components/php-5_3/php-sapi/patches/160_php_18368537.patch
author Craig Mohrman <craig.mohrman@oracle.com>
Fri, 18 Apr 2014 11:03:12 -0700
branchs11u1-sru
changeset 3086 649b12aa87ce
permissions -rw-r--r--
17362112 problem in UTILITY/PHP 18083695 problem in UTILITY/PHP 18181920 remove BUILD_VERSION from php package manifests 18368537 problem in UTILITY/PHP 18368630 problem in UTILITY/PHP
Fix for CVE-2014-1943
Modified version of this patch:
http://git.php.net/?p=php-src.git;a=patch;h=fdb9b6e5ec73d37b9734c9f7c50b3946ed85b5e3
which is for php 5.4 code.
php 5.4 code is here:
http://git.php.net/?p=php-src.git;a=commit;h=fdb9b6e5ec73d37b9734c9f7c50b3946ed85b5e3
Got this verson from [email protected] who is a
PHP community member.
Comparing the 2 versions and this one looks believable.


php-5.3.28-CVE-2014-1943.diff

diff -Naurp php-5.3.28/ext/fileinfo/libmagic/ascmagic.c php-5.3.28.oden/ext/fileinfo/libmagic/ascmagic.c
--- php-5.3.28/ext/fileinfo/libmagic/ascmagic.c	2013-12-10 19:04:57.000000000 +0000
+++ php-5.3.28.oden/ext/fileinfo/libmagic/ascmagic.c	2014-02-19 15:59:40.000000000 +0000
@@ -145,7 +145,7 @@ file_ascmagic_with_encoding(struct magic
 		    == NULL)
 			goto done;
 		if ((rv = file_softmagic(ms, utf8_buf,
-		    (size_t)(utf8_end - utf8_buf), TEXTTEST, text)) == 0)
+		    (size_t)(utf8_end - utf8_buf), 0, TEXTTEST, text)) == 0)
 			rv = -1;
 	}
 
diff -Naurp php-5.3.28/ext/fileinfo/libmagic/file.h php-5.3.28.oden/ext/fileinfo/libmagic/file.h
--- php-5.3.28/ext/fileinfo/libmagic/file.h	2013-12-10 19:04:57.000000000 +0000
+++ php-5.3.28.oden/ext/fileinfo/libmagic/file.h	2014-02-19 15:59:40.000000000 +0000
@@ -414,7 +414,7 @@ protected int file_encoding(struct magic
     unichar **, size_t *, const char **, const char **, const char **);
 protected int file_is_tar(struct magic_set *, const unsigned char *, size_t);
 protected int file_softmagic(struct magic_set *, const unsigned char *, size_t,
-    int, int);
+    size_t, int, int);
 protected struct mlist *file_apprentice(struct magic_set *, const char *, int);
 protected uint64_t file_signextend(struct magic_set *, struct magic *,
     uint64_t);
diff -Naurp php-5.3.28/ext/fileinfo/libmagic/funcs.c php-5.3.28.oden/ext/fileinfo/libmagic/funcs.c
--- php-5.3.28/ext/fileinfo/libmagic/funcs.c	2013-12-10 19:04:57.000000000 +0000
+++ php-5.3.28.oden/ext/fileinfo/libmagic/funcs.c	2014-02-19 15:59:40.000000000 +0000
@@ -235,7 +235,7 @@ file_buffer(struct magic_set *ms, php_st
 
 	/* try soft magic tests */
 	if ((ms->flags & MAGIC_NO_CHECK_SOFT) == 0)
-		if ((m = file_softmagic(ms, ubuf, nb, BINTEST,
+		if ((m = file_softmagic(ms, ubuf, nb, 0, BINTEST,
 		    looks_text)) != 0) {
 			if ((ms->flags & MAGIC_DEBUG) != 0)
 				(void)fprintf(stderr, "softmagic %d\n", m);
diff -Naurp php-5.3.28/ext/fileinfo/libmagic/softmagic.c php-5.3.28.oden/ext/fileinfo/libmagic/softmagic.c
--- php-5.3.28/ext/fileinfo/libmagic/softmagic.c	2013-12-10 19:04:57.000000000 +0000
+++ php-5.3.28.oden/ext/fileinfo/libmagic/softmagic.c	2014-02-19 15:59:40.000000000 +0000
@@ -48,9 +48,9 @@ FILE_RCSID("@(#)$File: softmagic.c,v 1.1
 
