upstream/oracle/userland-gate: components/php-5_3/php-sapi/patches/350_php

4534 058d7630f55f 20192108 problem in UTILITY/PHP Craig Mohrman <craig.mohrman@oracle.com> parents: diff changeset	1	CVE-2014-9652
058d7630f55f 20192108 problem in UTILITY/PHP Craig Mohrman <craig.mohrman@oracle.com> parents: diff changeset	2	Community BUG:
058d7630f55f 20192108 problem in UTILITY/PHP Craig Mohrman <craig.mohrman@oracle.com> parents: diff changeset	3	https://bugs.php.net/bug.php?id=68735
058d7630f55f 20192108 problem in UTILITY/PHP Craig Mohrman <craig.mohrman@oracle.com> parents: diff changeset	4	Community CODE:
058d7630f55f 20192108 problem in UTILITY/PHP Craig Mohrman <craig.mohrman@oracle.com> parents: diff changeset	5	https://bugs.php.net/patch-display.php?bug=68735&patch=bug68735.patch&revision=1420309079
058d7630f55f 20192108 problem in UTILITY/PHP Craig Mohrman <craig.mohrman@oracle.com> parents: diff changeset	6	Below is the community patch.
058d7630f55f 20192108 problem in UTILITY/PHP Craig Mohrman <craig.mohrman@oracle.com> parents: diff changeset	7
058d7630f55f 20192108 problem in UTILITY/PHP Craig Mohrman <craig.mohrman@oracle.com> parents: diff changeset	8
058d7630f55f 20192108 problem in UTILITY/PHP Craig Mohrman <craig.mohrman@oracle.com> parents: diff changeset	9	diff --git a/ext/fileinfo/libmagic/softmagic.c b/ext/fileinfo/libmagic/softmagic.c
058d7630f55f 20192108 problem in UTILITY/PHP Craig Mohrman <craig.mohrman@oracle.com> parents: diff changeset	10	index 7e0c856..e7b7855 100644
058d7630f55f 20192108 problem in UTILITY/PHP Craig Mohrman <craig.mohrman@oracle.com> parents: diff changeset	11	--- a/ext/fileinfo/libmagic/softmagic.c
058d7630f55f 20192108 problem in UTILITY/PHP Craig Mohrman <craig.mohrman@oracle.com> parents: diff changeset	12	+++ b/ext/fileinfo/libmagic/softmagic.c
058d7630f55f 20192108 problem in UTILITY/PHP Craig Mohrman <craig.mohrman@oracle.com> parents: diff changeset	13	@@ -884,14 +884,17 @@ mconvert(struct magic_set ms, struct magic m, int flip)
058d7630f55f 20192108 problem in UTILITY/PHP Craig Mohrman <craig.mohrman@oracle.com> parents: diff changeset	14	size_t sz = file_pstring_length_size(m);
058d7630f55f 20192108 problem in UTILITY/PHP Craig Mohrman <craig.mohrman@oracle.com> parents: diff changeset	15	char ptr1 = p->s, ptr2 = ptr1 + sz;
058d7630f55f 20192108 problem in UTILITY/PHP Craig Mohrman <craig.mohrman@oracle.com> parents: diff changeset	16	size_t len = file_pstring_get_length(m, ptr1);
058d7630f55f 20192108 problem in UTILITY/PHP Craig Mohrman <craig.mohrman@oracle.com> parents: diff changeset	17	- if (len >= sizeof(p->s)) {
058d7630f55f 20192108 problem in UTILITY/PHP Craig Mohrman <craig.mohrman@oracle.com> parents: diff changeset	18	+ sz = sizeof(p->s) - sz; /* maximum length of string */
058d7630f55f 20192108 problem in UTILITY/PHP Craig Mohrman <craig.mohrman@oracle.com> parents: diff changeset	19	+ if (len >= sz) {
058d7630f55f 20192108 problem in UTILITY/PHP Craig Mohrman <craig.mohrman@oracle.com> parents: diff changeset	20	/*
058d7630f55f 20192108 problem in UTILITY/PHP Craig Mohrman <craig.mohrman@oracle.com> parents: diff changeset	21	* The size of the pascal string length (sz)
058d7630f55f 20192108 problem in UTILITY/PHP Craig Mohrman <craig.mohrman@oracle.com> parents: diff changeset	22	* is 1, 2, or 4. We need at least 1 byte for NUL
058d7630f55f 20192108 problem in UTILITY/PHP Craig Mohrman <craig.mohrman@oracle.com> parents: diff changeset	23	* termination, but we've already truncated the
058d7630f55f 20192108 problem in UTILITY/PHP Craig Mohrman <craig.mohrman@oracle.com> parents: diff changeset	24	* string by p->s, so we need to deduct sz.
058d7630f55f 20192108 problem in UTILITY/PHP Craig Mohrman <craig.mohrman@oracle.com> parents: diff changeset	25	+ * Because we can use one of the bytes of the length
058d7630f55f 20192108 problem in UTILITY/PHP Craig Mohrman <craig.mohrman@oracle.com> parents: diff changeset	26	+ * after we shifted as NUL termination.
