components/php-5_3/php-sapi/patches/160_php_18368537.patch
branchs11u1-sru
changeset 3086 649b12aa87ce
3083:6826bd655a25 3086:649b12aa87ce
       
     1 Fix for CVE-2014-1943
       
     2 Modified version of this patch:
       
     3 http://git.php.net/?p=php-src.git;a=patch;h=fdb9b6e5ec73d37b9734c9f7c50b3946ed85b5e3
       
     4 which is for php 5.4 code.
       
     5 php 5.4 code is here:
       
     6 http://git.php.net/?p=php-src.git;a=commit;h=fdb9b6e5ec73d37b9734c9f7c50b3946ed85b5e3
       
     7 Got this version from [email protected] who is a
       
     8 PHP community member.
       
     9 Comparing the 2 versions and this one looks believable.
       
    10 
       
    11 
       
    12 php-5.3.28-CVE-2014-1943.diff
       
    13 
       
    14 diff -Naurp php-5.3.28/ext/fileinfo/libmagic/ascmagic.c php-5.3.28.oden/ext/fileinfo/libmagic/ascmagic.c
       
    15 --- php-5.3.28/ext/fileinfo/libmagic/ascmagic.c	2013-12-10 19:04:57.000000000 +0000
       
    16 +++ php-5.3.28.oden/ext/fileinfo/libmagic/ascmagic.c	2014-02-19 15:59:40.000000000 +0000
       
    17 @@ -145,7 +145,7 @@ file_ascmagic_with_encoding(struct magic
       
    18  		    == NULL)
       
    19  			goto done;
       
    20  		if ((rv = file_softmagic(ms, utf8_buf,
       
    21 -		    (size_t)(utf8_end - utf8_buf), TEXTTEST, text)) == 0)
       
    22 +		    (size_t)(utf8_end - utf8_buf), 0, TEXTTEST, text)) == 0)
       
    23  			rv = -1;
       
    24  	}
       
    25  
       
    26 diff -Naurp php-5.3.28/ext/fileinfo/libmagic/file.h php-5.3.28.oden/ext/fileinfo/libmagic/file.h
       
    27 --- php-5.3.28/ext/fileinfo/libmagic/file.h	2013-12-10 19:04:57.000000000 +0000
       
    28 +++ php-5.3.28.oden/ext/fileinfo/libmagic/file.h	2014-02-19 15:59:40.000000000 +0000
       
    29 @@ -414,7 +414,7 @@ protected int file_encoding(struct magic
       
    30      unichar **, size_t *, const char **, const char **, const char **);
       
    31  protected int file_is_tar(struct magic_set *, const unsigned char *, size_t);
       
    32  protected int file_softmagic(struct magic_set *, const unsigned char *, size_t,
       
    33 -    int, int);
       
    34 +    size_t, int, int);
       
    35  protected struct mlist *file_apprentice(struct magic_set *, const char *, int);
       
    36  protected uint64_t file_signextend(struct magic_set *, struct magic *,
       
    37      uint64_t);
       
    38 diff -Naurp php-5.3.28/ext/fileinfo/libmagic/funcs.c php-5.3.28.oden/ext/fileinfo/libmagic/funcs.c
       
    39 --- php-5.3.28/ext/fileinfo/libmagic/funcs.c	2013-12-10 19:04:57.000000000 +0000
       
    40 +++ php-5.3.28.oden/ext/fileinfo/libmagic/funcs.c	2014-02-19 15:59:40.000000000 +0000
       
    41 @@ -235,7 +235,7 @@ file_buffer(struct magic_set *ms, php_st
       
    42  
       
    43  	/* try soft magic tests */
       
    44  	if ((ms->flags & MAGIC_NO_CHECK_SOFT) == 0)
       
    45 -		if ((m = file_softmagic(ms, ubuf, nb, BINTEST,
       
    46 +		if ((m = file_softmagic(ms, ubuf, nb, 0, BINTEST,
       
    47  		    looks_text)) != 0) {
       
    48  			if ((ms->flags & MAGIC_DEBUG) != 0)
       
    49  				(void)fprintf(stderr, "softmagic %d\n", m);
       
    50 diff -Naurp php-5.3.28/ext/fileinfo/libmagic/softmagic.c php-5.3.28.oden/ext/fileinfo/libmagic/softmagic.c
       
    51 --- php-5.3.28/ext/fileinfo/libmagic/softmagic.c	2013-12-10 19:04:57.000000000 +0000
       
    52 +++ php-5.3.28.oden/ext/fileinfo/libmagic/softmagic.c	2014-02-19 15:59:40.000000000 +0000
       
    53 @@ -48,9 +48,9 @@ FILE_RCSID("@(#)$File: softmagic.c,v 1.1
       
    54  
       
    55  
       
    56  private int match(struct magic_set *, struct magic *, uint32_t,
       
    57 -    const unsigned char *, size_t, int, int);
       
    58 +    const unsigned char *, size_t, int, int, int);
       
    59  private int mget(struct magic_set *, const unsigned char *,
       
    60 -    struct magic *, size_t, unsigned int, int);
       
    61 +    struct magic *, size_t, unsigned int, int, int);
       
    62  private int magiccheck(struct magic_set *, struct magic *);
       
    63  private int32_t mprint(struct magic_set *, struct magic *);
       
    64  private int32_t moffset(struct magic_set *, struct magic *);
       
    65 @@ -72,13 +72,13 @@ private void cvt_64(union VALUETYPE *, c
       
    66  /*ARGSUSED1*/		/* nbytes passed for regularity, maybe need later */
       
    67  protected int
       
    68  file_softmagic(struct magic_set *ms, const unsigned char *buf, size_t nbytes,
       
    69 -    int mode, int text)
       
    70 +    size_t level, int mode, int text)
       
    71  {
       
    72  	struct mlist *ml;
       
    73  	int rv;
       
    74  	for (ml = ms->mlist->next; ml != ms->mlist; ml = ml->next)
       
    75  		if ((rv = match(ms, ml->magic, ml->nmagic, buf, nbytes, mode,
       
    76 -		    text)) != 0)
       
    77 +		    text, level)) != 0)
       
    78  			return rv;
       
    79  
       
    80  	return 0;
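Review bot: The depth counter changes type along the call chain: `level` is `size_t` in this signature and in the file.h prototype, while `match()` and `mget()` take it as `int recursion_level`, and the FILE_INDIRECT case hands that `int` back into the `size_t` parameter. The depth cap keeps the values small, so this is a point of style rather than a defect, but a single type would avoid an implicit signed/unsigned conversion on every nested call, e.g. `int level, int mode, int text)` here and `int, int, int);` in file.h. The counter is also placed before `mode`/`text` here but last in `match()` and `mget()`, so a short comment on the parameter (`/* level: current FILE_INDIRECT nesting depth, 0 at the top-level call */`) would help the next reader of the call sites.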
       
    81 @@ -113,7 +113,8 @@ file_softmagic(struct magic_set *ms, con
       
    82   */
       
    83  private int
       
    84  match(struct magic_set *ms, struct magic *magic, uint32_t nmagic,
       
    85 -    const unsigned char *s, size_t nbytes, int mode, int text)
       
    86 +    const unsigned char *s, size_t nbytes, int mode, int text,
       
    87 +    int recursion_level)
       
    88  {
       
    89  	uint32_t magindex = 0;
       
    90  	unsigned int cont_level = 0;
       
    91 @@ -145,7 +146,7 @@ match(struct magic_set *ms, struct magic
       
    92  		ms->line = m->lineno;
       
    93  
       
    94  		/* if main entry matches, print it... */
       
    95 -		switch (mget(ms, s, m, nbytes, cont_level, text)) {
       
    96 +		switch (mget(ms, s, m, nbytes, cont_level, text, recursion_level + 1)) {
       
    97  		case -1:
       
    98  			return -1;
       
    99  		case 0:
       
   100 @@ -227,7 +228,7 @@ match(struct magic_set *ms, struct magic
       
   101  					continue;
       
   102  			}
       
   103  #endif
       
   104 -			switch (mget(ms, s, m, nbytes, cont_level, text)) {
       
   105 +			switch (mget(ms, s, m, nbytes, cont_level, text, recursion_level + 1)) {
       
   106  			case -1:
       
   107  				return -1;
       
   108  			case 0:
       
   109 @@ -997,12 +998,18 @@ mcopy(struct magic_set *ms, union VALUET
       
   110  
       
   111  private int
       
   112  mget(struct magic_set *ms, const unsigned char *s,
       
   113 -    struct magic *m, size_t nbytes, unsigned int cont_level, int text)
       
   114 +    struct magic *m, size_t nbytes, unsigned int cont_level, int text,
       
   115 +    int recursion_level)
       
   116  {
       
   117  	uint32_t offset = ms->offset;
       
   118  	uint32_t count = m->str_range;
       
   119  	union VALUETYPE *p = &ms->ms_value;
       
   120  
       
   121 +        if (recursion_level >= 20) {
       
   122 +                file_error(ms, 0, "recursion nesting exceeded");
       
   123 +                return -1;
       
   124 +        }
       
   125 +
       
   126  	if (mcopy(ms, p, m->type, m->flag & INDIR, s, offset, nbytes, count) == -1)
       
   127  		return -1;
       
   128  
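Review bot: The limit in `if (recursion_level >= 20)` is a bare literal with no comment on what it bounds or why 20 was chosen. A named constant (name is a suggestion only), `#define FILE_INDIR_MAX_DEPTH 20`, together with `/* bound nesting of FILE_INDIRECT entries, which re-enter file_softmagic() at an offset taken from the file */`, would make the guard easier to audit. `match()` passes `recursion_level + 1` on both of its `mget()` calls, so the counter appears to grow only when `file_softmagic()` is re-entered from the FILE_INDIRECT case; that is worth stating in the comment. The five added lines are indented with spaces while the surrounding lines use tabs. The body of `mget()` continues outside this hunk.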
       
   129 @@ -1550,13 +1557,15 @@ mget(struct magic_set *ms, const unsigne
       
   130  		break;
       
   131  
       
   132  	case FILE_INDIRECT:
       
   133 +		if (offset == 0)
       
   134 +			return 0;
       
   135  	  	if ((ms->flags & (MAGIC_MIME|MAGIC_APPLE)) == 0 &&
       
   136  		    file_printf(ms, "%s", m->desc) == -1)
       
   137  			return -1;
       
   138  		if (nbytes < offset)
       
   139  			return 0;
       
   140  		return file_softmagic(ms, s + offset, nbytes - offset,
       
   141 -		    BINTEST, text);
       
   142 +		    recursion_level, BINTEST, text);
       
   143  
       
   144  	case FILE_DEFAULT:	/* nothing to check */
       
   145  	default:
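Review bot: The added `if (offset == 0) return 0;` in the FILE_INDIRECT case has no comment, and its purpose is not evident from the line itself: with offset 0 the call below would pass the same `s` and the same `nbytes` back to `file_softmagic()`, re-running the same rule list on the same buffer. I would put `/* offset 0 would re-scan the same buffer with the same rules; treat as no match */` above it. The remaining `nbytes < offset` test still lets `offset == nbytes` through with a zero-length buffer, which as far as the visible lines show is bounded only by the depth cap in `mget()`, so the comment should say that both guards are needed. This case sits inside a switch in `mget()` that starts outside the hunk.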
       
   146 diff -Naurp php-5.3.28/ext/fileinfo/tests/cve-2014-1943.phpt php-5.3.28.oden/ext/fileinfo/tests/cve-2014-1943.phpt
       
   147 --- php-5.3.28/ext/fileinfo/tests/cve-2014-1943.phpt	1970-01-01 00:00:00.000000000 +0000
       
   148 +++ php-5.3.28.oden/ext/fileinfo/tests/cve-2014-1943.phpt	2014-02-19 16:00:20.000000000 +0000
       
   149 @@ -0,0 +1,39 @@
       
   150 +--TEST--
       
   151 +Bug #66731: file: infinite recursion
       
   152 +--SKIPIF--
       
   153 +<?php
       
   154 +if (!class_exists('finfo'))
       
   155 +	die('skip no fileinfo extension');
       
   156 +--FILE--
       
   157 +<?php
       
   158 +$fd = __DIR__.'/cve-2014-1943.data';
       
   159 +$fm = __DIR__.'/cve-2014-1943.magic';
       
   160 +
       
   161 +$a = "\105\122\000\000\000\000\000";
       
   162 +$b = str_repeat("\001", 250000);
       
   163 +$m =  "0           byte        x\n".
       
   164 +      ">(1.b)      indirect    x\n";
       
   165 +
       
   166 +file_put_contents($fd, $a);
       
   167 +$fi = finfo_open(FILEINFO_NONE);
       
   168 +var_dump(finfo_file($fi, $fd));
       
   169 +finfo_close($fi);
       
   170 +
       
   171 +file_put_contents($fd, $b);
       
   172 +file_put_contents($fm, $m);
       
   173 +$fi = finfo_open(FILEINFO_NONE, $fm);
       
   174 +var_dump(finfo_file($fi, $fd));
       
   175 +finfo_close($fi);
       
   176 +?>
       
   177 +Done
       
   178 +--CLEAN--
       
   179 +<?php
       
   180 [email protected](__DIR__.'/cve-2014-1943.data');
       
   181 [email protected](__DIR__.'/cve-2014-1943.magic');
       
   182 +?>
       
   183 +--EXPECTF--
       
   184 +string(%d) "%s"
       
   185 +
       
   186 +Warning: finfo_file(): Failed identify data 0:(null) in %s on line %d
       
   187 +bool(false)
       
   188 +Done
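Review bot: The `--EXPECTF--` section pins the warning as `Failed identify data 0:(null)`, so the test passes without the `recursion nesting exceeded` text set by `file_error()` in `mget()` ever appearing. From the visible lines it looks as if that message does not reach the `finfo_file()` warning, which would leave an operator unable to tell a depth-limit hit from any other identification failure; this should be confirmed against the caller, which is not shown here. If the message is meant to surface, the expectation should match it instead of `(null)`. A one-line comment in `--FILE--` such as `// 250000 x "\001": every (1.b) indirect resolves to offset 1, forcing deep nesting` would also document why `$b` has that shape.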
       
   189 
       
   190