author | Craig Mohrman <craig.mohrman@oracle.com> |
Wed, 09 Apr 2014 16:18:40 -0700 | |
branch | s11-update |
changeset 3067 | 61e6cd945591 |
permissions | -rw-r--r-- |
3067
61e6cd945591
17362112 problem in UTILITY/PHP
Craig Mohrman <craig.mohrman@oracle.com>
parents:
diff
changeset
|
1 |
Fix for CVE-2014-1943 |
61e6cd945591
17362112 problem in UTILITY/PHP
Craig Mohrman <craig.mohrman@oracle.com>
parents:
diff
changeset
|
2 |
Modified version of this patch: |
61e6cd945591
17362112 problem in UTILITY/PHP
Craig Mohrman <craig.mohrman@oracle.com>
parents:
diff
changeset
|
3 |
http://git.php.net/?p=php-src.git;a=patch;h=fdb9b6e5ec73d37b9734c9f7c50b3946ed85b5e3 |
61e6cd945591
17362112 problem in UTILITY/PHP
Craig Mohrman <craig.mohrman@oracle.com>
parents:
diff
changeset
|
4 |
which is for php 5.4 code. |
61e6cd945591
17362112 problem in UTILITY/PHP
Craig Mohrman <craig.mohrman@oracle.com>
parents:
diff
changeset
|
5 |
php 5.4 code is here: |
61e6cd945591
17362112 problem in UTILITY/PHP
Craig Mohrman <craig.mohrman@oracle.com>
parents:
diff
changeset
|
6 |
http://git.php.net/?p=php-src.git;a=commit;h=fdb9b6e5ec73d37b9734c9f7c50b3946ed85b5e3 |
61e6cd945591
17362112 problem in UTILITY/PHP
Craig Mohrman <craig.mohrman@oracle.com>
parents:
diff
changeset
|
7 |
Got this verson from [email protected] who is a |
61e6cd945591
17362112 problem in UTILITY/PHP
Craig Mohrman <craig.mohrman@oracle.com>
parents:
diff
changeset
|
8 |
PHP community member. |
61e6cd945591
17362112 problem in UTILITY/PHP
Craig Mohrman <craig.mohrman@oracle.com>
parents:
diff
changeset
|
9 |
Comparing the 2 versions and this one looks believable. |
61e6cd945591
17362112 problem in UTILITY/PHP
Craig Mohrman <craig.mohrman@oracle.com>
parents:
diff
changeset
|
10 |
|
61e6cd945591
17362112 problem in UTILITY/PHP
Craig Mohrman <craig.mohrman@oracle.com>
parents:
diff
changeset
|
11 |
|
61e6cd945591
17362112 problem in UTILITY/PHP
Craig Mohrman <craig.mohrman@oracle.com>
parents:
diff
changeset
|
12 |
php-5.3.28-CVE-2014-1943.diff |
61e6cd945591
17362112 problem in UTILITY/PHP
Craig Mohrman <craig.mohrman@oracle.com>
parents:
diff
changeset
|
13 |
|
61e6cd945591
17362112 problem in UTILITY/PHP
Craig Mohrman <craig.mohrman@oracle.com>
parents:
diff
changeset
|
14 |
diff -Naurp php-5.3.28/ext/fileinfo/libmagic/ascmagic.c php-5.3.28.oden/ext/fileinfo/libmagic/ascmagic.c |
61e6cd945591
17362112 problem in UTILITY/PHP
Craig Mohrman <craig.mohrman@oracle.com>
parents:
diff
changeset
|
15 |
--- php-5.3.28/ext/fileinfo/libmagic/ascmagic.c 2013-12-10 19:04:57.000000000 +0000 |
61e6cd945591
17362112 problem in UTILITY/PHP
Craig Mohrman <craig.mohrman@oracle.com>
parents:
diff
changeset
|
16 |
+++ php-5.3.28.oden/ext/fileinfo/libmagic/ascmagic.c 2014-02-19 15:59:40.000000000 +0000 |
61e6cd945591
17362112 problem in UTILITY/PHP
Craig Mohrman <craig.mohrman@oracle.com>
parents:
diff
changeset
|
17 |
@@ -145,7 +145,7 @@ file_ascmagic_with_encoding(struct magic |
61e6cd945591
17362112 problem in UTILITY/PHP
Craig Mohrman <craig.mohrman@oracle.com>
parents:
diff
changeset
|
18 |
== NULL) |
61e6cd945591
17362112 problem in UTILITY/PHP
Craig Mohrman <craig.mohrman@oracle.com>
parents:
diff
changeset
|
19 |
goto done; |
61e6cd945591
17362112 problem in UTILITY/PHP
Craig Mohrman <craig.mohrman@oracle.com>
parents:
diff
changeset
|
20 |
if ((rv = file_softmagic(ms, utf8_buf, |
61e6cd945591
17362112 problem in UTILITY/PHP
Craig Mohrman <craig.mohrman@oracle.com>
parents:
diff
changeset
|
21 |
- (size_t)(utf8_end - utf8_buf), TEXTTEST, text)) == 0) |
61e6cd945591
17362112 problem in UTILITY/PHP
Craig Mohrman <craig.mohrman@oracle.com>
parents:
diff
changeset
|
22 |