058d7630f55f 20192108 problem in UTILITY/PHP Craig Mohrman <craig.mohrman@oracle.com> parents: diff changeset	27	*/
058d7630f55f 20192108 problem in UTILITY/PHP Craig Mohrman <craig.mohrman@oracle.com> parents: diff changeset	28	- len = sizeof(p->s) - sz;
058d7630f55f 20192108 problem in UTILITY/PHP Craig Mohrman <craig.mohrman@oracle.com> parents: diff changeset	29	+ len = sz;
058d7630f55f 20192108 problem in UTILITY/PHP Craig Mohrman <craig.mohrman@oracle.com> parents: diff changeset	30	}
058d7630f55f 20192108 problem in UTILITY/PHP Craig Mohrman <craig.mohrman@oracle.com> parents: diff changeset	31	while (len--)
058d7630f55f 20192108 problem in UTILITY/PHP Craig Mohrman <craig.mohrman@oracle.com> parents: diff changeset	32	ptr1++ = ptr2++;
058d7630f55f 20192108 problem in UTILITY/PHP Craig Mohrman <craig.mohrman@oracle.com> parents: diff changeset	33	--- /dev/null Sat Jan 3 19:01:50 2015
058d7630f55f 20192108 problem in UTILITY/PHP Craig Mohrman <craig.mohrman@oracle.com> parents: diff changeset	34	+++ a/ext/fileinfo/tests/bug68735.phpt Sat Jan 3 18:57:32 2015
058d7630f55f 20192108 problem in UTILITY/PHP Craig Mohrman <craig.mohrman@oracle.com> parents: diff changeset	35	@@ -0,0 +1,16 @@
058d7630f55f 20192108 problem in UTILITY/PHP Craig Mohrman <craig.mohrman@oracle.com> parents: diff changeset	36	+--TEST--
058d7630f55f 20192108 problem in UTILITY/PHP Craig Mohrman <craig.mohrman@oracle.com> parents: diff changeset	37	+Bug #68735 fileinfo out-of-bounds memory access
058d7630f55f 20192108 problem in UTILITY/PHP Craig Mohrman <craig.mohrman@oracle.com> parents: diff changeset	38	+--SKIPIF--
058d7630f55f 20192108 problem in UTILITY/PHP Craig Mohrman <craig.mohrman@oracle.com> parents: diff changeset	39	+<?php require_once(dirname(__FILE__) . '/skipif.inc'); ?>
058d7630f55f 20192108 problem in UTILITY/PHP Craig Mohrman <craig.mohrman@oracle.com> parents: diff changeset	40	+--FILE--
058d7630f55f 20192108 problem in UTILITY/PHP Craig Mohrman <craig.mohrman@oracle.com> parents: diff changeset	41	+<?php
058d7630f55f 20192108 problem in UTILITY/PHP Craig Mohrman <craig.mohrman@oracle.com> parents: diff changeset	42	+ $test_file = dirname(__FILE__) . DIRECTORY_SEPARATOR . "bug68735.jpg";
058d7630f55f 20192108 problem in UTILITY/PHP Craig Mohrman <craig.mohrman@oracle.com> parents: diff changeset	43	+ $f = new finfo;
058d7630f55f 20192108 problem in UTILITY/PHP Craig Mohrman <craig.mohrman@oracle.com> parents: diff changeset	44	+
058d7630f55f 20192108 problem in UTILITY/PHP Craig Mohrman <craig.mohrman@oracle.com> parents: diff changeset	45	+ var_dump($f->file($test_file));
058d7630f55f 20192108 problem in UTILITY/PHP Craig Mohrman <craig.mohrman@oracle.com> parents: diff changeset	46	+
058d7630f55f 20192108 problem in UTILITY/PHP Craig Mohrman <craig.mohrman@oracle.com> parents: diff changeset	47	+?>
058d7630f55f 20192108 problem in UTILITY/PHP Craig Mohrman <craig.mohrman@oracle.com> parents: diff changeset	48	+===DONE===
058d7630f55f 20192108 problem in UTILITY/PHP Craig Mohrman <craig.mohrman@oracle.com> parents: diff changeset	49	+--EXPECTF--
058d7630f55f 20192108 problem in UTILITY/PHP Craig Mohrman <craig.mohrman@oracle.com> parents: diff changeset	50	+string(%d) "JPEG image data, JFIF standard 1.01, comment: "%S""
058d7630f55f 20192108 problem in UTILITY/PHP Craig Mohrman <craig.mohrman@oracle.com> parents: diff changeset	51	+===DONE===

author	Craig Mohrman <craig.mohrman@oracle.com>
	Tue, 23 Jun 2015 13:44:01 -0700
branch	s11u2-sru
changeset 4534	058d7630f55f
permissions	-rw-r--r--