Sec Bug #67716 Segfault in cdf.c
Submitted: 2014-07-30 11:59 UTC Modified: 2014-08-15 00:45 UTC
From: [email protected] Assigned: remi (profile)
Status: Closed Package: Filesystem function related
PHP Version: 5.4.31 OS: irrelevant
Private report: No CVE-ID: 2014-3587
 [2014-07-30 11:59 UTC] [email protected]
Description:
------------
While testing the patch for CVE-2012-1571, we discovered another possible segfault in cdf.c

#0  0x00fcf2cd in cdf_read_property_info (sst=0xbfb7d9b0, h=0xbfb7ddfc,
offs=167896768, info=0xbfb7d9f8, count=0xbfb7d9f4, maxcount=0xbfb7d938)
    at /usr/src/debug/php-5.3.3/ext/fileinfo/libmagic/cdf.c:776
776                     inp[i].pi_type = CDF_TOLE4(q[0]);

(gdb) p sst->sst_tab
$1 = (void *) 0xa01e690
(gdb) p p
$2 = (const uint32_t *) 0xa01e6c8
(gdb) p e
$3 = (const uint32_t *) 0xa01e970
(gdb) p q
$4 = (const uint32_t *) 0x201e6bf

We have a 32-bit pointer overflow.
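To show the defensive pattern this class of bug calls for, here is an added C example (my own, not libmagic's or PHP's code): the untrusted offset is checked in unsigned integer arithmetic against the remaining length before any pointer is derived from it, so an oversized value is refused instead of wrapping the pointer below the buffer on a 32-bit build. The names bounded_ptr, read_le32_at, demo_value and sample_tab are hypothetical, and the table bytes are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical helper, not libmagic's code: validate an untrusted 32-bit
 * offset against a buffer of `len` bytes *before* deriving a pointer from it.
 * Every check is on unsigned integers, so a huge `offs` is rejected instead
 * of wrapping `base + offs`. A pointer that has already wrapped below the
 * buffer start (as q did in the backtrace above, ending up far below
 * sst_tab) would pass a check that only compares it with the end pointer. */
static const uint8_t *
bounded_ptr(const uint8_t *base, size_t len, uint32_t offs, size_t need)
{
    if (base == NULL || offs > len)   /* start already past the end */
        return NULL;
    if (need > len - offs)            /* too few bytes remain; no overflow possible */
        return NULL;
    return base + offs;
}

/* Read one little-endian uint32 field (e.g. a property type tag) at an
 * untrusted offset. Returns 1 and stores the value, 0 if the read would
 * leave the table. */
static int
read_le32_at(const uint8_t *tab, size_t tab_len, uint32_t offs, uint32_t *out)
{
    const uint8_t *q = bounded_ptr(tab, tab_len, offs, sizeof(uint32_t));
    if (q == NULL)
        return 0;
    *out = (uint32_t)q[0] | ((uint32_t)q[1] << 8) |
           ((uint32_t)q[2] << 16) | ((uint32_t)q[3] << 24);
    return 1;
}

/* Constructed 16-byte stand-in for a property table (not real CDF data). */
static const uint8_t sample_tab[16] = {
    0x00, 0x01, 0x02, 0x03, 0x11, 0x22, 0x33, 0x44,
    0xAA, 0xBB, 0xCC, 0xDD, 0xDE, 0xAD, 0xBE, 0xEF
};
#define REJECTED 0xFFFFFFFFu  /* sentinel; no 4-byte window of sample_tab equals it */

/* Returns the field at `offs`, or REJECTED when the read was refused. */
static uint32_t demo_value(uint32_t offs)
{
    uint32_t v;
    return read_le32_at(sample_tab, sizeof sample_tab, offs, &v) ? v : REJECTED;
}

int main(void)
{
    printf("offs 4          -> %08x\n", (unsigned)demo_value(4));           /* 44332211 */
    printf("offs 13         -> %08x\n", (unsigned)demo_value(13));          /* rejected: 3 bytes left */
    printf("offs 0xfffffffc -> %08x\n", (unsigned)demo_value(0xFFFFFFFCu)); /* rejected: would wrap */
    return 0;
}
```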



Patches

file-upstream.patch (last revision 2014-07-30 12:00 UTC by [email protected])

Pull Requests

History

 [2014-07-30 12:00 UTC] [email protected]
The following patch has been added/updated:

Patch Name: file-upstream.patch
Revision:   1406721644
URL:        https://bugs.php.net/patch-display.php?bug=67716&patch=file-upstream.patch&revision=1406721644
 [2014-07-30 12:01 UTC] [email protected]
-Assigned To: +Assigned To: remi
 [2014-07-30 12:01 UTC] [email protected]
Waiting for file upstream feedback on this patch proposal.
 [2014-08-11 07:31 UTC] [email protected]
-CVE-ID: +CVE-ID: 2014-3587
 [2014-08-11 07:31 UTC] [email protected]
Assigned to CVE-2014-3587
 [2014-08-15 00:11 UTC] [email protected]
I think since the fix is public we can merge it too now.
 [2014-08-15 00:45 UTC] [email protected]
-Status: Assigned +Status: Closed
 [2014-08-15 00:45 UTC] [email protected]
The fix for this bug has been committed.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.

 For Windows:

http://windows.php.net/snapshots/
 
Thank you for the report, and for helping us make PHP better.
