clones/php-src
1
0
Fork 0
mirror of https://github.com/php/php-src.git synced 2024-09-25 11:57:26 +00:00
Code Issues Packages Projects Releases Wiki Activity

Fix bug #67327: fileinfo: CDF infinite loop in nelements DoS

Browse Source 
Upstream fix: f97486ef5d
This commit is contained in:
Stanislav Malyshev 2014-05-26 17:42:18 -07:00
parent 44be7b7f27
commit d77ea459bd
1 changed files with 7 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
ext/fileinfo/libmagic/cdf.c
View File

@ -823,6 +823,10 @@ cdf_read_property_info(const cdf_stream_t *sst, const cdf_header_t *h,
i, inp[i].pi_id, inp[i].pi_type, q - p, offs));
if (inp[i].pi_type & CDF_VECTOR) {
nelements = CDF_GETUINT32(q, 1);
if (nelements == 0) {
DPRINTF(("CDF_VECTOR with nelements == 0\n"));
goto out;
}
o = 2;
} else {
nelements = 1;
@ -897,7 +901,9 @@ cdf_read_property_info(const cdf_stream_t *sst, const cdf_header_t *h,
}
DPRINTF(("nelements = %" SIZE_T_FORMAT "u\n",
nelements));
for (j = 0; j < nelements; j++, i++) {
for (j = 0; j < nelements && i < sh.sh_properties;
j++, i++)
{
uint32_t l = CDF_GETUINT32(q, o);
inp[i].pi_str.s_len = l;
inp[i].pi_str.s_buf = (const char *)