components/php-5_3/php-sapi/patches/170_php_18368630.patch
author Craig Mohrman <craig.mohrman@oracle.com>
Fri, 18 Apr 2014 11:03:12 -0700
branch s11u1-sru
changeset 3086 649b12aa87ce
permissions -rw-r--r--
17362112 problem in UTILITY/PHP 18083695 problem in UTILITY/PHP 18181920 remove BUILD_VERSION from php package manifests 18368537 problem in UTILITY/PHP 18368630 problem in UTILITY/PHP
     1
Fix for CVE-2014-2270
     2
Patch:
     3
http://git.php.net/?p=php-src.git;a=patch;h=a33759fd27
     4
Code:
     5
http://git.php.net/?p=php-src.git;a=commitdiff;h=a33759fd27
     6
This patch is for php 5.5 code but works well enough on php 5.3 code.
     7
Verified by hand that it patches the correct code.
     8
Slightly modified by hand to remove unnecessary parts that fail to patch.
     9
    10
    11
    12
From a33759fd275b32ed0bbe89796fe2953b3cb0b41f Mon Sep 17 00:00:00 2001
    13
From: Remi Collet <[email protected]>
    14
Date: Tue, 4 Mar 2014 20:32:52 +0100
    15
Subject: [PATCH] Fixed Bug #66820 out-of-bounds memory access in fileinfo
    16
    17
Upstream fix:
    18
https://github.com/glensc/file/commit/447558595a3650db2886cd2f416ad0beba965801
    19
    20
Notice, test changed, with upstream agreement:
    21
-define OFFSET_OOB(n, o, i)	((n) < (o) || (i) >= ((n) - (o)))
    22
+define OFFSET_OOB(n, o, i)	((n) < (o) || (i) >  ((n) - (o)))
    23
---
    24
 ext/fileinfo/libmagic/softmagic.c | 34 ++++++++++++++++++----------------
    25
 1 file changed, 18 insertions(+), 16 deletions(-)
    26
    27
diff --git a/ext/fileinfo/libmagic/softmagic.c b/ext/fileinfo/libmagic/softmagic.c
    28
index 82a470a..21fea6b 100644
    29
--- a/ext/fileinfo/libmagic/softmagic.c
    30
+++ b/ext/fileinfo/libmagic/softmagic.c
    31
@@ -67,6 +67,8 @@ private void cvt_16(union VALUETYPE *, const struct magic *);
    32
 private void cvt_32(union VALUETYPE *, const struct magic *);
    33
 private void cvt_64(union VALUETYPE *, const struct magic *);
    34
 
    35
+#define OFFSET_OOB(n, o, i)	((n) < (o) || (i) > ((n) - (o)))
    36
+
    37
 /*
    38
  * softmagic - lookup one file in parsed, in-memory copy of database
    39
  * Passed the name and FILE * of one file to be typed.
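Review bot: The `OFFSET_OOB` macro added in this hunk carries no comment saying what `n`, `o` and `i` stand for, and it expands `n` and `o` twice, so it is only safe with side-effect-free unsigned operands. The order of the two tests matters: `(n) < (o)` has to be evaluated first so that `(n) - (o)` cannot wrap, and that is the property that makes it a sound replacement for the old `nbytes < (offset + N)` form. I would record this above the definition, for example `/* true when i bytes starting at offset o do not fit in an n-byte buffer; n and o must be unsigned and have no side effects */`. If the file's conventions allow it, a static helper function taking `size_t` arguments would give the same check with single evaluation and type checking.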
    40
@@ -1171,7 +1173,7 @@ mget(struct magic_set *ms, const unsigned char *s, struct magic *m,
    41
 		}
    42
 		switch (cvt_flip(m->in_type, flip)) {
    43
 		case FILE_BYTE:
    44
-			if (nbytes < (offset + 1))
    45
+			if (OFFSET_OOB(nbytes, offset, 1))
    46
 				return 0;
    47
 			if (off) {
    48
 				switch (m->in_op & FILE_OPS_MASK) {
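Review bot: Any `nbytes < (offset + N)` comparison still left in this 5.3 copy of mget() keeps the addition that this hunk removes for FILE_BYTE, and the patch header says parts of the upstream change that failed to apply were dropped by hand. Assuming `offset` is unsigned, as the macro implies, that addition can wrap for a large offset and let the old guard pass. The same one-line substitution is made in the FILE_BESHORT, FILE_LESHORT, FILE_SHORT, FILE_BELONG/FILE_BEID3, FILE_LELONG/FILE_LEID3, FILE_MELONG and FILE_LONG hunks, so a search of the patched softmagic.c for the old form would confirm that no site was missed. The diffstat in the header (18 insertions, 16 deletions) comes from the upstream commit and may no longer describe what is applied here. mget() starts and ends outside this hunk.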
    49
@@ -1206,7 +1208,7 @@ mget(struct magic_set *ms, const unsigned char *s, struct magic *m,
    50
 				offset = ~offset;
    51
 			break;
    52
 		case FILE_BESHORT:
    53
-			if (nbytes < (offset + 2))
    54
+			if (OFFSET_OOB(nbytes, offset, 2))
    55
 				return 0;
    56
 			if (off) {
    57
 				switch (m->in_op & FILE_OPS_MASK) {
    58
@@ -1258,7 +1260,7 @@ mget(struct magic_set *ms, const unsigned char *s, struct magic *m,
    59
 				offset = ~offset;
    60
 			break;
    61
 		case FILE_LESHORT:
    62
-			if (nbytes < (offset + 2))
    63
+			if (OFFSET_OOB(nbytes, offset, 2))
    64
 				return 0;
    65
 			if (off) {
    66
 				switch (m->in_op & FILE_OPS_MASK) {
    67
@@ -1310,7 +1312,7 @@ mget(struct magic_set *ms, const unsigned char *s, struct magic *m,
    68
 				offset = ~offset;
    69
 			break;
    70
 		case FILE_SHORT:
    71
-			if (nbytes < (offset + 2))
    72
+			if (OFFSET_OOB(nbytes, offset, 2))
    73
 				return 0;
    74
 			if (off) {
    75
 				switch (m->in_op & FILE_OPS_MASK) {
    76
@@ -1347,7 +1349,7 @@ mget(struct magic_set *ms, const unsigned char *s, struct magic *m,
    77
 			break;
    78
 		case FILE_BELONG:
    79
 		case FILE_BEID3:
    80
-			if (nbytes < (offset + 4))
    81
+			if (OFFSET_OOB(nbytes, offset, 4))
    82
 				return 0;
    83
 			if (off) {
    84
 				switch (m->in_op & FILE_OPS_MASK) {
    85
@@ -1418,7 +1420,7 @@ mget(struct magic_set *ms, const unsigned char *s, struct magic *m,
    86
 			break;
    87
 		case FILE_LELONG:
    88
 		case FILE_LEID3:
    89
-			if (nbytes < (offset + 4))
    90
+			if (OFFSET_OOB(nbytes, offset, 4))
    91
 				return 0;
    92
 			if (off) {
    93
 				switch (m->in_op & FILE_OPS_MASK) {
    94
@@ -1488,7 +1490,7 @@ mget(struct magic_set *ms, const unsigned char *s, struct magic *m,
    95
 				offset = ~offset;
    96
 			break;
    97
 		case FILE_MELONG:
    98
-			if (nbytes < (offset + 4))
    99
+			if (OFFSET_OOB(nbytes, offset, 4))
   100
 				return 0;
   101
 			if (off) {
   102
 				switch (m->in_op & FILE_OPS_MASK) {
   103
@@ -1558,7 +1560,7 @@ mget(struct magic_set *ms, const unsigned char *s, struct magic *m,
   104
 				offset = ~offset;
   105
 			break;
   106
 		case FILE_LONG:
   107
-			if (nbytes < (offset + 4))
   108
+			if (OFFSET_OOB(nbytes, offset, 4))
   109
 				return 0;
   110
 			if (off) {
   111
 				switch (m->in_op & FILE_OPS_MASK) {