php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Sec Bug #67716 Segfault in cdf.c
Submitted: 2014-07-30 11:59 UTC Modified: 2014-08-15 00:45 UTC
From: remi@php.net Assigned: remi (profile)
Status: Closed Package: Filesystem function related
PHP Version: 5.4.31 OS: irrevelant
Private report: No CVE-ID: 2014-3587
 [2014-07-30 11:59 UTC] remi@php.net
Description:
------------
During test patch for CVE-2012-1571, we discover another possible segfault in cd.c

#0  0x00fcf2cd in cdf_read_property_info (sst=0xbfb7d9b0, h=0xbfb7ddfc,
offs=167896768, info=0xbfb7d9f8, count=0xbfb7d9f4, maxcount=0xbfb7d938)
    at /usr/src/debug/php-5.3.3/ext/fileinfo/libmagic/cdf.c:776
776                     inp[i].pi_type = CDF_TOLE4(q[0]);

(gdb) p sst->sst_tab
$1 = (void *) 0xa01e690
(gdb) p p
$2 = (const uint32_t *) 0xa01e6c8
(gdb) p e
$3 = (const uint32_t *) 0xa01e970
(gdb) p q
$4 = (const uint32_t *) 0x201e6bf

We have a 32bits pointer overflow.



Patches

file-upstream.patch (last revision 2014-07-30 12:00 UTC by remi@php.net)

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2014-07-30 12:00 UTC] remi@php.net
The following patch has been added/updated:

Patch Name: file-upstream.patch
Revision:   1406721644
URL:        https://bugs.php.net/patch-display.php?bug=67716&patch=file-upstream.patch&revision=1406721644
 [2014-07-30 12:01 UTC] remi@php.net
-Assigned To: +Assigned To: remi
 [2014-07-30 12:01 UTC] remi@php.net
Waiting for file upstream feedback on this patch proposal.
 [2014-08-11 07:31 UTC] remi@php.net
-CVE-ID: +CVE-ID: 2014-3587
 [2014-08-11 07:31 UTC] remi@php.net
Assigned to CVE-2014-3587
 [2014-08-15 00:11 UTC] stas@php.net
I think since the fix is public we can merge it too now.
 [2014-08-15 00:45 UTC] stas@php.net
-Status: Assigned +Status: Closed
 [2014-08-15 00:45 UTC] stas@php.net
The fix for this bug has been committed.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.

 For Windows:

http://windows.php.net/snapshots/
 
Thank you for the report, and for helping us make PHP better.


 [2014-08-15 04:58 UTC] dmitry@php.net
Automatic comment on behalf of rcollet@redhat.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=35f32637b08ca6397829138ed45a0768f592f262
Log: Fix bug #67716 - Segfault in cdf.c
 [2014-08-15 04:58 UTC] dmitry@php.net
Automatic comment on behalf of rcollet@redhat.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=49387b31cf8bda25a85b6932380001be03d6c8b0
Log: Fix bug #67716 - Segfault in cdf.c
 [2014-08-19 08:34 UTC] stas@php.net
Automatic comment on behalf of rcollet@redhat.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=7ba1409a1aee5925180de546057ddd84ff267947
Log: Fix bug #67716 - Segfault in cdf.c
 [2014-08-19 14:13 UTC] jpauli@php.net
Automatic comment on behalf of rcollet@redhat.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=cba5120407fbd0735b9aac5ede2fd02bdfab46a9
Log: Fix bug #67716 - Segfault in cdf.c
 [2014-08-27 03:17 UTC] tyrael@php.net
Automatic comment on behalf of rcollet@redhat.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=77b09bfc351d3908b0368beac8787123acacf46c
Log: Fix bug #67716 - Segfault in cdf.c
 [2014-10-07 23:13 UTC] stas@php.net
Automatic comment on behalf of rcollet@redhat.com
Revision: http://git.php.net/?p=php-src-security.git;a=commit;h=7ba1409a1aee5925180de546057ddd84ff267947
Log: Fix bug #67716 - Segfault in cdf.c
 [2014-10-07 23:13 UTC] stas@php.net
Automatic comment on behalf of rcollet@redhat.com
Revision: http://git.php.net/?p=php-src-security.git;a=commit;h=35f32637b08ca6397829138ed45a0768f592f262
Log: Fix bug #67716 - Segfault in cdf.c
 [2014-10-07 23:24 UTC] stas@php.net
Automatic comment on behalf of rcollet@redhat.com
Revision: http://git.php.net/?p=php-src-security.git;a=commit;h=7ba1409a1aee5925180de546057ddd84ff267947
Log: Fix bug #67716 - Segfault in cdf.c
 [2014-10-07 23:24 UTC] stas@php.net
Automatic comment on behalf of rcollet@redhat.com
Revision: http://git.php.net/?p=php-src-security.git;a=commit;h=35f32637b08ca6397829138ed45a0768f592f262
Log: Fix bug #67716 - Segfault in cdf.c
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Mon Dec 30 14:01:28 2024 UTC