Fixed Bug #66820 out-of-bounds memory access in fileinfo
Upstream fix:
447558595a
Note: the test was changed, with upstream agreement:
-define OFFSET_OOB(n, o, i) ((n) < (o) || (i) >= ((n) - (o)))
+define OFFSET_OOB(n, o, i) ((n) < (o) || (i) > ((n) - (o)))
parent
731013ee8e
commit
a33759fd27
@ -67,6 +67,8 @@ private void cvt_16(union VALUETYPE *, const struct magic *);
|
||||
private void cvt_32(union VALUETYPE *, const struct magic *);
|
||||
private void cvt_64(union VALUETYPE *, const struct magic *);
|
||||
|
||||
#define OFFSET_OOB(n, o, i) ((n) < (o) || (i) > ((n) - (o)))
|
||||
|
||||
/*
|
||||
* softmagic - lookup one file in parsed, in-memory copy of database
|
||||
* Passed the name and FILE * of one file to be typed.
|
||||
@ -1171,7 +1173,7 @@ mget(struct magic_set *ms, const unsigned char *s, struct magic *m,
|
||||
}
|
||||
switch (cvt_flip(m->in_type, flip)) {
|
||||
case FILE_BYTE:
|
||||
if (nbytes < (offset + 1))
|
||||
if (OFFSET_OOB(nbytes, offset, 1))
|
||||
return 0;
|
||||
if (off) {
|
||||
switch (m->in_op & FILE_OPS_MASK) {
|
||||
@ -1206,7 +1208,7 @@ mget(struct magic_set *ms, const unsigned char *s, struct magic *m,
|
||||
offset = ~offset;
|
||||
break;
|
||||
case FILE_BESHORT:
|
||||
if (nbytes < (offset + 2))
|
||||
if (OFFSET_OOB(nbytes, offset, 2))
|
||||
return 0;
|
||||
if (off) {
|
||||
switch (m->in_op & FILE_OPS_MASK) {
|
||||
@ -1258,7 +1260,7 @@ mget(struct magic_set *ms, const unsigned char *s, struct magic *m,
|
||||
offset = ~offset;
|
||||
break;
|
||||
case FILE_LESHORT:
|
||||
if (nbytes < (offset + 2))
|
||||
if (OFFSET_OOB(nbytes, offset, 2))
|
||||
return 0;
|
||||
if (off) {
|
||||
switch (m->in_op & FILE_OPS_MASK) {
|
||||
@ -1310,7 +1312,7 @@ mget(struct magic_set *ms, const unsigned char *s, struct magic *m,
|
||||
offset = ~offset;
|
||||
break;
|
||||
case FILE_SHORT:
|
||||
if (nbytes < (offset + 2))
|
||||
if (OFFSET_OOB(nbytes, offset, 2))
|
||||
return 0;
|
||||
if (off) {
|
||||
switch (m->in_op & FILE_OPS_MASK) {
|
||||
@ -1347,7 +1349,7 @@ mget(struct magic_set *ms, const unsigned char *s, struct magic *m,
|
||||
break;
|
||||
case FILE_BELONG:
|
||||
case FILE_BEID3:
|
||||
if (nbytes < (offset + 4))
|
||||
if (OFFSET_OOB(nbytes, offset, 4))
|
||||
return 0;
|
||||
if (off) {
|
||||
switch (m->in_op & FILE_OPS_MASK) {
|
||||
@ -1418,7 +1420,7 @@ mget(struct magic_set *ms, const unsigned char *s, struct magic *m,
|
||||
break;
|
||||
case FILE_LELONG:
|
||||
case FILE_LEID3:
|
||||
if (nbytes < (offset + 4))
|
||||
if (OFFSET_OOB(nbytes, offset, 4))
|
||||
return 0;
|
||||
if (off) {
|
||||
switch (m->in_op & FILE_OPS_MASK) {
|
||||
@ -1488,7 +1490,7 @@ mget(struct magic_set *ms, const unsigned char *s, struct magic *m,
|
||||
offset = ~offset;
|
||||
break;
|
||||
case FILE_MELONG:
|
||||
if (nbytes < (offset + 4))
|
||||
if (OFFSET_OOB(nbytes, offset, 4))
|
||||
return 0;
|
||||
if (off) {
|
||||
switch (m->in_op & FILE_OPS_MASK) {
|
||||
@ -1558,7 +1560,7 @@ mget(struct magic_set *ms, const unsigned char *s, struct magic *m,
|
||||
offset = ~offset;
|
||||
break;
|
||||
case FILE_LONG:
|
||||
if (nbytes < (offset + 4))
|
||||
if (OFFSET_OOB(nbytes, offset, 4))
|
||||
return 0;
|
||||
if (off) {
|
||||
switch (m->in_op & FILE_OPS_MASK) {
|
||||
@ -1630,14 +1632,14 @@ mget(struct magic_set *ms, const unsigned char *s, struct magic *m,
|
||||
/* Verify we have enough data to match magic type */
|
||||
switch (m->type) {
|
||||
case FILE_BYTE:
|
||||
if (nbytes < (offset + 1)) /* should always be true */
|
||||
if (OFFSET_OOB(nbytes, offset, 1))
|
||||
return 0;
|
||||
break;
|
||||
|
||||
case FILE_SHORT:
|
||||
case FILE_BESHORT:
|
||||
case FILE_LESHORT:
|
||||
if (nbytes < (offset + 2))
|
||||
if (OFFSET_OOB(nbytes, offset, 2))
|
||||
return 0;
|
||||
break;
|
||||
|
||||
@ -1656,33 +1658,33 @@ mget(struct magic_set *ms, const unsigned char *s, struct magic *m,
|
||||
case FILE_FLOAT:
|
||||
case FILE_BEFLOAT:
|
||||
case FILE_LEFLOAT:
|
||||
if (nbytes < (offset + 4))
|
||||
if (OFFSET_OOB(nbytes, offset, 4))
|
||||
return 0;
|
||||
break;
|
||||
|
||||
case FILE_DOUBLE:
|
||||
case FILE_BEDOUBLE:
|
||||
case FILE_LEDOUBLE:
|
||||
if (nbytes < (offset + 8))
|
||||
if (OFFSET_OOB(nbytes, offset, 8))
|
||||
return 0;
|
||||
break;
|
||||
|
||||
case FILE_STRING:
|
||||
case FILE_PSTRING:
|
||||
case FILE_SEARCH:
|
||||
if (nbytes < (offset + m->vallen))
|
||||
if (OFFSET_OOB(nbytes, offset, m->vallen))
|
||||
return 0;
|
||||
break;
|
||||
|
||||
case FILE_REGEX:
|
||||
if (nbytes < offset)
|
||||
if (OFFSET_OOB(nbytes, offset, 0))
|
||||
return 0;
|
||||
break;
|
||||
|
||||
case FILE_INDIRECT:
|
||||
if (offset == 0)
|
||||
return 0;
|
||||
if (nbytes < offset)
|
||||
if (OFFSET_OOB(nbytes, offset, 0))
|
||||
return 0;
|
||||
sbuf = ms->o.buf;
|
||||
soffset = ms->offset;
|
||||
@ -1716,7 +1718,7 @@ mget(struct magic_set *ms, const unsigned char *s, struct magic *m,
|
||||
return rv;
|
||||
|
||||
case FILE_USE:
|
||||
if (nbytes < offset)
|
||||
if (OFFSET_OOB(nbytes, offset, 0))
|
||||
return 0;
|
||||
sbuf = m->value.s;
|
||||
if (*sbuf == '^') {
|
||||
|
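Review bot: The `OFFSET_OOB` definition in the first hunk is what every length check in these hunks now relies on, yet it has no comment explaining why it subtracts instead of adding, so a later upstream sync or a simplification back to `nbytes < (offset + i)` could silently bring back the wrap-around when `offset` is near its maximum. I would add above it `/* True if i bytes at offset o do not fit in n bytes. Compares against n - o so that o + i cannot wrap; n and o must be unsigned and are evaluated twice. */`, plus one line recording that `>` rather than `>=` is deliberate, since the commit message says the comparison was changed from the upstream patch. The declarations of `nbytes` and `offset` are not visible here, and `mget` starts and ends outside these hunks, so the unsigned assumption should be confirmed against the full function. At the three call sites that pass `0` (FILE_REGEX, FILE_INDIRECT, FILE_USE) the second clause can never be true for unsigned operands; that is harmless, but it may draw a type-limits warning.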