+ (size_t)(utf8_end - utf8_buf), 0, TEXTTEST, text)) == 0) |
61e6cd945591
17362112 problem in UTILITY/PHP
Craig Mohrman <craig.mohrman@oracle.com>
parents:
diff
changeset
|
23 |
rv = -1; |
61e6cd945591
17362112 problem in UTILITY/PHP
Craig Mohrman <craig.mohrman@oracle.com>
parents:
diff
changeset
|
24 |
} |
61e6cd945591
17362112 problem in UTILITY/PHP
Craig Mohrman <craig.mohrman@oracle.com>
parents:
diff
changeset
|
25 |
|
61e6cd945591
17362112 problem in UTILITY/PHP
Craig Mohrman <craig.mohrman@oracle.com>
parents:
diff
changeset
|
26 |
diff -Naurp php-5.3.28/ext/fileinfo/libmagic/file.h php-5.3.28.oden/ext/fileinfo/libmagic/file.h |
61e6cd945591
17362112 problem in UTILITY/PHP
Craig Mohrman <craig.mohrman@oracle.com>
parents:
diff
changeset
|
27 |
--- php-5.3.28/ext/fileinfo/libmagic/file.h 2013-12-10 19:04:57.000000000 +0000 |
61e6cd945591
17362112 problem in UTILITY/PHP
Craig Mohrman <craig.mohrman@oracle.com>
parents:
diff
changeset
|
28 |
+++ php-5.3.28.oden/ext/fileinfo/libmagic/file.h 2014-02-19 15:59:40.000000000 +0000 |
61e6cd945591
17362112 problem in UTILITY/PHP
Craig Mohrman <craig.mohrman@oracle.com>
parents:
diff
changeset
|
29 |
@@ -414,7 +414,7 @@ protected int file_encoding(struct magic |
61e6cd945591
17362112 problem in UTILITY/PHP
Craig Mohrman <craig.mohrman@oracle.com>
parents:
diff
changeset
|
30 |
unichar **, size_t *, const char **, const char **, const char **); |
61e6cd945591
17362112 problem in UTILITY/PHP
Craig Mohrman <craig.mohrman@oracle.com>
parents:
diff
changeset
|
31 |
protected int file_is_tar(struct magic_set *, const unsigned char *, size_t); |
61e6cd945591
17362112 problem in UTILITY/PHP
Craig Mohrman <craig.mohrman@oracle.com>
parents:
diff
changeset
|
32 |
protected int file_softmagic(struct magic_set *, const unsigned char *, size_t, |
61e6cd945591
17362112 problem in UTILITY/PHP
Craig Mohrman <craig.mohrman@oracle.com>
parents:
diff
changeset
|
33 |
- int, int); |
61e6cd945591
17362112 problem in UTILITY/PHP
Craig Mohrman <craig.mohrman@oracle.com>
parents:
diff
changeset
|
34 |
+ size_t, int, int); |
61e6cd945591
17362112 problem in UTILITY/PHP
Craig Mohrman <craig.mohrman@oracle.com>
parents:
diff
changeset
|
35 |
protected struct mlist *file_apprentice(struct magic_set *, const char *, int); |
61e6cd945591
17362112 problem in UTILITY/PHP
Craig Mohrman <craig.mohrman@oracle.com>
parents:
diff
changeset
|
36 |
protected uint64_t file_signextend(struct magic_set *, struct magic *, |
61e6cd945591
17362112 problem in UTILITY/PHP
Craig Mohrman <craig.mohrman@oracle.com>
parents:
diff
changeset
|
37 |
uint64_t); |
61e6cd945591
17362112 problem in UTILITY/PHP
Craig Mohrman <craig.mohrman@oracle.com>
parents:
diff
changeset
|
38 |
diff -Naurp php-5.3.28/ext/fileinfo/libmagic/funcs.c php-5.3.28.oden/ext/fileinfo/libmagic/funcs.c |
61e6cd945591
17362112 problem in UTILITY/PHP
Craig Mohrman <craig.mohrman@oracle.com>
parents:
diff
changeset
|
39 |
--- php-5.3.28/ext/fileinfo/libmagic/funcs.c 2013-12-10 19:04:57.000000000 +0000 |
61e6cd945591
17362112 problem in UTILITY/PHP
Craig Mohrman <craig.mohrman@oracle.com>
parents:
diff
changeset
|
40 |
+++ php-5.3.28.oden/ext/fileinfo/libmagic/funcs.c 2014-02-19 15:59:40.000000000 +0000 |
61e6cd945591
17362112 problem in UTILITY/PHP
Craig Mohrman <craig.mohrman@oracle.com>
parents:
diff
changeset
|
41 |
@@ -235,7 +235,7 @@ file_buffer(struct magic_set *ms, php_st |
61e6cd945591
17362112 problem in UTILITY/PHP
Craig Mohrman <craig.mohrman@oracle.com>
parents:
diff
changeset
|
42 |
|
61e6cd945591
17362112 problem in UTILITY/PHP
Craig Mohrman <craig.mohrman@oracle.com>
parents:
diff
changeset
|
43 |
/* try soft magic tests */ |
61e6cd945591
17362112 problem in UTILITY/PHP
