Subject: Buffer over-write in finfo_open with malformed magic file ID: CVE-2015-8865 Upstream-Author: Christos Zoulas Author: Christos Zoulas Date: Wed Jun 3 18:01:20 2015 +0000 Origin: FILE5_22-75-g6713ca4 Origin: https://bugs.php.net/bug.php?id=71527 (Original bug report) Origin: http://bugs.gw.com/view.php?id=522 (bug report for file) [ Original description: ] PR/454: Fix memory corruption when the continuation level jumps by more than 20 in a single step. --- a/src/funcs.c +++ b/src/funcs.c @@ -401,7 +401,7 @@ size_t len; if (level >= ms->c.len) { - len = (ms->c.len += 20) * sizeof(*ms->c.li); + len = (ms->c.len = 20 + level) * sizeof(*ms->c.li); ms->c.li = CAST(struct level_info *, (ms->c.li == NULL) ? malloc(len) : realloc(ms->c.li, len));
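Review bot: the sizing change is correct for the reported defect (growing `ms->c.len` by a fixed 20 could not keep up when `level` jumped past `ms->c.len + 20`, so the new `ms->c.len = 20 + level` finally guarantees `level < ms->c.len` after the block), but two points in the same hunk deserve attention. First, the reallocation assigns the result straight into `ms->c.li` (`ms->c.li = CAST(struct level_info *, ... realloc(ms->c.li, len))`), so if `realloc` fails the previous buffer is leaked and `ms->c.li` becomes NULL; use a temporary and check it before overwriting the field, and make sure the code following this hunk tests `ms->c.li` for NULL before indexing it by `level`. Second, `len = (ms->c.len = 20 + level) * sizeof(*ms->c.li)` now scales directly with a value taken from the magic file, whereas before it grew in fixed steps; a sanity bound on `level` (or an overflow check on the multiplication) would keep a malformed file from requesting an absurdly large allocation.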