
Commit c48169c

smalyshevJulien Pauli
authored and
Julien Pauli
committed
Merge branch 'PHP-5.4' into PHP-5.5
* PHP-5.4: Fix bug #67328 (fileinfo: numerous file_printf calls resulting in performance degradation) Fix bug #67327: fileinfo: CDF infinite loop in nelements DoS
1 parent 432c063 commit c48169c


1 file changed

+11
-13
lines changed

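--- a/ext/fileinfo/libmagic/cdf.c
+++ b/ext/fileinfo/libmagic/cdf.c
@@ -823,6 +823,10 @@ cdf_read_property_info(const cdf_stream_t *sst, const cdf_header_t *h,
 i, inp[i].pi_id, inp[i].pi_type, q - p, offs));
 if (inp[i].pi_type & CDF_VECTOR) {
 nelements = CDF_GETUINT32(q, 1);
+if (nelements == 0) {
+DPRINTF(("CDF_VECTOR with nelements == 0\n"));
+goto out;
+}
 o = 2;
 } else {
 nelements = 1;
@@ -897,7 +901,9 @@ cdf_read_property_info(const cdf_stream_t *sst, const cdf_header_t *h,
 }
 DPRINTF(("nelements = %" SIZE_T_FORMAT "u\n",
 nelements));
-for (j = 0; j < nelements; j++, i++) {
+for (j = 0; j < nelements && i < sh.sh_properties;
+j++, i++)
+{
 uint32_t l = CDF_GETUINT32(q, o);
 inp[i].pi_str.s_len = l;
 inp[i].pi_str.s_buf = (const char *)
@@ -942,7 +948,7 @@ int
 cdf_unpack_summary_info(const cdf_stream_t *sst, const cdf_header_t *h,
 cdf_summary_info_header_t *ssi, cdf_property_info_t **info, size_t *count)
 {
-size_t i, maxcount;
+size_t maxcount;
 const cdf_summary_info_header_t *si =
 CAST(const cdf_summary_info_header_t *, sst->sst_tab);
 const cdf_section_declaration_t *sd =
@@ -957,21 +963,13 @@ cdf_unpack_summary_info(const cdf_stream_t *sst, const cdf_header_t *h,
 ssi->si_os = CDF_TOLE2(si->si_os);
 ssi->si_class = si->si_class;
 cdf_swap_class(&ssi->si_class);
-ssi->si_count = CDF_TOLE2(si->si_count);
+ssi->si_count = CDF_TOLE4(si->si_count);
 *count = 0;
 maxcount = 0;
 *info = NULL;
-for (i = 0; i < CDF_TOLE4(si->si_count); i++) {
-if (i >= CDF_LOOP_LIMIT) {
-DPRINTF(("Unpack summary info loop limit"));
-errno = EFTYPE;
+if (cdf_read_property_info(sst, h, CDF_TOLE4(sd->sd_offset), info,
+count, &maxcount) == -1)
 return -1;
-}
-if (cdf_read_property_info(sst, h, CDF_TOLE4(sd->sd_offset),
-info, count, &maxcount) == -1) {
-return -1;
-}
-}
 return 0;
 }
 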
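Review bot: The new loop bound `i < sh.sh_properties` in the second hunk (the string-vector loop in cdf_read_property_info) stops the out-of-bounds writes to `inp[i]`, but when it fires the vector is silently cut short: `j` is still below `nelements`, nothing is logged, and the caller cannot tell that the property data was truncated, whereas the `nelements == 0` case added in the first hunk logs and bails out via `goto out`. For consistency with that hunk I would treat the truncation as a malformed file too, e.g. `if (j < nelements) { DPRINTF(("CDF_VECTOR truncated at sh_properties\n")); goto out; }` placed right after the loop, assuming `out` performs the same cleanup it does for the first hunk; the enclosing per-property loop of cdf_read_property_info starts and ends outside the hunk, so whether `i` is left consistent for it after an early exit should be checked there. The opening `{` on its own line after the wrapped `for` header also differs from the K&R braces used on the surrounding `if`/`else` lines; `j++, i++) {` would keep the file's style.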