Upstream test patch dropped (binary patch not supported)

From ede59c8feb4b80e1b94e4abdaa0711051e2912ab Mon Sep 17 00:00:00 2001

From: Anatol Belski <ab@php.net>

Date: Sun, 4 Jan 2015 14:20:21 +0100

Subject: [PATCH] Fixed bug #68735 fileinfo out-of-bounds memory access

---

 NEWS                              |   7 +++++++

 ext/fileinfo/libmagic/softmagic.c |   7 +++++--

 ext/fileinfo/tests/bug68735.jpg   | Bin 0 -> 24 bytes

 ext/fileinfo/tests/bug68735.phpt  |  16 ++++++++++++++++

 4 files changed, 28 insertions(+), 2 deletions(-)

 create mode 100644 ext/fileinfo/tests/bug68735.jpg

 create mode 100644 ext/fileinfo/tests/bug68735.phpt

diff --git a/ext/fileinfo/libmagic/softmagic.c b/ext/fileinfo/libmagic/softmagic.c

index 7e0c856..e7b7855 100644

--- a/ext/fileinfo/libmagic/softmagic.c

+++ b/ext/fileinfo/libmagic/softmagic.c

@@ -884,14 +884,17 @@ mconvert(struct magic_set *ms, struct magic *m, int flip)

 		size_t sz = file_pstring_length_size(m);

 		char *ptr1 = p->s, *ptr2 = ptr1 + sz;

 		size_t len = file_pstring_get_length(m, ptr1);

-		if (len >= sizeof(p->s)) {

+		sz = sizeof(p->s) - sz; /* maximum length of string */

+		if (len >= sz) {

 			/*

 			 * The size of the pascal string length (sz)

 			 * is 1, 2, or 4. We need at least 1 byte for NUL

 			 * termination, but we've already truncated the

 			 * string by p->s, so we need to deduct sz.

+			 * Because we can use one of the bytes of the length

+			 * after we shifted as NUL termination.

 			 */ 

-			len = sizeof(p->s) - sz;

+			len = sz;

 		}

 		while (len--)

 			*ptr1++ = *ptr2++;