From 2c204a55af9b903b3db48dd5a75d492dbf1b387d Mon Sep 17 00:00:00 2001
From: Remi Collet <remi@php.net>
Date: Mon, 31 Mar 2014 16:50:47 +0200
Subject: [PATCH] Fixed Bug #66987 Memory corruption in fileinfo ext
 (bigendian)

On little endian:
	map->p == php_magic_database
	map->magic[i] = pointer into the map

	map->p == NULL
	map->magic[i] = pointer to allocated memory

On big endian (ppc64, s390x, ...):
	map->p != php_magic_database and map->p != NULL
	map->magic[i] = pointer into a copy of the map

Trying to efree pointer in the latter causes memory corruption
Thanks to dkatulek / Red Hat for the report.
---
 ext/fileinfo/libmagic/apprentice.c | 14 ++++++++------
 1 file changed, 8 insertions(+), 6 deletions(-)

diff --git a/ext/fileinfo/libmagic/apprentice.c b/ext/fileinfo/libmagic/apprentice.c
index 11920e6..fd82564 100644
--- a/ext/fileinfo/libmagic/apprentice.c
+++ b/ext/fileinfo/libmagic/apprentice.c
@@ -493,12 +493,14 @@ apprentice_unmap(struct magic_map *map)
 	if (map == NULL)
 		return;
 	if (map->p != php_magic_database) {
-		int j;
-		for (j = 0; j < MAGIC_SETS; j++) {
-			if (map->magic[j])
-				efree(map->magic[j]);
-		}
-		if (map->p != NULL) {
+		if (map->p == NULL) {
+			int j;
+			for (j = 0; j < MAGIC_SETS; j++) {
+				if (map->magic[j]) {
+					efree(map->magic[j]);
+				}
+			}
+		} else {
 			efree(map->p);
 		}
 	}
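Review bot: the ownership rule this dispatch relies on (map->p == php_magic_database: nothing is owned; map->p == NULL: each map->magic[j] is a separate allocation; any other map->p: every map->magic[j] points into the single allocation map->p) is recorded only in the commit message, so add it as a comment above `if (map->p != php_magic_database)` in apprentice_unmap(); without it the next reader sees map->magic[j] deliberately left alone in the `else` branch that does `efree(map->p);` and may reintroduce the per-set efree that freed interior pointers on big-endian hosts. The hunk itself is correct for the three cases the message lists: the loop with its `if (map->magic[j])` guard now runs only when map->p == NULL, and the byte-swapped copy is released once through its base pointer.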
-- 
2.1.0
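The three ownership states the commit message lists, and why the pre-fix loop breaks on the third, can be exercised without touching a real heap. The following is an added example in C, not code from PHP or libmagic: it models struct magic_map with a hypothetical layout (MAGIC_SETS, SET_SIZE, HEADER and all helper names are assumptions), routes every free through a tracking allocator that refuses pointers it did not hand out, and runs both the pre-fix and post-fix unmap logic over each state so the interior-pointer frees show up as a count instead of as heap corruption.

```c
/* Added example (not libmagic code): model the three ownership states of
 * struct magic_map from the commit message and check which frees the
 * pre-fix and post-fix apprentice_unmap() logic issue. Layout constants,
 * the tracked allocator and all helper names are hypothetical. */
#include <stdlib.h>
#include <string.h>

#define MAGIC_SETS 2
#define SET_SIZE   16
#define HEADER     8                     /* bytes before the first set */
#define MAP_BYTES  (HEADER + MAGIC_SETS * SET_SIZE)

struct magic_map {
    void *p;                 /* backing buffer, builtin database, or NULL */
    void *magic[MAGIC_SETS]; /* one pointer per magic set */
};

/* Stand-in for php_magic_database: static storage that must never be freed. */
static unsigned char builtin_database[MAP_BYTES];
#define php_magic_database ((void *)builtin_database)

/* Tracked allocator: remembers live allocations so a free can be validated
 * instead of corrupting the heap. */
#define MAX_LIVE 16
static void *live[MAX_LIVE];
static int live_count;
static int invalid_frees;

static void *tracked_malloc(size_t n)
{
    void *q = malloc(n);
    if (q != NULL && live_count < MAX_LIVE)
        live[live_count++] = q;
    return q;
}

/* Returns 1 and releases ptr if it is a live allocation; otherwise counts an
 * invalid free (interior pointer, static storage or double free) and returns 0. */
static int tracked_free(void *ptr)
{
    for (int i = 0; i < live_count; i++) {
        if (live[i] == ptr) {
            free(ptr);
            live[i] = live[--live_count];
            return 1;
        }
    }
    invalid_frees++;
    return 0;
}

static void tracker_reset(void)
{
    while (live_count > 0)
        free(live[--live_count]);
    invalid_frees = 0;
}

enum map_mode { MODE_BUILTIN, MODE_ALLOCATED, MODE_SWAPPED };

/* Build a map in one of the three states the commit message lists. */
static void map_build(struct magic_map *m, enum map_mode mode)
{
    memset(m, 0, sizeof *m);
    switch (mode) {
    case MODE_BUILTIN:   /* little endian: sets point into the static database */
        m->p = php_magic_database;
        for (int j = 0; j < MAGIC_SETS; j++)
            m->magic[j] = builtin_database + HEADER + j * SET_SIZE;
        break;
    case MODE_ALLOCATED: /* compiled from files: p == NULL, one block per set */
        for (int j = 0; j < MAGIC_SETS; j++)
            m->magic[j] = tracked_malloc(SET_SIZE);
        break;
    case MODE_SWAPPED:   /* big endian: one byte-swapped copy, sets point into it */
        m->p = tracked_malloc(MAP_BYTES);
        for (int j = 0; j < MAGIC_SETS; j++)
            m->magic[j] = (unsigned char *)m->p + HEADER + j * SET_SIZE;
        break;
    }
}

/* Unmap logic before the patch: frees every set, then p. */
static void unmap_before_fix(struct magic_map *m)
{
    if (m->p != php_magic_database) {
        for (int j = 0; j < MAGIC_SETS; j++)
            if (m->magic[j])
                tracked_free(m->magic[j]);
        if (m->p != NULL)
            tracked_free(m->p);
    }
}

/* Unmap logic after the patch: frees either the sets or p, never both. */
static void unmap_after_fix(struct magic_map *m)
{
    if (m->p != php_magic_database) {
        if (m->p == NULL) {
            for (int j = 0; j < MAGIC_SETS; j++)
                if (m->magic[j])
                    tracked_free(m->magic[j]);
        } else {
            tracked_free(m->p);
        }
    }
}

struct outcome { int invalid_frees; int leaked; };

/* Build a map, unmap it with the chosen logic, report invalid frees and leaks. */
static struct outcome run(int fixed, enum map_mode mode)
{
    struct magic_map m;
    struct outcome out;
    tracker_reset();
    map_build(&m, mode);
    if (fixed) unmap_after_fix(&m); else unmap_before_fix(&m);
    out.invalid_frees = invalid_frees;
    out.leaked = live_count;
    tracker_reset();
    return out;
}
```

In the MODE_SWAPPED state the pre-fix logic passes both interior set pointers to the allocator before releasing the base pointer, which is exactly the efree-of-a-non-allocation the commit message describes; the post-fix logic issues one valid free and leaks nothing in all three states.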