php.net | support | documentation | report a bug | advanced search | search howto | statistics | random bug | login | |
Patch cve-2014-1943.patch for Filesystem function related Bug #66731Patch version 2014-02-18 08:34 UTC Return to Bug #66731 | Download this patchThis patch is obsolete Obsoleted by patches: Patch Revisions:Developer: remidiff -up ext/fileinfo/libmagic/ascmagic.c.old ext/fileinfo/libmagic/ascmagic.c --- ext/fileinfo/libmagic/ascmagic.c.old 2014-02-18 09:21:04.740701234 +0100 +++ ext/fileinfo/libmagic/ascmagic.c 2014-02-18 09:21:20.103753917 +0100 @@ -147,7 +147,7 @@ file_ascmagic_with_encoding(struct magic == NULL) goto done; if ((rv = file_softmagic(ms, utf8_buf, - (size_t)(utf8_end - utf8_buf), TEXTTEST, text)) == 0) + (size_t)(utf8_end - utf8_buf), 0, TEXTTEST, text)) == 0) rv = -1; } diff -up ext/fileinfo/libmagic/file.h.old ext/fileinfo/libmagic/file.h --- ext/fileinfo/libmagic/file.h.old 2014-02-18 09:21:35.678807330 +0100 +++ ext/fileinfo/libmagic/file.h 2014-02-18 09:21:52.100863647 +0100 @@ -437,7 +437,7 @@ protected int file_encoding(struct magic unichar **, size_t *, const char **, const char **, const char **); protected int file_is_tar(struct magic_set *, const unsigned char *, size_t); protected int file_softmagic(struct magic_set *, const unsigned char *, size_t, - int, int); + size_t, int, int); protected int file_apprentice(struct magic_set *, const char *, int); protected int file_magicfind(struct magic_set *, const char *, struct mlist *); protected uint64_t file_signextend(struct magic_set *, struct magic *, diff -up ext/fileinfo/libmagic/funcs.c.old ext/fileinfo/libmagic/funcs.c --- ext/fileinfo/libmagic/funcs.c.old 2014-02-18 09:22:06.672913621 +0100 +++ ext/fileinfo/libmagic/funcs.c 2014-02-18 09:22:16.717948072 +0100 @@ -235,7 +235,7 @@ file_buffer(struct magic_set *ms, php_st /* try soft magic tests */ if ((ms->flags & MAGIC_NO_CHECK_SOFT) == 0) - if ((m = file_softmagic(ms, ubuf, nb, BINTEST, + if ((m = file_softmagic(ms, ubuf, nb, 0, BINTEST, looks_text)) != 0) { if ((ms->flags & MAGIC_DEBUG) != 0) (void)fprintf(stderr, "softmagic %d\n", m); diff -up ext/fileinfo/libmagic/softmagic.c.old ext/fileinfo/libmagic/softmagic.c --- ext/fileinfo/libmagic/softmagic.c.old 2014-02-18 08:38:32.971966346 +0100 +++ ext/fileinfo/libmagic/softmagic.c 2014-02-18 09:23:48.771255870 +0100 @@ -74,13 +74,13 @@ private void cvt_64(union VALUETYPE *, c /*ARGSUSED1*/ /* nbytes passed for regularity, maybe need later */ protected int file_softmagic(struct magic_set *ms, const unsigned char *buf, size_t nbytes, - int mode, int text) + size_t level, int mode, int text) { struct mlist *ml; int rv, printed_something = 0, need_separator = 0; for (ml = ms->mlist[0]->next; ml != ms->mlist[0]; ml = ml->next) if ((rv = match(ms, ml->magic, ml->nmagic, buf, nbytes, 0, mode, - text, 0, 0, &printed_something, &need_separator, + text, 0, level, &printed_something, &need_separator, NULL)) != 0) return rv; @@ -1680,6 +1680,8 @@ mget(struct magic_set *ms, const unsigne break; case FILE_INDIRECT: + if (offset == 0) + return 0; if (nbytes < offset) return 0; sbuf = ms->o.buf; @@ -1687,7 +1689,7 @@ mget(struct magic_set *ms, const unsigne ms->o.buf = NULL; ms->offset = 0; rv = file_softmagic(ms, s + offset, nbytes - offset, - BINTEST, text); + recursion_level, BINTEST, text); if ((ms->flags & MAGIC_DEBUG) != 0) fprintf(stderr, "indirect @offs=%u[%d]\n", offset, rv); rbuf = ms->o.buf; diff -up ext/fileinfo/tests/cve-2014-1943.phpt.old ext/fileinfo/tests/cve-2014-1943.phpt --- ext/fileinfo/tests/cve-2014-1943.phpt.old 2014-02-18 09:28:53.874268355 +0100 +++ ext/fileinfo/tests/cve-2014-1943.phpt 2014-02-18 09:30:12.459529972 +0100 @@ -0,0 +1,39 @@ +--TEST-- +Bug #61173: Unable to detect error from finfo constructor +--SKIPIF-- +<?php +if (!class_exists('finfo')) + die('skip no fileinfo extension'); +--FILE-- +<?php +$fd = __DIR__.'/cve-2014-1943.data'; +$fm = __DIR__.'/cve-2014-1943.magic'; + +$a = "\105\122\000\000\000\000\000"; +$b = str_repeat("\001", 25000); +$m = "0 byte x\n". + ">(1.b) indirect x\n"; + +file_put_contents($fd, $a); +$fi = finfo_open(FILEINFO_NONE); +var_dump(finfo_file($fi, $fd)); +finfo_close($fi); + +file_put_contents($fd, $b); +file_put_contents($fm, $m); +$fi = finfo_open(FILEINFO_NONE, $fm); +var_dump(finfo_file($fi, $fd)); +finfo_close($fi); +?> +Done +--CLEAN-- +<?php +@unlink(__DIR__.'/cve-2014-1943.data'); +@unlink(__DIR__.'/cve-2014-1943.magic'); +?> +--EXPECTF-- +string(%d) "%s" + +Warning: finfo_file(): Failed identify data 0:(null) in %s on line %d +bool(false) +Done |
Copyright © 2001-2024 The PHP Group All rights reserved. |
Last updated: Thu Nov 21 20:01:29 2024 UTC |