 
 private int match(struct magic_set *, struct magic *, uint32_t,
-    const unsigned char *, size_t, int, int);
+    const unsigned char *, size_t, int, int, int);
 private int mget(struct magic_set *, const unsigned char *,
-    struct magic *, size_t, unsigned int, int);
+    struct magic *, size_t, unsigned int, int, int);
 private int magiccheck(struct magic_set *, struct magic *);
 private int32_t mprint(struct magic_set *, struct magic *);
 private int32_t moffset(struct magic_set *, struct magic *);
@@ -72,13 +72,13 @@ private void cvt_64(union VALUETYPE *, c
 /*ARGSUSED1*/		/* nbytes passed for regularity, maybe need later */
 protected int
 file_softmagic(struct magic_set *ms, const unsigned char *buf, size_t nbytes,
-    int mode, int text)
+    size_t level, int mode, int text)
 {
 	struct mlist *ml;
 	int rv;
 	for (ml = ms->mlist->next; ml != ms->mlist; ml = ml->next)
 		if ((rv = match(ms, ml->magic, ml->nmagic, buf, nbytes, mode,
-		    text)) != 0)
+		    text, level)) != 0)
 			return rv;
 
 	return 0;
@@ -113,7 +113,8 @@ file_softmagic(struct magic_set *ms, con
  */
 private int
 match(struct magic_set *ms, struct magic *magic, uint32_t nmagic,
-    const unsigned char *s, size_t nbytes, int mode, int text)
+    const unsigned char *s, size_t nbytes, int mode, int text,
+    int recursion_level)
 {
 	uint32_t magindex = 0;
 	unsigned int cont_level = 0;
@@ -145,7 +146,7 @@ match(struct magic_set *ms, struct magic
 		ms->line = m->lineno;
 
 		/* if main entry matches, print it... */
-		switch (mget(ms, s, m, nbytes, cont_level, text)) {
+		switch (mget(ms, s, m, nbytes, cont_level, text, recursion_level + 1)) {
 		case -1:
 			return -1;
 		case 0:
@@ -227,7 +228,7 @@ match(struct magic_set *ms, struct magic
 					continue;
 			}
 #endif
-			switch (mget(ms, s, m, nbytes, cont_level, text)) {
+			switch (mget(ms, s, m, nbytes, cont_level, text, recursion_level + 1)) {
 			case -1:
 				return -1;
 			case 0:
@@ -997,12 +998,18 @@ mcopy(struct magic_set *ms, union VALUET
 
 private int
 mget(struct magic_set *ms, const unsigned char *s,
-    struct magic *m, size_t nbytes, unsigned int cont_level, int text)
+    struct magic *m, size_t nbytes, unsigned int cont_level, int text,
+    int recursion_level)
 {
 	uint32_t offset = ms->offset;
 	uint32_t count = m->str_range;
 	union VALUETYPE *p = &ms->ms_value;
 
+        if (recursion_level >= 20) {
+                file_error(ms, 0, "recursion nesting exceeded");
+                return -1;
+        }
+
 	if (mcopy(ms, p, m->type, m->flag & INDIR, s, offset, nbytes, count) == -1)
 		return -1;
 
@@ -1550,13 +1557,15 @@ mget(struct magic_set *ms, const unsigne
 		break;
 
 	case FILE_INDIRECT:
+		if (offset == 0)
+			return 0;
 	  	if ((ms->flags & (MAGIC_MIME|MAGIC_APPLE)) == 0 &&
 		    file_printf(ms, "%s", m->desc) == -1)
 			return -1;
 		if (nbytes < offset)
 			return 0;
 		return file_softmagic(ms, s + offset, nbytes - offset,
-		    BINTEST, text);
+		    recursion_level, BINTEST, text);
 
 	case FILE_DEFAULT:	/* nothing to check */
 	default:
diff -Naurp php-5.3.28/ext/fileinfo/tests/cve-2014-1943.phpt php-5.3.28.oden/ext/fileinfo/tests/cve-2014-1943.phpt
--- php-5.3.28/ext/fileinfo/tests/cve-2014-1943.phpt	1970-01-01 00:00:00.000000000 +0000
+++ php-5.3.28.oden/ext/fileinfo/tests/cve-2014-1943.phpt	2014-02-19 16:00:20.000000000 +0000
@@ -0,0 +1,39 @@
+--TEST--
+Bug #66731: file: infinite recursion
+--SKIPIF--
+<?php
+if (!class_exists('finfo'))
+	die('skip no fileinfo extension');
+--FILE--
+<?php
+$fd = __DIR__.'/cve-2014-1943.data';
+$fm = __DIR__.'/cve-2014-1943.magic';
+
+$a = "\105\122\000\000\000\000\000";
+$b = str_repeat("\001", 250000);
+$m =  "0           byte        x\n".
+      ">(1.b)      indirect    x\n";
+
+file_put_contents($fd, $a);
+$fi = finfo_open(FILEINFO_NONE);
+var_dump(finfo_file($fi, $fd));
+finfo_close($fi);
+
+file_put_contents($fd, $b);
+file_put_contents($fm, $m);
+$fi = finfo_open(FILEINFO_NONE, $fm);
+var_dump(finfo_file($fi, $fd));
+finfo_close($fi);
+?>
+Done
+--CLEAN--
+<?php
[email protected](__DIR__.'/cve-2014-1943.data');
[email protected](__DIR__.'/cve-2014-1943.magic');
+?>
+--EXPECTF--
+string(%d) "%s"
+
+Warning: finfo_file(): Failed identify data 0:(null) in %s on line %d
+bool(false)
+Done