Craig Mohrman <craig.mohrman@oracle.com>
parents:
diff
changeset
|
44 |
if ((ms->flags & MAGIC_NO_CHECK_SOFT) == 0) |
61e6cd945591
17362112 problem in UTILITY/PHP
Craig Mohrman <craig.mohrman@oracle.com>
parents:
diff
changeset
|
45 |
- if ((m = file_softmagic(ms, ubuf, nb, BINTEST, |
61e6cd945591
17362112 problem in UTILITY/PHP
Craig Mohrman <craig.mohrman@oracle.com>
parents:
diff
changeset
|
46 |
+ if ((m = file_softmagic(ms, ubuf, nb, 0, BINTEST, |
61e6cd945591
17362112 problem in UTILITY/PHP
Craig Mohrman <craig.mohrman@oracle.com>
parents:
diff
changeset
|
47 |
looks_text)) != 0) { |
61e6cd945591
17362112 problem in UTILITY/PHP
Craig Mohrman <craig.mohrman@oracle.com>
parents:
diff
changeset
|
48 |
if ((ms->flags & MAGIC_DEBUG) != 0) |
61e6cd945591
17362112 problem in UTILITY/PHP
Craig Mohrman <craig.mohrman@oracle.com>
parents:
diff
changeset
|
49 |
(void)fprintf(stderr, "softmagic %d\n", m); |
61e6cd945591
17362112 problem in UTILITY/PHP
Craig Mohrman <craig.mohrman@oracle.com>
parents:
diff
changeset
|
50 |
diff -Naurp php-5.3.28/ext/fileinfo/libmagic/softmagic.c php-5.3.28.oden/ext/fileinfo/libmagic/softmagic.c |
61e6cd945591
17362112 problem in UTILITY/PHP
Craig Mohrman <craig.mohrman@oracle.com>
parents:
diff
changeset
|
51 |
--- php-5.3.28/ext/fileinfo/libmagic/softmagic.c 2013-12-10 19:04:57.000000000 +0000 |
61e6cd945591
17362112 problem in UTILITY/PHP
Craig Mohrman <craig.mohrman@oracle.com>
parents:
diff
changeset
|
52 |
+++ php-5.3.28.oden/ext/fileinfo/libmagic/softmagic.c 2014-02-19 15:59:40.000000000 +0000 |
61e6cd945591
17362112 problem in UTILITY/PHP
Craig Mohrman <craig.mohrman@oracle.com>
parents:
diff
changeset
|
53 |
@@ -48,9 +48,9 @@ FILE_RCSID("@(#)$File: softmagic.c,v 1.1 |
61e6cd945591
17362112 problem in UTILITY/PHP
Craig Mohrman <craig.mohrman@oracle.com>
parents:
diff
changeset
|
54 |
|
61e6cd945591
17362112 problem in UTILITY/PHP
Craig Mohrman <craig.mohrman@oracle.com>
parents:
diff
changeset
|
55 |
|
61e6cd945591
17362112 problem in UTILITY/PHP
Craig Mohrman <craig.mohrman@oracle.com>
parents:
diff
changeset
|
56 |
private int match(struct magic_set *, struct magic *, uint32_t, |
61e6cd945591
17362112 problem in UTILITY/PHP
Craig Mohrman <craig.mohrman@oracle.com>
parents:
diff
changeset
|
57 |
- const unsigned char *, size_t, int, int); |
61e6cd945591
17362112 problem in UTILITY/PHP
Craig Mohrman <craig.mohrman@oracle.com>
parents:
diff
changeset
|
58 |
+ const unsigned char *, size_t, int, int, int); |
61e6cd945591
17362112 problem in UTILITY/PHP
Craig Mohrman <craig.mohrman@oracle.com>
parents:
diff
changeset
|
59 |
private int mget(struct magic_set *, const unsigned char *, |
61e6cd945591
17362112 problem in UTILITY/PHP
Craig Mohrman <craig.mohrman@oracle.com>
parents:
diff
changeset
|
60 |
- struct magic *, size_t, unsigned int, int); |
61e6cd945591
17362112 problem in UTILITY/PHP
Craig Mohrman <craig.mohrman@oracle.com>
parents:
diff
changeset
|
61 |
+ struct magic *, size_t, unsigned int, int, int); |
61e6cd945591
17362112 problem in UTILITY/PHP
Craig Mohrman <craig.mohrman@oracle.com>
parents:
diff
changeset
|
62 |
private int magiccheck(struct magic_set *, struct magic *); |
61e6cd945591
17362112 problem in UTILITY/PHP
Craig Mohrman <craig.mohrman@oracle.com>
parents:
diff
changeset
|
63 |
private int32_t mprint(struct magic_set *, struct magic *); |
61e6cd945591
17362112 problem in UTILITY/PHP
Craig Mohrman <craig.mohrman@oracle.com>
parents:
diff
changeset
|
64 |
private int32_t moffset(struct magic_set *, struct magic *); |
61e6cd945591
17362112 problem in UTILITY/PHP
Craig Mohrman <craig.mohrman@oracle.com>
parents:
diff
changeset
|
65 |
