--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/components/php-5_3/php-sapi/patches/160_php_18368537.patch Fri Apr 18 11:03:12 2014 -0700
@@ -0,0 +1,190 @@
+Fix for CVE-2014-1943
+Modified version of this patch:
+http://git.php.net/?p=php-src.git;a=patch;h=fdb9b6e5ec73d37b9734c9f7c50b3946ed85b5e3
+which is for php 5.4 code.
+php 5.4 code is here:
+http://git.php.net/?p=php-src.git;a=commit;h=fdb9b6e5ec73d37b9734c9f7c50b3946ed85b5e3
+Got this verson from [email protected] who is a
+PHP community member.
+Comparing the 2 versions and this one looks believable.
+
+
+php-5.3.28-CVE-2014-1943.diff
+
+diff -Naurp php-5.3.28/ext/fileinfo/libmagic/ascmagic.c php-5.3.28.oden/ext/fileinfo/libmagic/ascmagic.c
+--- php-5.3.28/ext/fileinfo/libmagic/ascmagic.c 2013-12-10 19:04:57.000000000 +0000
++++ php-5.3.28.oden/ext/fileinfo/libmagic/ascmagic.c 2014-02-19 15:59:40.000000000 +0000
+@@ -145,7 +145,7 @@ file_ascmagic_with_encoding(struct magic
+ == NULL)
+ goto done;
+ if ((rv = file_softmagic(ms, utf8_buf,
+- (size_t)(utf8_end - utf8_buf), TEXTTEST, text)) == 0)
++ (size_t)(utf8_end - utf8_buf), 0, TEXTTEST, text)) == 0)
+ rv = -1;
+ }
+
+diff -Naurp php-5.3.28/ext/fileinfo/libmagic/file.h php-5.3.28.oden/ext/fileinfo/libmagic/file.h
+--- php-5.3.28/ext/fileinfo/libmagic/file.h 2013-12-10 19:04:57.000000000 +0000
++++ php-5.3.28.oden/ext/fileinfo/libmagic/file.h 2014-02-19 15:59:40.000000000 +0000
+@@ -414,7 +414,7 @@ protected int file_encoding(struct magic
+ unichar **, size_t *, const char **, const char **, const char **);
+ protected int file_is_tar(struct magic_set *, const unsigned char *, size_t);
+ protected int file_softmagic(struct magic_set *, const unsigned char *, size_t,
+- int, int);
++ size_t, int, int);
+ protected struct mlist *file_apprentice(struct magic_set *, const char *, int);
+ protected uint64_t file_signextend(struct magic_set *, struct magic *,
+ uint64_t);
+diff -Naurp php-5.3.28/ext/fileinfo/libmagic/funcs.c php-5.3.28.oden/ext/fileinfo/libmagic/funcs.c
+--- php-5.3.28/ext/fileinfo/libmagic/funcs.c 2013-12-10 19:04:57.000000000 +0000
++++ php-5.3.28.oden/ext/fileinfo/libmagic/funcs.c 2014-02-19 15:59:40.000000000 +0000
+@@ -235,7 +235,7 @@ file_buffer(struct magic_set *ms, php_st
+
+ /* try soft magic tests */
+ if ((ms->flags & MAGIC_NO_CHECK_SOFT) == 0)
+- if ((m = file_softmagic(ms, ubuf, nb, BINTEST,
++ if ((m = file_softmagic(ms, ubuf, nb, 0, BINTEST,
+ looks_text)) != 0) {
+ if ((ms->flags & MAGIC_DEBUG) != 0)
+ (void)fprintf(stderr, "softmagic %d\n", m);
+diff -Naurp php-5.3.28/ext/fileinfo/libmagic/softmagic.c php-5.3.28.oden/ext/fileinfo/libmagic/softmagic.c
+--- php-5.3.28/ext/fileinfo/libmagic/softmagic.c 2013-12-10 19:04:57.000000000 +0000
++++ php-5.3.28.oden/ext/fileinfo/libmagic/softmagic.c 2014-02-19 15:59:40.000000000 +0000
+@@ -48,9 +48,9 @@ FILE_RCSID("@(#)$File: softmagic.c,v 1.1
+
+
+ private int match(struct magic_set *, struct magic *, uint32_t,
+- const unsigned char *, size_t, int, int);
++ const unsigned char *, size_t, int, int, int);
+ private int mget(struct magic_set *, const unsigned char *,
+- struct magic *, size_t, unsigned int, int);
++ struct magic *, size_t, unsigned int, int, int);
+ private int magiccheck(struct magic_set *, struct magic *);
+ private int32_t mprint(struct magic_set *, struct magic *);
+ private int32_t moffset(struct magic_set *, struct magic *);
+@@ -72,13 +72,13 @@ private void cvt_64(union VALUETYPE *, c
+ /*ARGSUSED1*/ /* nbytes passed for regularity, maybe need later */
+ protected int
