Index: ext/fileinfo/libmagic/apprentice.c
===================================================================
RCS file: /repository/php-src/ext/fileinfo/libmagic/apprentice.c,v
retrieving revision 1.7
diff -u -p -r1.7 apprentice.c
--- ext/fileinfo/libmagic/apprentice.c	25 Jul 2008 08:18:34 -0000	1.7
+++ ext/fileinfo/libmagic/apprentice.c	10 Aug 2008 20:19:53 -0000
@@ -2062,16 +2062,19 @@ private const char ext[] = ".mgc";
 private void
 mkdbname(const char *fn, char **buf, int strip)
 {
+	char tmp_buf[MAXMAGICSIZE];
+
 	if (strip) {
 		const char *p;
 		if ((p = strrchr(fn, '/')) != NULL)
 			fn = ++p;
 	}
 
-	(void)asprintf(buf, "%s%s", fn, ext);
-	if (*buf && strlen(*buf) > MAXPATHLEN) {
-		free(*buf);
+	snprintf(tmp_buf, sizeof(tmp_buf), "%s%s", fn, ext);
+	if (tmp_buf[0] && strlen(tmp_buf) > MAXPATHLEN) {
 		*buf = NULL;
+	} else {
+		*buf = strdup(tmp_buf);
 	}
 }
 
Index: ext/fileinfo/libmagic/file.h
===================================================================
RCS file: /repository/php-src/ext/fileinfo/libmagic/file.h,v
retrieving revision 1.1
diff -u -p -r1.1 file.h
--- ext/fileinfo/libmagic/file.h	11 Jul 2008 14:13:50 -0000	1.1
+++ ext/fileinfo/libmagic/file.h	10 Aug 2008 20:19:53 -0000
@@ -366,6 +366,8 @@ extern char *sys_errlist[];
 #define strtoul(a, b, c)	strtol(a, b, c)
 #endif
 
+#define MAXMAGICSIZE 1024
+
 #ifndef HAVE_VASPRINTF
 int vasprintf(char **ptr, const char *format_string, va_list vargs);
 #endif
Index: ext/fileinfo/libmagic/funcs.c
===================================================================
RCS file: /repository/php-src/ext/fileinfo/libmagic/funcs.c,v
retrieving revision 1.3.2.1
diff -u -p -r1.3.2.1 funcs.c
--- ext/fileinfo/libmagic/funcs.c	10 Aug 2008 19:48:54 -0000	1.3.2.1
+++ ext/fileinfo/libmagic/funcs.c	10 Aug 2008 20:19:53 -0000
@@ -54,26 +54,26 @@ file_printf(struct magic_set *ms, const 
 	va_list ap;
 	size_t size;
 	int len;
-	char *buf, *newstr;
+	char buf[MAXMAGICSIZE], newstr[MAXMAGICSIZE];
 
 	va_start(ap, fmt);
-	len = vasprintf(&buf, fmt, ap);
+	len = vsnprintf(buf, sizeof(buf), fmt, ap);
 	if (len < 0)
 		goto out;
 	va_end(ap);
 
 	if (ms->o.buf != NULL) {
-		len = asprintf(&newstr, "%s%s", ms->o.buf, buf);
-		free(buf);
+		len = snprintf(newstr, sizeof(newstr), "%s%s", ms->o.buf, buf);
 		if (len < 0)
 			goto out;
 		free(ms->o.buf);
-		buf = newstr;
+		ms->o.buf = strdup(newstr);
+	} else {
+		ms->o.buf = strdup(buf);
 	}
-	ms->o.buf = buf;
 	return 0;
 out:
-	file_error(ms, errno, "vasprintf failed");
+	file_error(ms, errno, "vsnprintf failed");
 	return -1;
 }
 
Index: ext/fileinfo/libmagic/softmagic.c
===================================================================
RCS file: /repository/php-src/ext/fileinfo/libmagic/softmagic.c,v
retrieving revision 1.1
diff -u -p -r1.1 softmagic.c
--- ext/fileinfo/libmagic/softmagic.c	11 Jul 2008 14:13:50 -0000	1.1
+++ ext/fileinfo/libmagic/softmagic.c	10 Aug 2008 20:19:53 -0000
@@ -328,7 +328,7 @@ mprint(struct magic_set *ms, struct magi
 	float vf;
 	double vd;
 	int64_t t = 0;
- 	char *buf;
+ 	char buf[MAXMAGICSIZE];
 	union VALUETYPE *p = &ms->ms_value;
 
   	switch (m->type) {
@@ -338,7 +338,7 @@ mprint(struct magic_set *ms, struct magi
 		case -1:
 			return -1;
 		case 1:
-			if (asprintf(&buf, "%c", (unsigned char)v) < 0)
+			if (snprintf(buf, sizeof(buf), "%c", (unsigned char)v) < 0)
 				return -1;
 			if (file_printf(ms, MAGIC_DESC, buf) == -1)
 				return -1;
@@ -359,7 +359,7 @@ mprint(struct magic_set *ms, struct magi
 		case -1:
 			return -1;
 		case 1:
-			if (asprintf(&buf, "%hu", (unsigned short)v) < 0)
+			if (snprintf(buf, sizeof(buf), "%hu", (unsigned short)v) < 0)
 				return -1;
 			if (file_printf(ms, MAGIC_DESC, buf) == -1)
 				return -1;
@@ -381,7 +381,7 @@ mprint(struct magic_set *ms, struct magi
 		case -1:
 			return -1;
 		case 1:
-			if (asprintf(&buf, "%u", (uint32_t)v) < 0)
+			if (snprintf(buf, sizeof(buf), "%u", (uint32_t)v) < 0)
 				return -1;
 			if (file_printf(ms, MAGIC_DESC, buf) == -1)
 				return -1;
@@ -467,7 +467,7 @@ mprint(struct magic_set *ms, struct magi
 		case -1:
 			return -1;
 		case 1:
-			if (asprintf(&buf, "%g", vf) < 0)
+			if (snprintf(buf, sizeof(buf), "%g", vf) < 0)
 				return -1;
 			if (file_printf(ms, MAGIC_DESC, buf) == -1)
 				return -1;
@@ -488,7 +488,7 @@ mprint(struct magic_set *ms, struct magi
 		case -1:
 			return -1;
 		case 1:
-			if (asprintf(&buf, "%g", vd) < 0)
+			if (snprintf(buf, sizeof(buf), "%g", vd) < 0)
 				return -1;
 			if (file_printf(ms, MAGIC_DESC, buf) == -1)
 				return -1;