PHP :: Sec Bug #67716 :: Segfault in cdf.c

 [2014-07-30 11:59 UTC] remi@php.net

Description:
------------
While testing the patch for CVE-2012-1571, we discovered another possible segfault in cdf.c

#0  0x00fcf2cd in cdf_read_property_info (sst=0xbfb7d9b0, h=0xbfb7ddfc,
offs=167896768, info=0xbfb7d9f8, count=0xbfb7d9f4, maxcount=0xbfb7d938)
    at /usr/src/debug/php-5.3.3/ext/fileinfo/libmagic/cdf.c:776
776                     inp[i].pi_type = CDF_TOLE4(q[0]);

(gdb) p sst->sst_tab
$1 = (void *) 0xa01e690
(gdb) p p
$2 = (const uint32_t *) 0xa01e6c8
(gdb) p e
$3 = (const uint32_t *) 0xa01e970
(gdb) p q
$4 = (const uint32_t *) 0x201e6bf

We have a 32-bit pointer overflow.


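The gdb session above shows q (0x201e6bf) lying far below p (0xa01e6c8): the 32-bit offset read from the property stream was added to p, the address wrapped, and the only check in place, q > e, could not catch it. The following is an added example, not code from PHP or from the file/libmagic project, that models that arithmetic and sets a length-based check beside it. The offset value 0xf7ffffff is an assumption derived from the two addresses printed above (q - p + 8 mod 2^32); the byte pattern of the sample stream is constructed here.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Addresses from the gdb session in this report, reused as constructed
 * sample values. SAMPLE_OFS is assumed: it is the 32-bit offset that turns
 * p into the wrapped q shown in the report. */
#define SAMPLE_P   0x0a01e6c8u
#define SAMPLE_E   0x0a01e970u
#define SAMPLE_OFS 0xf7ffffffu

/* Model of the original logic on a 32-bit target: q is formed as
 * p + ofs - 2*sizeof(uint32_t) in wrapping 32-bit address arithmetic,
 * and only q > e is tested afterwards. */
uint32_t model32_q(uint32_t p, uint32_t ofs)
{
    return p + ofs - (uint32_t)(2 * sizeof(uint32_t));
}

/* Returns 1 when the original check would let the entry through. */
int model32_accepts(uint32_t p, uint32_t e, uint32_t ofs)
{
    uint32_t q = model32_q(p, ofs);
    return q <= e;                       /* a wrapped q passes this test */
}

/* Hardened form: validate ofs against the number of bytes left before any
 * address is formed, so pointer arithmetic can neither wrap nor leave the
 * buffer. Requires at least one uint32_t readable at q. */
int prop_offset_ok(const uint8_t *p, const uint8_t *e, uint32_t ofs)
{
    size_t avail = (size_t)(e - p);      /* caller guarantees p <= e */
    size_t hdr = 2 * sizeof(uint32_t);
    if (ofs < hdr)
        return 0;                        /* q would point before p */
    if ((size_t)ofs - hdr > avail)
        return 0;                        /* q would lie past e */
    if (avail - ((size_t)ofs - hdr) < sizeof(uint32_t))
        return 0;                        /* q[0] would read past e */
    return 1;
}

/* Forms q only after the offset has been validated. */
const uint32_t *prop_entry(const uint8_t *p, const uint8_t *e, uint32_t ofs)
{
    if (!prop_offset_ok(p, e, ofs))
        return NULL;
    return (const uint32_t *)(const void *)
        (p + ((size_t)ofs - 2 * sizeof(uint32_t)));
}

/* Constructed property stream of the same length as in the report
 * (e - p = 0x2a8 bytes). Only its length matters for the offset check. */
static uint8_t sample_stream[SAMPLE_E - SAMPLE_P];

/* Runs the hardened check against the constructed stream. */
int hardened_accepts_sample(uint32_t ofs)
{
    return prop_offset_ok(sample_stream,
                          sample_stream + sizeof sample_stream, ofs);
}

int main(void)
{
    printf("32-bit model: q=0x%08x accepted=%d\n",
           model32_q(SAMPLE_P, SAMPLE_OFS),
           model32_accepts(SAMPLE_P, SAMPLE_E, SAMPLE_OFS));
    printf("hardened: ofs=0x%08x accepted=%d, ofs=16 accepted=%d\n",
           SAMPLE_OFS, hardened_accepts_sample(SAMPLE_OFS),
           hardened_accepts_sample(16));
    return 0;
}
```

The point of the second form is that the comparison is done on lengths (size_t values that cannot exceed e - p) rather than on a pointer that has already been computed from untrusted input. Note that the wrap only occurs on 32-bit builds: with 64-bit pointers p + 0xf7ffffff does not wrap and q > e would have rejected it, which is why a bug of this kind can go unnoticed on x86_64 test machines.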

 [2014-07-30 12:01 UTC] remi@php.net

-Assigned To: +Assigned To: remi

 [2014-07-30 12:01 UTC] remi@php.net

Waiting for file upstream feedback on this patch proposal.

 [2014-08-11 07:31 UTC] remi@php.net

-CVE-ID: +CVE-ID: 2014-3587

 [2014-08-11 07:31 UTC] remi@php.net

Assigned to CVE-2014-3587

 [2014-08-15 00:11 UTC] stas@php.net

I think since the fix is public we can merge it too now.

 [2014-08-15 00:45 UTC] stas@php.net

-Status: Assigned +Status: Closed

 [2014-08-15 00:45 UTC] stas@php.net

The fix for this bug has been committed.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.

For Windows:

http://windows.php.net/snapshots/

Thank you for the report, and for helping us make PHP better.