current/SOURCES/php-5.5.9-CVE-2014-1943.diff


http://git.php.net/?p=php-src.git;a=commit;h=89f864c547014646e71862df3664e3ff33d7143d

diff -Naurp php-5.5.9/ext/fileinfo/libmagic/ascmagic.c php-5.5.9.oden/ext/fileinfo/libmagic/ascmagic.c
--- php-5.5.9/ext/fileinfo/libmagic/ascmagic.c  2014-02-05 11:00:36.000000000 +0100
+++ php-5.5.9.oden/ext/fileinfo/libmagic/ascmagic.c     2014-02-19 16:39:15.867392577 +0100
@@ -147,7 +147,7 @@ file_ascmagic_with_encoding(struct magic
                    == NULL)
                        goto done;
                if ((rv = file_softmagic(ms, utf8_buf,
-                   (size_t)(utf8_end - utf8_buf), TEXTTEST, text)) == 0)
+                   (size_t)(utf8_end - utf8_buf), 0, TEXTTEST, text)) == 0)
                        rv = -1;
        }
 
diff -Naurp php-5.5.9/ext/fileinfo/libmagic/file.h php-5.5.9.oden/ext/fileinfo/libmagic/file.h
--- php-5.5.9/ext/fileinfo/libmagic/file.h      2014-02-05 11:00:36.000000000 +0100
+++ php-5.5.9.oden/ext/fileinfo/libmagic/file.h 2014-02-19 16:39:15.868392577 +0100
@@ -437,7 +437,7 @@ protected int file_encoding(struct magic
     unichar **, size_t *, const char **, const char **, const char **);
 protected int file_is_tar(struct magic_set *, const unsigned char *, size_t);
 protected int file_softmagic(struct magic_set *, const unsigned char *, size_t,
-    int, int);
+    size_t, int, int);
 protected int file_apprentice(struct magic_set *, const char *, int);
 protected int file_magicfind(struct magic_set *, const char *, struct mlist *);
 protected uint64_t file_signextend(struct magic_set *, struct magic *,
diff -Naurp php-5.5.9/ext/fileinfo/libmagic/funcs.c php-5.5.9.oden/ext/fileinfo/libmagic/funcs.c
--- php-5.5.9/ext/fileinfo/libmagic/funcs.c     2014-02-05 11:00:36.000000000 +0100
+++ php-5.5.9.oden/ext/fileinfo/libmagic/funcs.c        2014-02-19 16:39:15.868392577 +0100
@@ -235,7 +235,7 @@ file_buffer(struct magic_set *ms, php_st
 
        /* try soft magic tests */
        if ((ms->flags & MAGIC_NO_CHECK_SOFT) == 0)
-               if ((m = file_softmagic(ms, ubuf, nb, BINTEST,
+               if ((m = file_softmagic(ms, ubuf, nb, 0, BINTEST,
                    looks_text)) != 0) {
                        if ((ms->flags & MAGIC_DEBUG) != 0)
                                (void)fprintf(stderr, "softmagic %d\n", m);
diff -Naurp php-5.5.9/ext/fileinfo/libmagic/softmagic.c php-5.5.9.oden/ext/fileinfo/libmagic/softmagic.c
--- php-5.5.9/ext/fileinfo/libmagic/softmagic.c 2014-02-05 11:00:36.000000000 +0100
+++ php-5.5.9.oden/ext/fileinfo/libmagic/softmagic.c    2014-02-19 16:39:15.869392578 +0100
@@ -74,13 +74,13 @@ private void cvt_64(union VALUETYPE *, c
 /*ARGSUSED1*/          /* nbytes passed for regularity, maybe need later */
 protected int
 file_softmagic(struct magic_set *ms, const unsigned char *buf, size_t nbytes,
-    int mode, int text)
+    size_t level, int mode, int text)
 {
        struct mlist *ml;
        int rv, printed_something = 0, need_separator = 0;
        for (ml = ms->mlist[0]->next; ml != ms->mlist[0]; ml = ml->next)
                if ((rv = match(ms, ml->magic, ml->nmagic, buf, nbytes, 0, mode,
-                   text, 0, 0, &printed_something, &need_separator,
+                   text, 0, level, &printed_something, &need_separator,
                    NULL)) != 0)
                        return rv;
 
