Mercurial Mercurial > upstream > oracle > userland-gate / diff
summary | shortlog | changelog | graph | tags | bookmarks | branches | files | changeset | file | latest | revisions | annotate | diff | comparison | raw | help
Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
components/php-5_3/php-sapi/patches/210_php_19556437.patch
branchs11u2-sru
changeset 3810 8421290d92e0 
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/components/php-5_3/php-sapi/patches/210_php_19556437.patch	Wed Feb 11 10:30:02 2015 -0800
@@ -0,0 +1,98 @@
+Fix for CVE-2014-3538
+Patch from PHP community:
+http://git.php.net/?p=php-src.git;a=commitdiff;h=eeaec70758bfc0c0e2c0f8944c8dbeae02866206
+But this is for php 5.4.32.
+The website:
+http://permalink.gmane.org/gmane.linux.frugalware.scm/131282
+shows a patch for php 5.3.26 so I've hand crafted a patch
+based on both websites.
+
+
+--- php-5.3.29/ext/fileinfo/libmagic/softmagic.c_orig	2014-10-20 16:46:35.678013082 -0700
++++ php-5.3.29/ext/fileinfo/libmagic/softmagic.c	2014-10-22 13:51:20.141509243 -0700
+@@ -56,7 +56,7 @@
+ private int32_t moffset(struct magic_set *, struct magic *);
+ private void mdebug(uint32_t, const char *, size_t);
+ private int mcopy(struct magic_set *, union VALUETYPE *, int, int,
+-    const unsigned char *, uint32_t, size_t, size_t);
++    const unsigned char *, uint32_t, size_t, struct magic *);
+ private int mconvert(struct magic_set *, struct magic *);
+ private int print_sep(struct magic_set *, int);
+ private int handle_annotation(struct magic_set *, struct magic *);
+@@ -898,7 +898,7 @@
+ 
+ private int
+ mcopy(struct magic_set *ms, union VALUETYPE *p, int type, int indir,
+-    const unsigned char *s, uint32_t offset, size_t nbytes, size_t linecnt)
++    const unsigned char *s, uint32_t offset, size_t nbytes, struct magic *m)
+ {
+ 	/*
+ 	 * Note: FILE_SEARCH and FILE_REGEX do not actually copy
+@@ -918,15 +918,24 @@
+ 			const char *last;	/* end of search region */
+ 			const char *buf;	/* start of search region */
+ 			const char *end;
+-			size_t lines;
++			size_t lines, linecnt, bytecnt;
++			 
++			linecnt = m->str_range;
++			bytecnt = linecnt * 80;
+ 
++			if (bytecnt == 0) {
++				bytecnt = 8192;
++			}
++			if (bytecnt > nbytes) {
++				bytecnt = nbytes;
++			}
+ 			if (s == NULL) {
+ 				ms->search.s_len = 0;
+ 				ms->search.s = NULL;
+ 				return 0;
+ 			}
+ 			buf = RCAST(const char *, s) + offset;
+-			end = last = RCAST(const char *, s) + nbytes;
++			end = last = RCAST(const char *, s) + bytecnt;
+ 			/* mget() guarantees buf <= last */
+ 			for (lines = linecnt, b = buf; lines && b < end &&
+ 			     ((b = CAST(const char *,
+@@ -939,7 +948,7 @@
+ 					b++;
+ 			}
+ 			if (lines)
+-				last = RCAST(const char *, s) + nbytes;
++				last = RCAST(const char *, s) + bytecnt;
+ 
+ 			ms->search.s = buf;
+ 			ms->search.s_len = last - buf;
+@@ -1012,7 +1021,6 @@
+     int recursion_level)
+ {
+ 	uint32_t offset = ms->offset;
+-	uint32_t count = m->str_range;
+ 	union VALUETYPE *p = &ms->ms_value;
+ 
+         if (recursion_level >= 20) {
+@@ -1020,10 +1028,13 @@
+                 return -1;
+         }
+ 
+-	if (mcopy(ms, p, m->type, m->flag & INDIR, s, offset, nbytes, count) == -1)
++	if (mcopy(ms, p, m->type, m->flag & INDIR, s, offset,
++	    (uint32_t)nbytes, m) == -1)
+ 		return -1;
+ 
+ 	if ((ms->flags & MAGIC_DEBUG) != 0) {
++		fprintf(stderr, "mget(type=%d, flag=%x, offset=%u, "
++		    "nbytes=%zu)\n", m->type, m->flag, offset, nbytes);
+ 		mdebug(offset, (char *)(void *)p, sizeof(union VALUETYPE));
+ 	}
+ 
+@@ -1504,7 +1515,7 @@
+ 		if (m->flag & INDIROFFADD) {
+ 			offset += ms->c.li[cont_level-1].off;
+ 		}
+-		if (mcopy(ms, p, m->type, 0, s, offset, nbytes, count) == -1)
++		if (mcopy(ms, p, m->type, 0, s, offset, nbytes, m) == -1)
+ 			return -1;
+ 		ms->offset = offset;
+
upstream/oracle/userland-gate