointer dereference). - (CVE-2014-2497) (Remi) + (CVE-2014-2497). (Remi) - Milter: . Fixed bug #67715 (php-milter does not build and crashes randomly). (Mike) @@ -40,7 +41,7 @@ PHP NEWS with control-c). (Dmitry Saprykin, Johannes) - Sessions: - . Fixed missing type checks in php_session_create_id (Yussuf Khalil, Stas). + . Fixed missing type checks in php_session_create_id. (Yussuf Khalil, Stas). - SPL: . Fixed bug #67539 (ArrayIterator use-after-free due to object change during diff --git a/ext/fileinfo/libmagic/cdf.c b/ext/fileinfo/libmagic/cdf.c index 429f3b952f6..2c0a2d9dfcd 100644 --- a/ext/fileinfo/libmagic/cdf.c +++ b/ext/fileinfo/libmagic/cdf.c @@ -820,7 +820,7 @@ cdf_read_property_info(const cdf_stream_t *sst, const cdf_header_t *h, q = (const uint8_t *)(const void *) ((const char *)(const void *)p + ofs - 2 * sizeof(uint32_t)); - if (q > e) { + if (q < p || q > e) { DPRINTF(("Ran of the end %p > %p\n", q, e)); goto out; } From 35f32637b08ca6397829138ed45a0768f592f262 Mon Sep 17 00:00:00 2001 From: Remi Collet Date: Thu, 14 Aug 2014 17:19:03 -0700 Subject: [PATCH 2/2] Fix bug #67716 - Segfault in cdf.c --- NEWS | 9 +++++---- ext/fileinfo/libmagic/cdf.c | 2 +- 2 files changed, 6 insertions(+), 5 deletions(-) diff --git a/NEWS b/NEWS index a34ea04b3ae..b771ce6fd55 100644 --- a/NEWS +++ b/NEWS @@ -6,11 +6,11 @@ PHP NEWS . Fixed bug #47358 (glob returns error, should be empty array()). (Pierre) - OpenSSL: - . Fixed bug #41631 (socket timeouts not honored in blocking SSL reads) + . Fixed bug #41631 (socket timeouts not honored in blocking SSL reads). (Daniel Lowrey). - Date: - . Fixed bug #66091 (memory leaks in DateTime constructor) (Tjerk). + . Fixed bug #66091 (memory leaks in DateTime constructor). (Tjerk). ?? ??? 2014, PHP 5.4.32 @@ -22,10 +22,11 @@ PHP NEWS - Fileinfo: . Fixed bug #67705 (extensive backtracking in rule regular expression). (CVE-2014-3538) (Remi) + . Fixed bug #67716 (Segfault in cdf.c). (CVE-2014-3587) (Remi) - GD: . Fixed bug #66901 (php-gd 'c_color' NULL pointer dereference). - (CVE-2014-2497) (Remi) + (CVE-2014-2497). (Remi) - Milter: . Fixed bug #67715 (php-milter does not build and crashes randomly). (Mike) @@ -40,7 +41,7 @@ PHP NEWS with control-c). (Dmitry Saprykin, Johannes) - Sessions: - . Fixed missing type checks in php_session_create_id (Yussuf Khalil, Stas). + . Fixed missing type checks in php_session_create_id. (Yussuf Khalil, Stas). - SPL: . Fixed bug #67539 (ArrayIterator use-after-free due to object change during diff --git a/ext/fileinfo/libmagic/cdf.c b/ext/fileinfo/libmagic/cdf.c index 429f3b952f6..2c0a2d9dfcd 100644 --- a/ext/fileinfo/libmagic/cdf.c +++ b/ext/fileinfo/libmagic/cdf.c @@ -820,7 +820,7 @@ cdf_read_property_info(const cdf_stream_t *sst, const cdf_header_t *h, q = (const uint8_t *)(const void *) ((const char *)(const void *)p + ofs - 2 * sizeof(uint32_t)); - if (q > e) { + if (q < p || q > e) { DPRINTF(("Ran of the end %p > %p\n", q, e)); goto out; }