@@ -72,13 +72,13 @@ private void cvt_64(union VALUETYPE *, c |
61e6cd945591
17362112 problem in UTILITY/PHP
Craig Mohrman <craig.mohrman@oracle.com>
parents:
diff
changeset
|
66 |
/*ARGSUSED1*/ /* nbytes passed for regularity, maybe need later */ |
61e6cd945591
17362112 problem in UTILITY/PHP
Craig Mohrman <craig.mohrman@oracle.com>
parents:
diff
changeset
|
67 |
protected int |
61e6cd945591
17362112 problem in UTILITY/PHP
Craig Mohrman <craig.mohrman@oracle.com>
parents:
diff
changeset
|
68 |
file_softmagic(struct magic_set *ms, const unsigned char *buf, size_t nbytes, |
61e6cd945591
17362112 problem in UTILITY/PHP
Craig Mohrman <craig.mohrman@oracle.com>
parents:
diff
changeset
|
69 |
- int mode, int text) |
61e6cd945591
17362112 problem in UTILITY/PHP
Craig Mohrman <craig.mohrman@oracle.com>
parents:
diff
changeset
|
70 |
+ size_t level, int mode, int text) |
61e6cd945591
17362112 problem in UTILITY/PHP
Craig Mohrman <craig.mohrman@oracle.com>
parents:
diff
changeset
|
71 |
{ |
61e6cd945591
17362112 problem in UTILITY/PHP
Craig Mohrman <craig.mohrman@oracle.com>
parents:
diff
changeset
|
72 |
struct mlist *ml; |
61e6cd945591
17362112 problem in UTILITY/PHP
Craig Mohrman <craig.mohrman@oracle.com>
parents:
diff
changeset
|
73 |
int rv; |
61e6cd945591
17362112 problem in UTILITY/PHP
Craig Mohrman <craig.mohrman@oracle.com>
parents:
diff
changeset
|
74 |
for (ml = ms->mlist->next; ml != ms->mlist; ml = ml->next) |
61e6cd945591
17362112 problem in UTILITY/PHP
Craig Mohrman <craig.mohrman@oracle.com>
parents:
diff
changeset
|
75 |
if ((rv = match(ms, ml->magic, ml->nmagic, buf, nbytes, mode, |
61e6cd945591
17362112 problem in UTILITY/PHP
Craig Mohrman <craig.mohrman@oracle.com>
parents:
diff
changeset
|
76 |
- text)) != 0) |
61e6cd945591
17362112 problem in UTILITY/PHP
Craig Mohrman <craig.mohrman@oracle.com>
parents:
diff
changeset
|
77 |
+ text, level)) != 0) |
61e6cd945591
17362112 problem in UTILITY/PHP
Craig Mohrman <craig.mohrman@oracle.com>
parents:
diff
changeset
|
78 |
return rv; |
61e6cd945591
17362112 problem in UTILITY/PHP
Craig Mohrman <craig.mohrman@oracle.com>
parents:
diff
changeset
|
79 |
|
61e6cd945591
17362112 problem in UTILITY/PHP
Craig Mohrman <craig.mohrman@oracle.com>
parents:
diff
changeset
|
80 |
return 0; |
61e6cd945591
17362112 problem in UTILITY/PHP
Craig Mohrman <craig.mohrman@oracle.com>
parents:
diff
changeset
|
81 |
@@ -113,7 +113,8 @@ file_softmagic(struct magic_set *ms, con |
61e6cd945591
17362112 problem in UTILITY/PHP
Craig Mohrman <craig.mohrman@oracle.com>
parents:
diff
changeset
|
82 |
*/ |
61e6cd945591
17362112 problem in UTILITY/PHP
Craig Mohrman <craig.mohrman@oracle.com>
parents:
diff
changeset
|
83 |
private int |
61e6cd945591
17362112 problem in UTILITY/PHP
Craig Mohrman <craig.mohrman@oracle.com>
parents:
diff
changeset
|
84 |
match(struct magic_set *ms, struct magic *magic, uint32_t nmagic, |
61e6cd945591
17362112 problem in UTILITY/PHP
Craig Mohrman <craig.mohrman@oracle.com>
parents:
diff
changeset
|
85 |
- const unsigned char *s, size_t nbytes, int mode, int text) |
61e6cd945591
17362112 problem in UTILITY/PHP
Craig Mohrman <craig.mohrman@oracle.com>
parents:
diff
changeset
|
86 |
+ const unsigned char *s, size_t nbytes, int mode, int text, |
61e6cd945591
17362112 problem in UTILITY/PHP
Craig Mohrman <craig.mohrman@oracle.com>
parents:
diff
changeset
|
87 |
+ int recursion_level) |
61e6cd945591
17362112 problem in UTILITY/PHP
Craig Mohrman <craig.mohrman@oracle.com>
parents:
diff
changeset
|
88 |
{ |
61e6cd945591
17362112 problem in UTILITY/PHP
Craig Mohrman <craig.mohrman@oracle.com>
parents:
diff
changeset
|
89 |
uint32_t magindex = 0; |
61e6cd945591
17362112 problem in UTILITY/PHP
