php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Return to Bug #66731
Patch cve-2014-1943.patch revision 2014-02-18 12:47 UTC by remi@php.net
revision 2014-02-18 08:34 UTC by remi

Patch cve-2014-1943.patch for Filesystem function related Bug #66731

Patch version 2014-02-18 12:47 UTC

Return to Bug #66731 | Download this patch
This patch renders other patches obsolete

Obsolete patches:

Patch Revisions:

Developer: remi@php.net

diff -up ext/fileinfo/libmagic/ascmagic.c.old ext/fileinfo/libmagic/ascmagic.c
--- ext/fileinfo/libmagic/ascmagic.c.old	2014-02-18 09:21:04.740701234 +0100
+++ ext/fileinfo/libmagic/ascmagic.c	2014-02-18 09:21:20.103753917 +0100
@@ -147,7 +147,7 @@ file_ascmagic_with_encoding(struct magic
 		    == NULL)
 			goto done;
 		if ((rv = file_softmagic(ms, utf8_buf,
-		    (size_t)(utf8_end - utf8_buf), TEXTTEST, text)) == 0)
+		    (size_t)(utf8_end - utf8_buf), 0, TEXTTEST, text)) == 0)
 			rv = -1;
 	}
 
diff -up ext/fileinfo/libmagic/file.h.old ext/fileinfo/libmagic/file.h
--- ext/fileinfo/libmagic/file.h.old	2014-02-18 09:21:35.678807330 +0100
+++ ext/fileinfo/libmagic/file.h	2014-02-18 09:21:52.100863647 +0100
@@ -437,7 +437,7 @@ protected int file_encoding(struct magic
     unichar **, size_t *, const char **, const char **, const char **);
 protected int file_is_tar(struct magic_set *, const unsigned char *, size_t);
 protected int file_softmagic(struct magic_set *, const unsigned char *, size_t,
-    int, int);
+    size_t, int, int);
 protected int file_apprentice(struct magic_set *, const char *, int);
 protected int file_magicfind(struct magic_set *, const char *, struct mlist *);
 protected uint64_t file_signextend(struct magic_set *, struct magic *,
diff -up ext/fileinfo/libmagic/funcs.c.old ext/fileinfo/libmagic/funcs.c
--- ext/fileinfo/libmagic/funcs.c.old	2014-02-18 09:22:06.672913621 +0100
+++ ext/fileinfo/libmagic/funcs.c	2014-02-18 09:22:16.717948072 +0100
@@ -235,7 +235,7 @@ file_buffer(struct magic_set *ms, php_st
 
 	/* try soft magic tests */
 	if ((ms->flags & MAGIC_NO_CHECK_SOFT) == 0)
-		if ((m = file_softmagic(ms, ubuf, nb, BINTEST,
+		if ((m = file_softmagic(ms, ubuf, nb, 0, BINTEST,
 		    looks_text)) != 0) {
 			if ((ms->flags & MAGIC_DEBUG) != 0)
 				(void)fprintf(stderr, "softmagic %d\n", m);
diff -up ext/fileinfo/libmagic/softmagic.c.old ext/fileinfo/libmagic/softmagic.c
--- ext/fileinfo/libmagic/softmagic.c.old	2014-02-18 08:38:32.971966346 +0100
+++ ext/fileinfo/libmagic/softmagic.c	2014-02-18 09:23:48.771255870 +0100
@@ -74,13 +74,13 @@ private void cvt_64(union VALUETYPE *, c
 /*ARGSUSED1*/		/* nbytes passed for regularity, maybe need later */
 protected int
 file_softmagic(struct magic_set *ms, const unsigned char *buf, size_t nbytes,
-    int mode, int text)
+    size_t level, int mode, int text)
 {
 	struct mlist *ml;
 	int rv, printed_something = 0, need_separator = 0;
 	for (ml = ms->mlist[0]->next; ml != ms->mlist[0]; ml = ml->next)
 		if ((rv = match(ms, ml->magic, ml->nmagic, buf, nbytes, 0, mode,
-		    text, 0, 0, &printed_something, &need_separator,
+		    text, 0, level, &printed_something, &need_separator,
 		    NULL)) != 0)
 			return rv;
 
@@ -1680,6 +1680,8 @@ mget(struct magic_set *ms, const unsigne
 		break;
 
 	case FILE_INDIRECT:
+		if (offset == 0)
+			return 0;
 		if (nbytes < offset)
 			return 0;
 		sbuf = ms->o.buf;
@@ -1687,7 +1689,7 @@ mget(struct magic_set *ms, const unsigne
 		ms->o.buf = NULL;
 		ms->offset = 0;
 		rv = file_softmagic(ms, s + offset, nbytes - offset,
-		    BINTEST, text);
+		    recursion_level, BINTEST, text);
 		if ((ms->flags & MAGIC_DEBUG) != 0)
 			fprintf(stderr, "indirect @offs=%u[%d]\n", offset, rv);
 		rbuf = ms->o.buf;
diff -up ext/fileinfo/tests/cve-2014-1943.phpt.old ext/fileinfo/tests/cve-2014-1943.phpt
--- ext/fileinfo/tests/cve-2014-1943.phpt.old	2014-02-18 09:28:53.874268355 +0100
+++ ext/fileinfo/tests/cve-2014-1943.phpt	2014-02-18 09:30:12.459529972 +0100
@@ -0,0 +1,39 @@
+--TEST--
+Bug #66731: file: infinite recursion
+--SKIPIF--
+<?php
+if (!class_exists('finfo'))
+	die('skip no fileinfo extension');
+--FILE--
+<?php
+$fd = __DIR__.'/cve-2014-1943.data';
+$fm = __DIR__.'/cve-2014-1943.magic';
+
+$a = "\105\122\000\000\000\000\000";
+$b = str_repeat("\001", 250000);
+$m =  "0           byte        x\n".
+      ">(1.b)      indirect    x\n";
+
+file_put_contents($fd, $a);
+$fi = finfo_open(FILEINFO_NONE);
+var_dump(finfo_file($fi, $fd));
+finfo_close($fi);
+
+file_put_contents($fd, $b);
+file_put_contents($fm, $m);
+$fi = finfo_open(FILEINFO_NONE, $fm);
+var_dump(finfo_file($fi, $fd));
+finfo_close($fi);
+?>
+Done
+--CLEAN--
+<?php
+@unlink(__DIR__.'/cve-2014-1943.data');
+@unlink(__DIR__.'/cve-2014-1943.magic');
+?>
+--EXPECTF--
+string(%d) "%s"
+
+Warning: finfo_file(): Failed identify data 0:(null) in %s on line %d
+bool(false)
+Done
 
PHP Copyright © 2001-2015 The PHP Group
All rights reserved.
Last updated: Mon Apr 27 15:02:29 2015 UTC