1 |
|
2 |
http://git.php.net/?p=php-src.git;a=commit;h=89f864c547014646e71862df3664e3ff33d7143d |
3 |
|
4 |
diff -Naurp php-5.5.9/ext/fileinfo/libmagic/ascmagic.c php-5.5.9.oden/ext/fileinfo/libmagic/ascmagic.c |
5 |
--- php-5.5.9/ext/fileinfo/libmagic/ascmagic.c 2014-02-05 11:00:36.000000000 +0100 |
6 |
+++ php-5.5.9.oden/ext/fileinfo/libmagic/ascmagic.c 2014-02-19 16:39:15.867392577 +0100 |
7 |
@@ -147,7 +147,7 @@ file_ascmagic_with_encoding(struct magic |
8 |
== NULL) |
9 |
goto done; |
10 |
if ((rv = file_softmagic(ms, utf8_buf, |
11 |
- (size_t)(utf8_end - utf8_buf), TEXTTEST, text)) == 0) |
12 |
+ (size_t)(utf8_end - utf8_buf), 0, TEXTTEST, text)) == 0) |
13 |
rv = -1; |
14 |
} |
15 |
|
16 |
diff -Naurp php-5.5.9/ext/fileinfo/libmagic/file.h php-5.5.9.oden/ext/fileinfo/libmagic/file.h |
17 |
--- php-5.5.9/ext/fileinfo/libmagic/file.h 2014-02-05 11:00:36.000000000 +0100 |
18 |
+++ php-5.5.9.oden/ext/fileinfo/libmagic/file.h 2014-02-19 16:39:15.868392577 +0100 |
19 |
@@ -437,7 +437,7 @@ protected int file_encoding(struct magic |
20 |
unichar **, size_t *, const char **, const char **, const char **); |
21 |
protected int file_is_tar(struct magic_set *, const unsigned char *, size_t); |
22 |
protected int file_softmagic(struct magic_set *, const unsigned char *, size_t, |
23 |
- int, int); |
24 |
+ size_t, int, int); |
25 |
protected int file_apprentice(struct magic_set *, const char *, int); |
26 |
protected int file_magicfind(struct magic_set *, const char *, struct mlist *); |
27 |
protected uint64_t file_signextend(struct magic_set *, struct magic *, |
28 |
diff -Naurp php-5.5.9/ext/fileinfo/libmagic/funcs.c php-5.5.9.oden/ext/fileinfo/libmagic/funcs.c |
29 |
--- php-5.5.9/ext/fileinfo/libmagic/funcs.c 2014-02-05 11:00:36.000000000 +0100 |
30 |
+++ php-5.5.9.oden/ext/fileinfo/libmagic/funcs.c 2014-02-19 16:39:15.868392577 +0100 |
31 |
@@ -235,7 +235,7 @@ file_buffer(struct magic_set *ms, php_st |
32 |
|
33 |
/* try soft magic tests */ |
34 |
if ((ms->flags & MAGIC_NO_CHECK_SOFT) == 0) |
35 |
- if ((m = file_softmagic(ms, ubuf, nb, BINTEST, |
36 |
+ if ((m = file_softmagic(ms, ubuf, nb, 0, BINTEST, |
37 |
looks_text)) != 0) { |
38 |
if ((ms->flags & MAGIC_DEBUG) != 0) |
39 |
(void)fprintf(stderr, "softmagic %d\n", m); |
40 |
diff -Naurp php-5.5.9/ext/fileinfo/libmagic/softmagic.c php-5.5.9.oden/ext/fileinfo/libmagic/softmagic.c |
41 |
--- php-5.5.9/ext/fileinfo/libmagic/softmagic.c 2014-02-05 11:00:36.000000000 +0100 |
42 |
+++ php-5.5.9.oden/ext/fileinfo/libmagic/softmagic.c 2014-02-19 16:39:15.869392578 +0100 |
43 |
@@ -74,13 +74,13 @@ private void cvt_64(union VALUETYPE *, c |
44 |
/*ARGSUSED1*/ /* nbytes passed for regularity, maybe need later */ |