Craig Mohrman <craig.mohrman@oracle.com>
parents:
diff
changeset
|
90 |
unsigned int cont_level = 0; |
61e6cd945591
17362112 problem in UTILITY/PHP
Craig Mohrman <craig.mohrman@oracle.com>
parents:
diff
changeset
|
91 |
@@ -145,7 +146,7 @@ match(struct magic_set *ms, struct magic |
61e6cd945591
17362112 problem in UTILITY/PHP
Craig Mohrman <craig.mohrman@oracle.com>
parents:
diff
changeset
|
92 |
ms->line = m->lineno; |
61e6cd945591
17362112 problem in UTILITY/PHP
Craig Mohrman <craig.mohrman@oracle.com>
parents:
diff
changeset
|
93 |
|
61e6cd945591
17362112 problem in UTILITY/PHP
Craig Mohrman <craig.mohrman@oracle.com>
parents:
diff
changeset
|
94 |
/* if main entry matches, print it... */ |
61e6cd945591
17362112 problem in UTILITY/PHP
Craig Mohrman <craig.mohrman@oracle.com>
parents:
diff
changeset
|
95 |
- switch (mget(ms, s, m, nbytes, cont_level, text)) { |
61e6cd945591
17362112 problem in UTILITY/PHP
Craig Mohrman <craig.mohrman@oracle.com>
parents:
diff
changeset
|
96 |
+ switch (mget(ms, s, m, nbytes, cont_level, text, recursion_level + 1)) { |
61e6cd945591
17362112 problem in UTILITY/PHP
Craig Mohrman <craig.mohrman@oracle.com>
parents:
diff
changeset
|
97 |
case -1: |
61e6cd945591
17362112 problem in UTILITY/PHP
Craig Mohrman <craig.mohrman@oracle.com>
parents:
diff
changeset
|
98 |
return -1; |
61e6cd945591
17362112 problem in UTILITY/PHP
Craig Mohrman <craig.mohrman@oracle.com>
parents:
diff
changeset
|
99 |
case 0: |
61e6cd945591
17362112 problem in UTILITY/PHP
Craig Mohrman <craig.mohrman@oracle.com>
parents:
diff
changeset
|
100 |
@@ -227,7 +228,7 @@ match(struct magic_set *ms, struct magic |
61e6cd945591
17362112 problem in UTILITY/PHP
Craig Mohrman <craig.mohrman@oracle.com>
parents:
diff
changeset
|
101 |
continue; |
61e6cd945591
17362112 problem in UTILITY/PHP
Craig Mohrman <craig.mohrman@oracle.com>
parents:
diff
changeset
|
102 |
} |
61e6cd945591
17362112 problem in UTILITY/PHP
Craig Mohrman <craig.mohrman@oracle.com>
parents:
diff
changeset
|
103 |
#endif |
61e6cd945591
17362112 problem in UTILITY/PHP
Craig Mohrman <craig.mohrman@oracle.com>
parents:
diff
changeset
|
104 |
- switch (mget(ms, s, m, nbytes, cont_level, text)) { |
61e6cd945591
17362112 problem in UTILITY/PHP
Craig Mohrman <craig.mohrman@oracle.com>
parents:
diff
changeset
|
105 |
+ switch (mget(ms, s, m, nbytes, cont_level, text, recursion_level + 1)) { |
61e6cd945591
17362112 problem in UTILITY/PHP
Craig Mohrman <craig.mohrman@oracle.com>
parents:
diff
changeset
|
106 |
case -1: |
61e6cd945591
17362112 problem in UTILITY/PHP
Craig Mohrman <craig.mohrman@oracle.com>
parents:
diff
changeset
|
107 |
return -1; |
61e6cd945591
17362112 problem in UTILITY/PHP
Craig Mohrman <craig.mohrman@oracle.com>
parents:
diff
changeset
|
108 |
case 0: |
61e6cd945591
17362112 problem in UTILITY/PHP
Craig Mohrman <craig.mohrman@oracle.com>
parents:
diff
changeset
|
109 |
@@ -997,12 +998,18 @@ mcopy(struct magic_set *ms, union VALUET |
61e6cd945591
17362112 problem in UTILITY/PHP
Craig Mohrman <craig.mohrman@oracle.com>
parents:
diff
changeset
|
110 |
|
61e6cd945591
17362112 problem in UTILITY/PHP
Craig Mohrman <craig.mohrman@oracle.com>
parents:
diff
changeset
|
111 |
private int |
61e6cd945591
17362112 problem in UTILITY/PHP
Craig Mohrman <craig.mohrman@oracle.com>
parents:
diff
changeset
|
112 |
mget(struct magic_set *ms, const unsigned char *s, |
61e6cd945591
17362112 problem in UTILITY/PHP
Craig Mohrman <craig.mohrman@oracle.com>
parents:
diff
changeset
|
113 |
- struct magic *m, size_t nbytes, unsigned int cont_level, int text) |
61e6cd945591
17362112 problem in UTILITY/PHP
Craig Mohrman <craig.mohrman@oracle.com>
parents:
diff
changeset
|
114 |
