Overview

File php-5.4.20-CVE-2014-3478.patch of Package php5.openSUSE_13.1_Update

X-Git-Url: http://72.52.91.13:8000/?p=php-src.git;a=blobdiff_plain;f=ext%2Ffileinfo%2Flibmagic%2Fsoftmagic.c;h=01e49778bf42811dcb34d8b6e9597922df69520b;hp=21fea6b72647b71fba8b6f56d83f96f612406b2b;hb=e77659a8c87272e5061738a31430d2111482c426;hpb=949cab09f24abb80b8585af744bd964dc17f7401

diff --git a/ext/fileinfo/libmagic/softmagic.c b/ext/fileinfo/libmagic/softmagic.c
index 21fea6b..01e4977 100644
--- ext/fileinfo/libmagic/softmagic.c
+++ ext/fileinfo/libmagic/softmagic.c
@@ -881,10 +881,18 @@ mconvert(struct magic_set *ms, struct magic *m, int flip)
 		return 1;
 	}
 	case FILE_PSTRING: {
-		char *ptr1 = p->s, *ptr2 = ptr1 + file_pstring_length_size(m);
+		size_t sz = file_pstring_length_size(m);
+		char *ptr1 = p->s, *ptr2 = ptr1 + sz;
 		size_t len = file_pstring_get_length(m, ptr1);
-		if (len >= sizeof(p->s))
-			len = sizeof(p->s) - 1;
+		if (len >= sizeof(p->s)) {
+			/*
+			 * The size of the pascal string length (sz)
+			 * is 1, 2, or 4. We need at least 1 byte for NUL
+			 * termination, but we've already truncated the
+			 * string by p->s, so we need to deduct sz.
+			 */ 
+			len = sizeof(p->s) - sz;
+		}
 		while (len--)
 			*ptr1++ = *ptr2++;
 		*ptr1 = '\0';
openSUSE Build Service is sponsored by
Places