Patch for PHP 5.3.3 adapted from:
From 22736b7c56d678f142d5dd21f4996e5819507a2b Mon Sep 17 00:00:00 2001
From: Stanislav Malyshev
Date: Mon, 26 May 2014 17:42:18 -0700
Subject: [PATCH] Fix bug #67327: fileinfo: CDF infinite loop in nelements DoS
Upstream fix: https://github.com/file/file/commit/f97486ef5dc3e8735440edc4fc8808c63e1a3ef0
---
 ext/fileinfo/libmagic/cdf.c | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/ext/fileinfo/libmagic/cdf.c b/ext/fileinfo/libmagic/cdf.c
index 8dacd2f..4712e84 100644
--- a/ext/fileinfo/libmagic/cdf.c
+++ b/ext/fileinfo/libmagic/cdf.c
@@ -760,6 +760,10 @@ cdf_read_property_info(const cdf_stream_
 inp[i].pi_type, (const char *)q - (const char *)p));
 if (inp[i].pi_type & CDF_VECTOR) {
 nelements = CDF_TOLE4(q[1]);
+ if (nelements == 0) {
+ DPRINTF(("CDF_VECTOR with nelements == 0\n"));
+ goto out;
+ }
 o = 2;
 } else {
 nelements = 1;
@@ -815,7 +819,8 @@ cdf_read_property_info(const cdf_stream_
 inp = *info + nelem;
 }
 DPRINTF(("nelements = %d\n", nelements));
- for (j = 0; j < nelements; j++, i++) {
+ for (j = 0; j < nelements && i < sh.sh_properties;
+ j++, i++) {
 uint32_t l = CDF_TOLE4(q[o]);
 inp[i].pi_str.s_len = l;
 inp[i].pi_str.s_buf = (const char *)(&q[o+1]);
-- 
1.9.2
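Review bot: The new `nelements == 0` guard in the CDF_VECTOR branch carries no comment explaining why an empty vector is treated as corrupt input and abandoned via `goto out` rather than simply yielding zero elements, and the reason is not visible from the surrounding lines. Suggest placing `/* a zero-length vector makes the per-element loop below run zero times, so the property loop can fail to advance and spin; reject it (bug #67327) */` above the `if`. The exact mechanism by which `i` fails to advance is outside this hunk, so confirm the wording against the rest of cdf_read_property_info, which starts and ends outside both hunks.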
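Review bot: The added `i < sh.sh_properties` bound keeps the `inp[i]` stores inside the property array, but the reads `CDF_TOLE4(q[o])` and `&q[o+1]` on the following lines are not bounded against the end of the stream anywhere inside this hunk. If the end-of-stream check is performed only after the element has been consumed (it is not visible here), the first element of a vector placed at the tail of the section is still read past the buffer, so it is worth confirming that a check that `&q[o+1]` lies within the stream precedes the read, or adding one with the same `goto out` handling the first hunk uses. The loop body and the enclosing function continue outside the hunk.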