+ struct magic *m, size_t nbytes, unsigned int cont_level, int text, |
61e6cd945591
17362112 problem in UTILITY/PHP
Craig Mohrman <craig.mohrman@oracle.com>
parents:
diff
changeset
|
115 |
+ int recursion_level) |
61e6cd945591
17362112 problem in UTILITY/PHP
Craig Mohrman <craig.mohrman@oracle.com>
parents:
diff
changeset
|
116 |
{ |
61e6cd945591
17362112 problem in UTILITY/PHP
Craig Mohrman <craig.mohrman@oracle.com>
parents:
diff
changeset
|
117 |
uint32_t offset = ms->offset; |
61e6cd945591
17362112 problem in UTILITY/PHP
Craig Mohrman <craig.mohrman@oracle.com>
parents:
diff
changeset
|
118 |
uint32_t count = m->str_range; |
61e6cd945591
17362112 problem in UTILITY/PHP
Craig Mohrman <craig.mohrman@oracle.com>
parents:
diff
changeset
|
119 |
union VALUETYPE *p = &ms->ms_value; |
61e6cd945591
17362112 problem in UTILITY/PHP
Craig Mohrman <craig.mohrman@oracle.com>
parents:
diff
changeset
|
120 |
|
61e6cd945591
17362112 problem in UTILITY/PHP
Craig Mohrman <craig.mohrman@oracle.com>
parents:
diff
changeset
|
121 |
+ if (recursion_level >= 20) { |
61e6cd945591
17362112 problem in UTILITY/PHP
Craig Mohrman <craig.mohrman@oracle.com>
parents:
diff
changeset
|
122 |
+ file_error(ms, 0, "recursion nesting exceeded"); |
61e6cd945591
17362112 problem in UTILITY/PHP
Craig Mohrman <craig.mohrman@oracle.com>
parents:
diff
changeset
|
123 |
+ return -1; |
61e6cd945591
17362112 problem in UTILITY/PHP
Craig Mohrman <craig.mohrman@oracle.com>
parents:
diff
changeset
|
124 |
+ } |
61e6cd945591
17362112 problem in UTILITY/PHP
Craig Mohrman <craig.mohrman@oracle.com>
parents:
diff
changeset
|
125 |
+ |
61e6cd945591
17362112 problem in UTILITY/PHP
Craig Mohrman <craig.mohrman@oracle.com>
parents:
diff
changeset
|
126 |
if (mcopy(ms, p, m->type, m->flag & INDIR, s, offset, nbytes, count) == -1) |
61e6cd945591
17362112 problem in UTILITY/PHP
Craig Mohrman <craig.mohrman@oracle.com>
parents:
diff
changeset
|
127 |
return -1; |
61e6cd945591
17362112 problem in UTILITY/PHP
Craig Mohrman <craig.mohrman@oracle.com>
parents:
diff
changeset
|
128 |
|
61e6cd945591
17362112 problem in UTILITY/PHP
Craig Mohrman <craig.mohrman@oracle.com>
parents:
diff
changeset
|
129 |
@@ -1550,13 +1557,15 @@ mget(struct magic_set *ms, const unsigne |
61e6cd945591
17362112 problem in UTILITY/PHP
Craig Mohrman <craig.mohrman@oracle.com>
parents:
diff
changeset
|
130 |
break; |
61e6cd945591
17362112 problem in UTILITY/PHP
Craig Mohrman <craig.mohrman@oracle.com>
parents:
diff
changeset
|
131 |
|
61e6cd945591
17362112 problem in UTILITY/PHP
Craig Mohrman <craig.mohrman@oracle.com>
parents:
diff
changeset
|
132 |
case FILE_INDIRECT: |
61e6cd945591
17362112 problem in UTILITY/PHP
Craig Mohrman <craig.mohrman@oracle.com>
parents:
diff
changeset
|
133 |
+ if (offset == 0) |
61e6cd945591
17362112 problem in UTILITY/PHP
Craig Mohrman <craig.mohrman@oracle.com>
parents:
diff
changeset
|
134 |
+ return 0; |
61e6cd945591
17362112 problem in UTILITY/PHP
Craig Mohrman <craig.mohrman@oracle.com>
parents:
diff
changeset
|
135 |
if ((ms->flags & (MAGIC_MIME|MAGIC_APPLE)) == 0 && |
61e6cd945591
17362112 problem in UTILITY/PHP
Craig Mohrman <craig.mohrman@oracle.com>
parents:
diff
changeset
|
136 |
file_printf(ms, "%s", m->desc) == -1) |
61e6cd945591
17362112 problem in UTILITY/PHP
Craig Mohrman <craig.mohrman@oracle.com>
parents:
diff
changeset
|
137 |
return -1; |
61e6cd945591
17362112 problem in UTILITY/PHP
Craig Mohrman <craig.mohrman@oracle.com>
parents:
diff
changeset
|
138 |
if (nbytes < offset) |
61e6cd945591
17362112 problem in UTILITY/PHP
Craig Mohrman <craig.mohrman@oracle.com>
parents:
diff
changeset
|
139 |
return 0; |
61e6cd945591
17362112 problem in UTILITY/PHP
Craig Mohrman <craig.mohrman@oracle.com>