@@ -1680,6 +1680,8 @@ mget(struct magic_set *ms, const unsigne
                break;
 
        case FILE_INDIRECT:
+               if (offset == 0)
+                       return 0;
                if (nbytes < offset)
                        return 0;
                sbuf = ms->o.buf;
@@ -1687,7 +1689,7 @@ mget(struct magic_set *ms, const unsigne
                ms->o.buf = NULL;
                ms->offset = 0;
                rv = file_softmagic(ms, s + offset, nbytes - offset,
-                   BINTEST, text);
+                   recursion_level, BINTEST, text);
                if ((ms->flags & MAGIC_DEBUG) != 0)
                        fprintf(stderr, "indirect @offs=%u[%d]\n", offset, rv);
                rbuf = ms->o.buf;
diff -Naurp php-5.5.9/ext/fileinfo/tests/cve-2014-1943.phpt php-5.5.9.oden/ext/fileinfo/tests/cve-2014-1943.phpt
--- php-5.5.9/ext/fileinfo/tests/cve-2014-1943.phpt     1970-01-01 01:00:00.000000000 +0100
+++ php-5.5.9.oden/ext/fileinfo/tests/cve-2014-1943.phpt        2014-02-19 16:39:15.869392578 +0100
@@ -0,0 +1,39 @@
+--TEST--
+Bug #66731: file: infinite recursion
+--SKIPIF--
+<?php
+if (!class_exists('finfo'))
+       die('skip no fileinfo extension');
+--FILE--
+<?php
+$fd = __DIR__.'/cve-2014-1943.data';
+$fm = __DIR__.'/cve-2014-1943.magic';
+
+$a = "\105\122\000\000\000\000\000";
+$b = str_repeat("\001", 250000);
+$m =  "0           byte        x\n".
+      ">(1.b)      indirect    x\n";
+
+file_put_contents($fd, $a);
+$fi = finfo_open(FILEINFO_NONE);
+var_dump(finfo_file($fi, $fd));
+finfo_close($fi);
+
+file_put_contents($fd, $b);
+file_put_contents($fm, $m);
+$fi = finfo_open(FILEINFO_NONE, $fm);
+var_dump(finfo_file($fi, $fd));
+finfo_close($fi);
+?>
+Done
+--CLEAN--
+<?php
+@unlink(__DIR__.'/cve-2014-1943.data');
+@unlink(__DIR__.'/cve-2014-1943.magic');
+?>
+--EXPECTF--
+string(%d) "%s"
+
+Warning: finfo_file(): Failed identify data 0:(null) in %s on line %d
+bool(false)
+Done
1
2	http://git.php.net/?p=php-src.git;a=commit;h=89f864c547014646e71862df3664e3ff33d7143d
3
4	diff -Naurp php-5.5.9/ext/fileinfo/libmagic/ascmagic.c php-5.5.9.oden/ext/fileinfo/libmagic/ascmagic.c
5	--- php-5.5.9/ext/fileinfo/libmagic/ascmagic.c 2014-02-05 11:00:36.000000000 +0100
6	+++ php-5.5.9.oden/ext/fileinfo/libmagic/ascmagic.c 2014-02-19 16:39:15.867392577 +0100
7	@@ -147,7 +147,7 @@ file_ascmagic_with_encoding(struct magic
8	== NULL)
9	goto done;
10	if ((rv = file_softmagic(ms, utf8_buf,
11	- (size_t)(utf8_end - utf8_buf), TEXTTEST, text)) == 0)
12	+ (size_t)(utf8_end - utf8_buf), 0, TEXTTEST, text)) == 0)
13	rv = -1;
14	}
15
16	diff -Naurp php-5.5.9/ext/fileinfo/libmagic/file.h php-5.5.9.oden/ext/fileinfo/libmagic/file.h
17	--- php-5.5.9/ext/fileinfo/libmagic/file.h 2014-02-05 11:00:36.000000000 +0100
18	+++ php-5.5.9.oden/ext/fileinfo/libmagic/file.h 2014-02-19 16:39:15.868392577 +0100
19	@@ -437,7 +437,7 @@ protected int file_encoding(struct magic
20	unichar *, size_t , const char , const char , const char **);
21	protected int file_is_tar(struct magic_set , const unsigned char , size_t);
22	protected int file_softmagic(struct magic_set , const unsigned char , size_t,
23	- int, int);
24	+ size_t, int, int);
25	protected int file_apprentice(struct magic_set , const char , int);
26	protected int file_magicfind(struct magic_set , const char , struct mlist *);
27	protected uint64_t file_signextend(struct magic_set , struct magic ,
