Fix for CVE-2014-1943

Modified version of this patch:

http://git.php.net/?p=php-src.git;a=patch;h=fdb9b6e5ec73d37b9734c9f7c50b3946ed85b5e3

which is for php 5.4 code.

php 5.4 code is here:

http://git.php.net/?p=php-src.git;a=commit;h=fdb9b6e5ec73d37b9734c9f7c50b3946ed85b5e3

Got this verson from [email protected] who is a

PHP community member.

Comparing the 2 versions and this one looks believable.

php-5.3.28-CVE-2014-1943.diff

diff -Naurp php-5.3.28/ext/fileinfo/libmagic/ascmagic.c php-5.3.28.oden/ext/fileinfo/libmagic/ascmagic.c

--- php-5.3.28/ext/fileinfo/libmagic/ascmagic.c	2013-12-10 19:04:57.000000000 +0000

+++ php-5.3.28.oden/ext/fileinfo/libmagic/ascmagic.c	2014-02-19 15:59:40.000000000 +0000

@@ -145,7 +145,7 @@ file_ascmagic_with_encoding(struct magic

 		    == NULL)

 			goto done;

 		if ((rv = file_softmagic(ms, utf8_buf,

-		    (size_t)(utf8_end - utf8_buf), TEXTTEST, text)) == 0)

+		    (size_t)(utf8_end - utf8_buf), 0, TEXTTEST, text)) == 0)

 			rv = -1;

 	}

diff -Naurp php-5.3.28/ext/fileinfo/libmagic/file.h php-5.3.28.oden/ext/fileinfo/libmagic/file.h

--- php-5.3.28/ext/fileinfo/libmagic/file.h	2013-12-10 19:04:57.000000000 +0000

+++ php-5.3.28.oden/ext/fileinfo/libmagic/file.h	2014-02-19 15:59:40.000000000 +0000

@@ -414,7 +414,7 @@ protected int file_encoding(struct magic

     unichar **, size_t *, const char **, const char **, const char **);

 protected int file_is_tar(struct magic_set *, const unsigned char *, size_t);

 protected int file_softmagic(struct magic_set *, const unsigned char *, size_t,

-    int, int);

+    size_t, int, int);

 protected struct mlist *file_apprentice(struct magic_set *, const char *, int);

 protected uint64_t file_signextend(struct magic_set *, struct magic *,

     uint64_t);

diff -Naurp php-5.3.28/ext/fileinfo/libmagic/funcs.c php-5.3.28.oden/ext/fileinfo/libmagic/funcs.c

--- php-5.3.28/ext/fileinfo/libmagic/funcs.c	2013-12-10 19:04:57.000000000 +0000

+++ php-5.3.28.oden/ext/fileinfo/libmagic/funcs.c	2014-02-19 15:59:40.000000000 +0000

@@ -235,7 +235,7 @@ file_buffer(struct magic_set *ms, php_st

 	/* try soft magic tests */

 	if ((ms->flags & MAGIC_NO_CHECK_SOFT) == 0)

-		if ((m = file_softmagic(ms, ubuf, nb, BINTEST,

+		if ((m = file_softmagic(ms, ubuf, nb, 0, BINTEST,

 		    looks_text)) != 0) {

 			if ((ms->flags & MAGIC_DEBUG) != 0)

 				(void)fprintf(stderr, "softmagic %d\n", m);

diff -Naurp php-5.3.28/ext/fileinfo/libmagic/softmagic.c php-5.3.28.oden/ext/fileinfo/libmagic/softmagic.c

--- php-5.3.28/ext/fileinfo/libmagic/softmagic.c	2013-12-10 19:04:57.000000000 +0000

+++ php-5.3.28.oden/ext/fileinfo/libmagic/softmagic.c	2014-02-19 15:59:40.000000000 +0000

@@ -48,9 +48,9 @@ FILE_RCSID("@(#)$File: softmagic.c,v 1.1

 private int match(struct magic_set *, struct magic *, uint32_t,

-    const unsigned char *, size_t, int, int);

+    const unsigned char *, size_t, int, int, int);

 private int mget(struct magic_set *, const unsigned char *,

-    struct magic *, size_t, unsigned int, int);

+    struct magic *, size_t, unsigned int, int, int);

 private int magiccheck(struct magic_set *, struct magic *);

 private int32_t mprint(struct magic_set *, struct magic *);

 private int32_t moffset(struct magic_set *, struct magic *);

@@ -72,13 +72,13 @@ private void cvt_64(union VALUETYPE *, c

 /*ARGSUSED1*/		/* nbytes passed for regularity, maybe need later */

 protected int

 file_softmagic(struct magic_set *ms, const unsigned char *buf, size_t nbytes,

-    int mode, int text)