+ file_softmagic(struct magic_set *ms, const unsigned char *buf, size_t nbytes,
+- int mode, int text)
++ size_t level, int mode, int text)
+ {
+ struct mlist *ml;
+ int rv;
+ for (ml = ms->mlist->next; ml != ms->mlist; ml = ml->next)
+ if ((rv = match(ms, ml->magic, ml->nmagic, buf, nbytes, mode,
+- text)) != 0)
++ text, level)) != 0)
+ return rv;
+
+ return 0;
+@@ -113,7 +113,8 @@ file_softmagic(struct magic_set *ms, con
+ */
+ private int
+ match(struct magic_set *ms, struct magic *magic, uint32_t nmagic,
+- const unsigned char *s, size_t nbytes, int mode, int text)
++ const unsigned char *s, size_t nbytes, int mode, int text,
++ int recursion_level)
+ {
+ uint32_t magindex = 0;
+ unsigned int cont_level = 0;
+@@ -145,7 +146,7 @@ match(struct magic_set *ms, struct magic
+ ms->line = m->lineno;
+
+ /* if main entry matches, print it... */
+- switch (mget(ms, s, m, nbytes, cont_level, text)) {
++ switch (mget(ms, s, m, nbytes, cont_level, text, recursion_level + 1)) {
+ case -1:
+ return -1;
+ case 0:
+@@ -227,7 +228,7 @@ match(struct magic_set *ms, struct magic
+ continue;
+ }
+ #endif
+- switch (mget(ms, s, m, nbytes, cont_level, text)) {
++ switch (mget(ms, s, m, nbytes, cont_level, text, recursion_level + 1)) {
+ case -1:
+ return -1;
+ case 0:
+@@ -997,12 +998,18 @@ mcopy(struct magic_set *ms, union VALUET
+
+ private int
+ mget(struct magic_set *ms, const unsigned char *s,
+- struct magic *m, size_t nbytes, unsigned int cont_level, int text)
++ struct magic *m, size_t nbytes, unsigned int cont_level, int text,
++ int recursion_level)
+ {
+ uint32_t offset = ms->offset;
+ uint32_t count = m->str_range;
+ union VALUETYPE *p = &ms->ms_value;
+
++ if (recursion_level >= 20) {
++ file_error(ms, 0, "recursion nesting exceeded");
++ return -1;
++ }
++
+ if (mcopy(ms, p, m->type, m->flag & INDIR, s, offset, nbytes, count) == -1)
+ return -1;
+
+@@ -1550,13 +1557,15 @@ mget(struct magic_set *ms, const unsigne
+ break;
+
+ case FILE_INDIRECT:
++ if (offset == 0)
++ return 0;
+ if ((ms->flags & (MAGIC_MIME|MAGIC_APPLE)) == 0 &&
+ file_printf(ms, "%s", m->desc) == -1)
+ return -1;
+ if (nbytes < offset)
+ return 0;
+ return file_softmagic(ms, s + offset, nbytes - offset,
+- BINTEST, text);
++ recursion_level, BINTEST, text);
+
+ case FILE_DEFAULT: /* nothing to check */
+ default:
+diff -Naurp php-5.3.28/ext/fileinfo/tests/cve-2014-1943.phpt php-5.3.28.oden/ext/fileinfo/tests/cve-2014-1943.phpt
+--- php-5.3.28/ext/fileinfo/tests/cve-2014-1943.phpt 1970-01-01 00:00:00.000000000 +0000
++++ php-5.3.28.oden/ext/fileinfo/tests/cve-2014-1943.phpt 2014-02-19 16:00:20.000000000 +0000
+@@ -0,0 +1,39 @@
++--TEST--
++Bug #66731: file: infinite recursion
++--SKIPIF--
++<?php
++if (!class_exists('finfo'))
++ die('skip no fileinfo extension');
++--FILE--
++<?php
++$fd = __DIR__.'/cve-2014-1943.data';
++$fm = __DIR__.'/cve-2014-1943.magic';
++
++$a = "\105\122\000\000\000\000\000";
++$b = str_repeat("\001", 250000);
++$m = "0 byte x\n".
++ ">(1.b) indirect x\n";
++
++file_put_contents($fd, $a);
++$fi = finfo_open(FILEINFO_NONE);
++var_dump(finfo_file($fi, $fd));
++finfo_close($fi);
++
++file_put_contents($fd, $b);
++file_put_contents($fm, $m);
++$fi = finfo_open(FILEINFO_NONE, $fm);
++var_dump(finfo_file($fi, $fd));
++finfo_close($fi);
++?>
++Done
++--CLEAN--
++<?php
++@unlink(__DIR__.'/cve-2014-1943.data');
++@unlink(__DIR__.'/cve-2014-1943.magic');
++?>
++--EXPECTF--
++string(%d) "%s"
++
++Warning: finfo_file(): Failed identify data 0:(null) in %s on line %d
++bool(false)
++Done
+
+