|
1 Fix for CVE-2014-2270 |
|
2 Patch: |
|
3 http://git.php.net/?p=php-src.git;a=patch;h=a33759fd27 |
|
4 Code: |
|
5 http://git.php.net/?p=php-src.git;a=commitdiff;h=a33759fd27 |
|
6 This patch was written against the PHP 5.5 tree, but it applies well enough to the PHP 5.3 tree. |
|
7 Verified by hand that it patches the correct code. |
|
8 Slightly modified by hand to drop the parts that do not apply cleanly to 5.3 and are not needed for the fix. |
|
9 |
|
10 |
|
11 |
|
12 From a33759fd275b32ed0bbe89796fe2953b3cb0b41f Mon Sep 17 00:00:00 2001 |
|
13 From: Remi Collet <[email protected]> |
|
14 Date: Tue, 4 Mar 2014 20:32:52 +0100 |
|
15 Subject: [PATCH] Fixed Bug #66820 out-of-bounds memory access in fileinfo |
|
16 |
|
17 Upstream fix: |
|
18 https://github.com/glensc/file/commit/447558595a3650db2886cd2f416ad0beba965801 |
|
19 |
|
20 Note: the bounds test was changed, with upstream agreement: |
|
21 -define OFFSET_OOB(n, o, i) ((n) < (o) || (i) >= ((n) - (o))) |
|
22 +define OFFSET_OOB(n, o, i) ((n) < (o) || (i) > ((n) - (o))) |
|
23 --- |
|
24 ext/fileinfo/libmagic/softmagic.c | 34 ++++++++++++++++++---------------- |
|
25 1 file changed, 18 insertions(+), 16 deletions(-) |
|
26 |
|
27 diff --git a/ext/fileinfo/libmagic/softmagic.c b/ext/fileinfo/libmagic/softmagic.c |
|
28 index 82a470a..21fea6b 100644 |
|
29 --- a/ext/fileinfo/libmagic/softmagic.c |
|
30 +++ b/ext/fileinfo/libmagic/softmagic.c |
|
31 @@ -67,6 +67,8 @@ private void cvt_16(union VALUETYPE *, const struct magic *); |
|
32 private void cvt_32(union VALUETYPE *, const struct magic *); |
|
33 private void cvt_64(union VALUETYPE *, const struct magic *); |
|
34 |
|
35 +#define OFFSET_OOB(n, o, i) ((n) < (o) || (i) > ((n) - (o))) |
|
36 + |
|
37 /* |
|
38 * softmagic - lookup one file in parsed, in-memory copy of database |
|
39 * Passed the name and FILE * of one file to be typed. |
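Review bot: The new `OFFSET_OOB` macro is undocumented and evaluates `n` and `o` twice, so it would silently misbehave if a call site ever passed an expression with side effects; every use in this patch passes plain variables, so the risk is only of a future regression. A one-line contract above the `#define` would pin both the meaning and that restriction: `/* True if reading I bytes at offset O of an N-byte buffer would run past its end. N and O are evaluated twice and both are expected to be unsigned. */` The unsigned expectation matters because the `(n) < (o)` guard is what keeps `(n) - (o)` from wrapping, and it only does so when neither operand is negative; the declared types of `nbytes` and `offset` are not visible in this hunk, so confirm them against mget's declarations.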
|
40 @@ -1171,7 +1173,7 @@ mget(struct magic_set *ms, const unsigned char *s, struct magic *m, |
|
41 } |
|
42 switch (cvt_flip(m->in_type, flip)) { |
|
43 case FILE_BYTE: |
|
44 - if (nbytes < (offset + 1)) |
|
45 + if (OFFSET_OOB(nbytes, offset, 1)) |
|
46 return 0; |
|
47 if (off) { |
|
48 switch (m->in_op & FILE_OPS_MASK) { |
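Review bot: The guard `if (OFFSET_OOB(nbytes, offset, 1))` carries no hint of why a subtraction-based check replaced the additive one, so a later cleanup could reintroduce `nbytes < (offset + 1)`, whose `offset + 1` can wrap to zero when `offset` is the maximum of its type and thereby admit the out-of-bounds read this commit fixes. A short comment on this first check would protect that intent: `/* compare by subtraction: offset + size can wrap */`. The same applies to the sibling FILE_*SHORT/*LONG cases below, not repeated here; the literal size `1` (2 and 4 in the siblings) presumably mirrors the width of the value fetched right after, but that fetch is outside the hunk. mget's body starts and ends outside this hunk.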
|
49 @@ -1206,7 +1208,7 @@ mget(struct magic_set *ms, const unsigned char *s, struct magic *m, |
|
50 offset = ~offset; |
|
51 break; |
|
52 case FILE_BESHORT: |
|
53 - if (nbytes < (offset + 2)) |
|
54 + if (OFFSET_OOB(nbytes, offset, 2)) |
|
55 return 0; |
|
56 if (off) { |
|
57 switch (m->in_op & FILE_OPS_MASK) { |
|
58 @@ -1258,7 +1260,7 @@ mget(struct magic_set *ms, const unsigned char *s, struct magic *m, |
|
59 offset = ~offset; |
|
60 break; |
|
61 case FILE_LESHORT: |
|
62 - if (nbytes < (offset + 2)) |
|
63 + if (OFFSET_OOB(nbytes, offset, 2)) |
|
64 return 0; |
|
65 if (off) { |
|
66 switch (m->in_op & FILE_OPS_MASK) { |
|
67 @@ -1310,7 +1312,7 @@ mget(struct magic_set *ms, const unsigned char *s, struct magic *m, |
|
68 offset = ~offset; |
|
69 break; |
|
70 case FILE_SHORT: |
|
71 - if (nbytes < (offset + 2)) |
|
72 + if (OFFSET_OOB(nbytes, offset, 2)) |
|
73 return 0; |
|
74 if (off) { |
|
75 switch (m->in_op & FILE_OPS_MASK) { |
|
76 @@ -1347,7 +1349,7 @@ mget(struct magic_set *ms, const unsigned char *s, struct magic *m, |
|
77 break; |
|
78 case FILE_BELONG: |
|
79 case FILE_BEID3: |
|
80 - if (nbytes < (offset + 4)) |
|
81 + if (OFFSET_OOB(nbytes, offset, 4)) |
|
82 return 0; |
|
83 if (off) { |
|
84 switch (m->in_op & FILE_OPS_MASK) { |
|
85 @@ -1418,7 +1420,7 @@ mget(struct magic_set *ms, const unsigned char *s, struct magic *m, |
|
86 break; |
|
87 case FILE_LELONG: |
|
88 case FILE_LEID3: |
|
89 - if (nbytes < (offset + 4)) |
|
90 + if (OFFSET_OOB(nbytes, offset, 4)) |
|
91 return 0; |
|
92 if (off) { |
|
93 switch (m->in_op & FILE_OPS_MASK) { |
|
94 @@ -1488,7 +1490,7 @@ mget(struct magic_set *ms, const unsigned char *s, struct magic *m, |
|
95 offset = ~offset; |
|
96 break; |
|
97 case FILE_MELONG: |
|
98 - if (nbytes < (offset + 4)) |
|
99 + if (OFFSET_OOB(nbytes, offset, 4)) |
|
100 return 0; |
|
101 if (off) { |
|
102 switch (m->in_op & FILE_OPS_MASK) { |
|
103 @@ -1558,7 +1560,7 @@ mget(struct magic_set *ms, const unsigned char *s, struct magic *m, |
|
104 offset = ~offset; |
|
105 break; |
|
106 case FILE_LONG: |
|
107 - if (nbytes < (offset + 4)) |
|
108 + if (OFFSET_OOB(nbytes, offset, 4)) |
|
109 return 0; |
|
110 if (off) { |
|
111 switch (m->in_op & FILE_OPS_MASK) { |
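Review bot: The check `if (OFFSET_OOB(nbytes, offset, 4))` bounds only the 4-byte fetch of the indirection value; the value it yields then replaces `offset` (the preceding case's `offset = ~offset;` at the top of the hunk shows the pattern), and that file-controlled offset is not range-checked anywhere visible here. If the later dereference of `s + offset` in mget is not itself guarded with an `OFFSET_OOB(nbytes, offset, ...)` check, an attacker-chosen indirect offset still yields an out-of-bounds read; that code is outside this hunk, so it should be confirmed rather than assumed. mget's body continues beyond the end of the hunk.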