parents:
diff
changeset
|
140 |
return file_softmagic(ms, s + offset, nbytes - offset, |
61e6cd945591
17362112 problem in UTILITY/PHP
Craig Mohrman <craig.mohrman@oracle.com>
parents:
diff
changeset
|
141 |
- BINTEST, text); |
61e6cd945591
17362112 problem in UTILITY/PHP
Craig Mohrman <craig.mohrman@oracle.com>
parents:
diff
changeset
|
142 |
+ recursion_level, BINTEST, text); |
61e6cd945591
17362112 problem in UTILITY/PHP
Craig Mohrman <craig.mohrman@oracle.com>
parents:
diff
changeset
|
143 |
|
61e6cd945591
17362112 problem in UTILITY/PHP
Craig Mohrman <craig.mohrman@oracle.com>
parents:
diff
changeset
|
144 |
case FILE_DEFAULT: /* nothing to check */ |
61e6cd945591
17362112 problem in UTILITY/PHP
Craig Mohrman <craig.mohrman@oracle.com>
parents:
diff
changeset
|
145 |
default: |
61e6cd945591
17362112 problem in UTILITY/PHP
Craig Mohrman <craig.mohrman@oracle.com>
parents:
diff
changeset
|
146 |
diff -Naurp php-5.3.28/ext/fileinfo/tests/cve-2014-1943.phpt php-5.3.28.oden/ext/fileinfo/tests/cve-2014-1943.phpt |
61e6cd945591
17362112 problem in UTILITY/PHP
Craig Mohrman <craig.mohrman@oracle.com>
parents:
diff
changeset
|
147 |
--- php-5.3.28/ext/fileinfo/tests/cve-2014-1943.phpt 1970-01-01 00:00:00.000000000 +0000 |
61e6cd945591
17362112 problem in UTILITY/PHP
Craig Mohrman <craig.mohrman@oracle.com>
parents:
diff
changeset
|
148 |
+++ php-5.3.28.oden/ext/fileinfo/tests/cve-2014-1943.phpt 2014-02-19 16:00:20.000000000 +0000 |
61e6cd945591
17362112 problem in UTILITY/PHP
Craig Mohrman <craig.mohrman@oracle.com>
parents:
diff
changeset
|
149 |
@@ -0,0 +1,39 @@ |
61e6cd945591
17362112 problem in UTILITY/PHP
Craig Mohrman <craig.mohrman@oracle.com>
parents:
diff
changeset
|
150 |
+--TEST-- |
61e6cd945591
17362112 problem in UTILITY/PHP
Craig Mohrman <craig.mohrman@oracle.com>
parents:
diff
changeset
|
151 |
+Bug #66731: file: infinite recursion |
61e6cd945591
17362112 problem in UTILITY/PHP
Craig Mohrman <craig.mohrman@oracle.com>
parents:
diff
changeset
|
152 |
+--SKIPIF-- |
61e6cd945591
17362112 problem in UTILITY/PHP
Craig Mohrman <craig.mohrman@oracle.com>
parents:
diff
changeset
|
153 |
+<?php |
61e6cd945591
17362112 problem in UTILITY/PHP
Craig Mohrman <craig.mohrman@oracle.com>
parents:
diff
changeset
|
154 |
+if (!class_exists('finfo')) |
61e6cd945591
17362112 problem in UTILITY/PHP
Craig Mohrman <craig.mohrman@oracle.com>
parents:
diff
changeset
|
155 |
+ die('skip no fileinfo extension'); |
61e6cd945591
17362112 problem in UTILITY/PHP
Craig Mohrman <craig.mohrman@oracle.com>
parents:
diff
changeset
|
156 |
+--FILE-- |
61e6cd945591
17362112 problem in UTILITY/PHP
Craig Mohrman <craig.mohrman@oracle.com>
parents:
diff
changeset
|
157 |
+<?php |
61e6cd945591
17362112 problem in UTILITY/PHP
Craig Mohrman <craig.mohrman@oracle.com>
parents:
diff
changeset
|
158 |
+$fd = __DIR__.'/cve-2014-1943.data'; |
61e6cd945591
17362112 problem in UTILITY/PHP
Craig Mohrman <craig.mohrman@oracle.com>
parents:
diff
changeset
|
159 |
+$fm = __DIR__.'/cve-2014-1943.magic'; |
61e6cd945591
17362112 problem in UTILITY/PHP
Craig Mohrman <craig.mohrman@oracle.com>
parents:
diff
changeset
|
160 |
+ |
61e6cd945591
17362112 problem in UTILITY/PHP
Craig Mohrman <craig.mohrman@oracle.com>
parents:
diff
changeset
|
161 |
+$a = "\105\122\000\000\000\000\000"; |
61e6cd945591
17362112 problem in UTILITY/PHP
Craig Mohrman <craig.mohrman@oracle.com>
parents:
diff
changeset
|
162 |
+$b = str_repeat("\001", 250000); |
61e6cd945591
17362112 problem in UTILITY/PHP
Craig Mohrman <craig.mohrman@oracle.com>
parents:
diff
changeset
|
163 |
+$m = "0 byte x\n". |
61e6cd945591
17362112 problem in UTILITY/PHP
Craig Mohrman <craig.mohrman@oracle.com>