28	diff -Naurp php-5.5.9/ext/fileinfo/libmagic/funcs.c php-5.5.9.oden/ext/fileinfo/libmagic/funcs.c
29	--- php-5.5.9/ext/fileinfo/libmagic/funcs.c 2014-02-05 11:00:36.000000000 +0100
30	+++ php-5.5.9.oden/ext/fileinfo/libmagic/funcs.c 2014-02-19 16:39:15.868392577 +0100
31	@@ -235,7 +235,7 @@ file_buffer(struct magic_set *ms, php_st
32
33	/* try soft magic tests */
34	if ((ms->flags & MAGIC_NO_CHECK_SOFT) == 0)
35	- if ((m = file_softmagic(ms, ubuf, nb, BINTEST,
36	+ if ((m = file_softmagic(ms, ubuf, nb, 0, BINTEST,
37	looks_text)) != 0) {
38	if ((ms->flags & MAGIC_DEBUG) != 0)
39	(void)fprintf(stderr, "softmagic %d\n", m);
40	diff -Naurp php-5.5.9/ext/fileinfo/libmagic/softmagic.c php-5.5.9.oden/ext/fileinfo/libmagic/softmagic.c
41	--- php-5.5.9/ext/fileinfo/libmagic/softmagic.c 2014-02-05 11:00:36.000000000 +0100
42	+++ php-5.5.9.oden/ext/fileinfo/libmagic/softmagic.c 2014-02-19 16:39:15.869392578 +0100
43	@@ -74,13 +74,13 @@ private void cvt_64(union VALUETYPE *, c
44	/ARGSUSED1/ /* nbytes passed for regularity, maybe need later */
45	protected int
46	file_softmagic(struct magic_set ms, const unsigned char buf, size_t nbytes,
47	- int mode, int text)
48	+ size_t level, int mode, int text)
49	{
50	struct mlist *ml;
51	int rv, printed_something = 0, need_separator = 0;
52	for (ml = ms->mlist[0]->next; ml != ms->mlist[0]; ml = ml->next)
53	if ((rv = match(ms, ml->magic, ml->nmagic, buf, nbytes, 0, mode,
54	- text, 0, 0, &printed_something, &need_separator,
55	+ text, 0, level, &printed_something, &need_separator,
56	NULL)) != 0)
57	return rv;
58
59	@@ -1680,6 +1680,8 @@ mget(struct magic_set *ms, const unsigne
60	break;
61
62	case FILE_INDIRECT:
63	+ if (offset == 0)
64	+ return 0;
65	if (nbytes < offset)
66	return 0;
67	sbuf = ms->o.buf;
68	@@ -1687,7 +1689,7 @@ mget(struct magic_set *ms, const unsigne
69	ms->o.buf = NULL;
70	ms->offset = 0;
71	rv = file_softmagic(ms, s + offset, nbytes - offset,
72	- BINTEST, text);
73	+ recursion_level, BINTEST, text);
74	if ((ms->flags & MAGIC_DEBUG) != 0)
75	fprintf(stderr, "indirect @offs=%u[%d]\n", offset, rv);
76	rbuf = ms->o.buf;
77	diff -Naurp php-5.5.9/ext/fileinfo/tests/cve-2014-1943.phpt php-5.5.9.oden/ext/fileinfo/tests/cve-2014-1943.phpt
78	--- php-5.5.9/ext/fileinfo/tests/cve-2014-1943.phpt 1970-01-01 01:00:00.000000000 +0100
79	+++ php-5.5.9.oden/ext/fileinfo/tests/cve-2014-1943.phpt 2014-02-19 16:39:15.869392578 +0100
80	@@ -0,0 +1,39 @@
81	+--TEST--
82	+Bug #66731: file: infinite recursion
83	+--SKIPIF--
84	+<?php
85	+if (!class_exists('finfo'))
86	+ die('skip no fileinfo extension');
87	+--FILE--
88	+<?php
89	+$fd = __DIR__.'/cve-2014-1943.data';
90	+$fm = __DIR__.'/cve-2014-1943.magic';
91	+
92	+$a = "\105\122\000\000\000\000\000";
93	+$b = str_repeat("\001", 250000);
94	+$m = "0 byte x\n".
95	+ ">(1.b) indirect x\n";
96	+
97	+file_put_contents($fd, $a);
98	+$fi = finfo_open(FILEINFO_NONE);
99	+var_dump(finfo_file($fi, $fd));
100	+finfo_close($fi);
101	+
102	+file_put_contents($fd, $b);
103	+file_put_contents($fm, $m);
104	+$fi = finfo_open(FILEINFO_NONE, $fm);
105	+var_dump(finfo_file($fi, $fd));
106	+finfo_close($fi);
107	+?>
108	+Done
109	+--CLEAN--
110	+<?php
111	+@unlink(__DIR__.'/cve-2014-1943.data');
112	+@unlink(__DIR__.'/cve-2014-1943.magic');
113	+?>
114	+--EXPECTF--
115	+string(%d) "%s"
116	+
117	+Warning: finfo_file(): Failed identify data 0:(null) in %s on line %d
118	+bool(false)
119	+Done