mirror of
https://github.com/php/php-src.git
synced 2024-09-26 20:37:29 +00:00
Fix buffer overread in libmagic and sync a skipped change from 4.26
This commit is contained in:
parent
174ffefaf4
commit
ca77d8ae31
@ -151,6 +151,7 @@ file_buffer(struct magic_set *ms, php_stream *stream, const char *inname, const
|
||||
{
|
||||
int m;
|
||||
int mime = ms->flags & MAGIC_MIME;
|
||||
const unsigned char *ubuf = buf;
|
||||
|
||||
if (nb == 0) {
|
||||
if ((!mime || (mime & MAGIC_MIME_TYPE)) &&
|
||||
@ -182,15 +183,15 @@ file_buffer(struct magic_set *ms, php_stream *stream, const char *inname, const
|
||||
#if PHP_FILEINFO_UNCOMPRESS
|
||||
/* try compression stuff */
|
||||
if ((ms->flags & MAGIC_NO_CHECK_COMPRESS) != 0 ||
|
||||
(m = file_zmagic(ms, stream, inname, buf, nb)) == 0)
|
||||
(m = file_zmagic(ms, stream, inname, ubuf, nb)) == 0)
|
||||
#endif
|
||||
{
|
||||
/* Check if we have a tar file */
|
||||
if ((ms->flags & MAGIC_NO_CHECK_TAR) != 0 || (m = file_is_tar(ms, buf, nb)) == 0) {
|
||||
if ((ms->flags & MAGIC_NO_CHECK_TAR) != 0 || (m = file_is_tar(ms, ubuf, nb)) == 0) {
|
||||
/* try tests in /etc/magic (or surrogate magic file) */
|
||||
if ((ms->flags & MAGIC_NO_CHECK_SOFT) != 0 || (m = file_softmagic(ms, buf, nb, BINTEST)) == 0) {
|
||||
if ((ms->flags & MAGIC_NO_CHECK_SOFT) != 0 || (m = file_softmagic(ms, ubuf, nb, BINTEST)) == 0) {
|
||||
/* try known keywords, check whether it is ASCII */
|
||||
if ((ms->flags & MAGIC_NO_CHECK_ASCII) != 0 || (m = file_ascmagic(ms, buf, nb)) == 0) {
|
||||
if ((ms->flags & MAGIC_NO_CHECK_ASCII) != 0 || (m = file_ascmagic(ms, ubuf, nb)) == 0) {
|
||||
/* abandon hope, all ye who remain here */
|
||||
if ((!mime || (mime & MAGIC_MIME_TYPE)) && file_printf(ms, mime ? "application/octet-stream" : "data") == -1) {
|
||||
return -1;
|
||||
@ -210,7 +211,7 @@ file_buffer(struct magic_set *ms, php_stream *stream, const char *inname, const
|
||||
* information from the ELF headers that cannot easily
|
||||
* be extracted with rules in the magic file.
|
||||
*/
|
||||
(void)file_tryelf(ms, stream, buf, nb);
|
||||
(void)file_tryelf(ms, stream, ubuf, nb);
|
||||
}
|
||||
#endif
|
||||
return m;
|
||||
|
@ -185,8 +185,8 @@ match(struct magic_set *ms, struct magic *magic, uint32_t nmagic,
|
||||
if (file_check_mem(ms, ++cont_level) == -1)
|
||||
return -1;
|
||||
|
||||
while (magic[magindex+1].cont_level != 0 &&
|
||||
++magindex < nmagic) {
|
||||
while (magindex < nmagic - 1 && magic[magindex + 1].cont_level != 0) {
|
||||
magindex++;
|
||||
m = &magic[magindex];
|
||||
ms->line = m->lineno; /* for messages */
|
||||
|
||||
@ -783,6 +783,7 @@ mcopy(struct magic_set *ms, union VALUETYPE *p, int type, int indir,
|
||||
const char *c;
|
||||
const char *last; /* end of search region */
|
||||
const char *buf; /* start of search region */
|
||||
const char *end;
|
||||
size_t lines;
|
||||
|
||||
if (s == NULL) {
|
||||
@ -791,10 +792,10 @@ mcopy(struct magic_set *ms, union VALUETYPE *p, int type, int indir,
|
||||
return 0;
|
||||
}
|
||||
buf = (const char *)s + offset;
|
||||
last = (const char *)s + nbytes;
|
||||
end = last = (const char *)s + nbytes;
|
||||
/* mget() guarantees buf <= last */
|
||||
for (lines = linecnt, b = buf;
|
||||
lines && ((b = strchr(c = b, '\n')) || (b = strchr(c, '\r')));
|
||||
lines && ((b = memchr(c = b, '\n', end - b)) || (b = memchr(c, '\r', end - c)));
|
||||
lines--, b++) {
|
||||
last = b;
|
||||
if (b[0] == '\r' && b[1] == '\n')
|
||||
|
Loading…
Reference in New Issue
Block a user