+    size_t level, int mode, int text)

 {

 	struct mlist *ml;

 	int rv;

 	for (ml = ms->mlist->next; ml != ms->mlist; ml = ml->next)

 		if ((rv = match(ms, ml->magic, ml->nmagic, buf, nbytes, mode,

-		    text)) != 0)

+		    text, level)) != 0)

 			return rv;

 	return 0;

@@ -113,7 +113,8 @@ file_softmagic(struct magic_set *ms, con

  */

 private int

 match(struct magic_set *ms, struct magic *magic, uint32_t nmagic,

-    const unsigned char *s, size_t nbytes, int mode, int text)

+    const unsigned char *s, size_t nbytes, int mode, int text,

+    int recursion_level)

 {

 	uint32_t magindex = 0;

 	unsigned int cont_level = 0;

@@ -145,7 +146,7 @@ match(struct magic_set *ms, struct magic

 		ms->line = m->lineno;

 		/* if main entry matches, print it... */

-		switch (mget(ms, s, m, nbytes, cont_level, text)) {

+		switch (mget(ms, s, m, nbytes, cont_level, text, recursion_level + 1)) {

 		case -1:

 			return -1;

 		case 0:

@@ -227,7 +228,7 @@ match(struct magic_set *ms, struct magic

 					continue;

 			}

 #endif

-			switch (mget(ms, s, m, nbytes, cont_level, text)) {

+			switch (mget(ms, s, m, nbytes, cont_level, text, recursion_level + 1)) {

 			case -1:

 				return -1;

 			case 0:

@@ -997,12 +998,18 @@ mcopy(struct magic_set *ms, union VALUET

 private int

 mget(struct magic_set *ms, const unsigned char *s,

-    struct magic *m, size_t nbytes, unsigned int cont_level, int text)

+    struct magic *m, size_t nbytes, unsigned int cont_level, int text,

+    int recursion_level)

 {

 	uint32_t offset = ms->offset;

 	uint32_t count = m->str_range;

 	union VALUETYPE *p = &ms->ms_value;

+        if (recursion_level >= 20) {

+                file_error(ms, 0, "recursion nesting exceeded");

+                return -1;

+        }

+

 	if (mcopy(ms, p, m->type, m->flag & INDIR, s, offset, nbytes, count) == -1)

 		return -1;

@@ -1550,13 +1557,15 @@ mget(struct magic_set *ms, const unsigne

 		break;

 	case FILE_INDIRECT:

+		if (offset == 0)

+			return 0;

 	  	if ((ms->flags & (MAGIC_MIME|MAGIC_APPLE)) == 0 &&

 		    file_printf(ms, "%s", m->desc) == -1)

 			return -1;

 		if (nbytes < offset)

 			return 0;

 		return file_softmagic(ms, s + offset, nbytes - offset,

-		    BINTEST, text);

+		    recursion_level, BINTEST, text);

 	case FILE_DEFAULT:	/* nothing to check */

 	default:

diff -Naurp php-5.3.28/ext/fileinfo/tests/cve-2014-1943.phpt php-5.3.28.oden/ext/fileinfo/tests/cve-2014-1943.phpt

--- php-5.3.28/ext/fileinfo/tests/cve-2014-1943.phpt	1970-01-01 00:00:00.000000000 +0000

+++ php-5.3.28.oden/ext/fileinfo/tests/cve-2014-1943.phpt	2014-02-19 16:00:20.000000000 +0000

@@ -0,0 +1,39 @@

+--TEST--

+Bug #66731: file: infinite recursion

+--SKIPIF--

+<?php

+if (!class_exists('finfo'))

+	die('skip no fileinfo extension');

+--FILE--

+<?php

+$fd = __DIR__.'/cve-2014-1943.data';

+$fm = __DIR__.'/cve-2014-1943.magic';

+

+$a = "\105\122\000\000\000\000\000";

+$b = str_repeat("\001", 250000);

+$m =  "0           byte        x\n".

+      ">(1.b)      indirect    x\n";

+

+file_put_contents($fd, $a);

+$fi = finfo_open(FILEINFO_NONE);

+var_dump(finfo_file($fi, $fd));

+finfo_close($fi);

+

+file_put_contents($fd, $b);

+file_put_contents($fm, $m);

+$fi = finfo_open(FILEINFO_NONE, $fm);

+var_dump(finfo_file($fi, $fd));

+finfo_close($fi);

+?>

+Done

+--CLEAN--

+<?php

+@unlink(__DIR__.'/cve-2014-1943.data');

+@unlink(__DIR__.'/cve-2014-1943.magic');

+?>

+--EXPECTF--

+string(%d) "%s"

+

+Warning: finfo_file(): Failed identify data 0:(null) in %s on line %d

+bool(false)

+Done