parents:
diff
changeset
|
164 |
+ ">(1.b) indirect x\n"; |
61e6cd945591
17362112 problem in UTILITY/PHP
Craig Mohrman <craig.mohrman@oracle.com>
parents:
diff
changeset
|
165 |
+ |
61e6cd945591
17362112 problem in UTILITY/PHP
Craig Mohrman <craig.mohrman@oracle.com>
parents:
diff
changeset
|
166 |
+file_put_contents($fd, $a); |
61e6cd945591
17362112 problem in UTILITY/PHP
Craig Mohrman <craig.mohrman@oracle.com>
parents:
diff
changeset
|
167 |
+$fi = finfo_open(FILEINFO_NONE); |
61e6cd945591
17362112 problem in UTILITY/PHP
Craig Mohrman <craig.mohrman@oracle.com>
parents:
diff
changeset
|
168 |
+var_dump(finfo_file($fi, $fd)); |
61e6cd945591
17362112 problem in UTILITY/PHP
Craig Mohrman <craig.mohrman@oracle.com>
parents:
diff
changeset
|
169 |
+finfo_close($fi); |
61e6cd945591
17362112 problem in UTILITY/PHP
Craig Mohrman <craig.mohrman@oracle.com>
parents:
diff
changeset
|
170 |
+ |
61e6cd945591
17362112 problem in UTILITY/PHP
Craig Mohrman <craig.mohrman@oracle.com>
parents:
diff
changeset
|
171 |
+file_put_contents($fd, $b); |
61e6cd945591
17362112 problem in UTILITY/PHP
Craig Mohrman <craig.mohrman@oracle.com>
parents:
diff
changeset
|
172 |
+file_put_contents($fm, $m); |
61e6cd945591
17362112 problem in UTILITY/PHP
Craig Mohrman <craig.mohrman@oracle.com>
parents:
diff
changeset
|
173 |
+$fi = finfo_open(FILEINFO_NONE, $fm); |
61e6cd945591
17362112 problem in UTILITY/PHP
Craig Mohrman <craig.mohrman@oracle.com>
parents:
diff
changeset
|
174 |
+var_dump(finfo_file($fi, $fd)); |
61e6cd945591
17362112 problem in UTILITY/PHP
Craig Mohrman <craig.mohrman@oracle.com>
parents:
diff
changeset
|
175 |
+finfo_close($fi); |
61e6cd945591
17362112 problem in UTILITY/PHP
Craig Mohrman <craig.mohrman@oracle.com>
parents:
diff
changeset
|
176 |
+?> |
61e6cd945591
17362112 problem in UTILITY/PHP
Craig Mohrman <craig.mohrman@oracle.com>
parents:
diff
changeset
|
177 |
+Done |
61e6cd945591
17362112 problem in UTILITY/PHP
Craig Mohrman <craig.mohrman@oracle.com>
parents:
diff
changeset
|
178 |
+--CLEAN-- |
61e6cd945591
17362112 problem in UTILITY/PHP
Craig Mohrman <craig.mohrman@oracle.com>
parents:
diff
changeset
|
179 |
+<?php |
61e6cd945591
17362112 problem in UTILITY/PHP
Craig Mohrman <craig.mohrman@oracle.com>
parents:
diff
changeset
|
180 |
+@unlink(__DIR__.'/cve-2014-1943.data'); |
61e6cd945591
17362112 problem in UTILITY/PHP
Craig Mohrman <craig.mohrman@oracle.com>
parents:
diff
changeset
|
181 |
+@unlink(__DIR__.'/cve-2014-1943.magic'); |
61e6cd945591
17362112 problem in UTILITY/PHP
Craig Mohrman <craig.mohrman@oracle.com>
parents:
diff
changeset
|
182 |
+?> |
61e6cd945591
17362112 problem in UTILITY/PHP
Craig Mohrman <craig.mohrman@oracle.com>
parents:
diff
changeset
|
183 |
+--EXPECTF-- |
61e6cd945591
17362112 problem in UTILITY/PHP
Craig Mohrman <craig.mohrman@oracle.com>
parents:
diff
changeset
|
184 |
+string(%d) "%s" |
61e6cd945591
17362112 problem in UTILITY/PHP
Craig Mohrman <craig.mohrman@oracle.com>
parents:
diff
changeset
|
185 |
+ |
61e6cd945591
17362112 problem in UTILITY/PHP
Craig Mohrman <craig.mohrman@oracle.com>
parents:
diff
changeset
|
186 |
+Warning: finfo_file(): Failed identify data 0:(null) in %s on line %d |
61e6cd945591
17362112 problem in UTILITY/PHP
Craig Mohrman <craig.mohrman@oracle.com>
parents:
diff
changeset
|
187 |
+bool(false) |
61e6cd945591
17362112 problem in UTILITY/PHP
Craig Mohrman <craig.mohrman@oracle.com>
parents:
diff
changeset
|
188 |
+Done |
61e6cd945591
17362112 problem in UTILITY/PHP
Craig Mohrman <craig.mohrman@oracle.com>
parents:
diff
changeset
|
189 |
|
61e6cd945591
17362112 problem in UTILITY/PHP
Craig Mohrman <craig.mohrman@oracle.com>
parents:
diff
changeset
|
190 |