45 |
protected int |
46 |
file_softmagic(struct magic_set *ms, const unsigned char *buf, size_t nbytes, |
47 |
- int mode, int text) |
48 |
+ size_t level, int mode, int text) |
49 |
{ |
50 |
struct mlist *ml; |
51 |
int rv, printed_something = 0, need_separator = 0; |
52 |
for (ml = ms->mlist[0]->next; ml != ms->mlist[0]; ml = ml->next) |
53 |
if ((rv = match(ms, ml->magic, ml->nmagic, buf, nbytes, 0, mode, |
54 |
- text, 0, 0, &printed_something, &need_separator, |
55 |
+ text, 0, level, &printed_something, &need_separator, |
56 |
NULL)) != 0) |
57 |
return rv; |
58 |
|
59 |
@@ -1680,6 +1680,8 @@ mget(struct magic_set *ms, const unsigne |
60 |
break; |
61 |
|
62 |
case FILE_INDIRECT: |
63 |
+ if (offset == 0) |
64 |
+ return 0; |
65 |
if (nbytes < offset) |
66 |
return 0; |
67 |
sbuf = ms->o.buf; |
68 |
@@ -1687,7 +1689,7 @@ mget(struct magic_set *ms, const unsigne |
69 |
ms->o.buf = NULL; |
70 |
ms->offset = 0; |
71 |
rv = file_softmagic(ms, s + offset, nbytes - offset, |
72 |
- BINTEST, text); |
73 |
+ recursion_level, BINTEST, text); |
74 |
if ((ms->flags & MAGIC_DEBUG) != 0) |
75 |
fprintf(stderr, "indirect @offs=%u[%d]\n", offset, rv); |
76 |
rbuf = ms->o.buf; |
77 |
diff -Naurp php-5.5.9/ext/fileinfo/tests/cve-2014-1943.phpt php-5.5.9.oden/ext/fileinfo/tests/cve-2014-1943.phpt |
78 |
--- php-5.5.9/ext/fileinfo/tests/cve-2014-1943.phpt 1970-01-01 01:00:00.000000000 +0100 |
79 |
+++ php-5.5.9.oden/ext/fileinfo/tests/cve-2014-1943.phpt 2014-02-19 16:39:15.869392578 +0100 |
80 |
@@ -0,0 +1,39 @@ |
81 |
+--TEST-- |
82 |
+Bug #66731: file: infinite recursion |
83 |
+--SKIPIF-- |
84 |
+<?php |
85 |
+if (!class_exists('finfo')) |
86 |
+ die('skip no fileinfo extension'); |
87 |
+--FILE-- |
88 |
+<?php |
89 |
+$fd = __DIR__.'/cve-2014-1943.data'; |
90 |
+$fm = __DIR__.'/cve-2014-1943.magic'; |
91 |
+ |
92 |
+$a = "\105\122\000\000\000\000\000"; |
93 |
+$b = str_repeat("\001", 250000); |
94 |
+$m = "0 byte x\n". |
95 |
+ ">(1.b) indirect x\n"; |
96 |
+ |
97 |
+file_put_contents($fd, $a); |
98 |
+$fi = finfo_open(FILEINFO_NONE); |
99 |
+var_dump(finfo_file($fi, $fd)); |
100 |
+finfo_close($fi); |
101 |
+ |
102 |
+file_put_contents($fd, $b); |
103 |
+file_put_contents($fm, $m); |
104 |
+$fi = finfo_open(FILEINFO_NONE, $fm); |
105 |
+var_dump(finfo_file($fi, $fd)); |
106 |
+finfo_close($fi); |
107 |
+?> |
108 |
+Done |
109 |
+--CLEAN-- |
110 |
+<?php |
111 |
+@unlink(__DIR__.'/cve-2014-1943.data'); |
112 |
+@unlink(__DIR__.'/cve-2014-1943.magic'); |
113 |
+?> |
114 |
+--EXPECTF-- |
115 |
+string(%d) "%s" |
116 |
+ |
117 |
+Warning: finfo_file(): Failed identify data 0:(null) in %s on line %d |
118 |
+bool(false) |
119 |
+Done |