File: CVE-2014-1943.patch

package info (click to toggle)
php5 5.3.3.1-7%2Bsqueeze29
  • links: PTS, VCS
  • area: main
  • in suites: squeeze-lts
  • size: 123,520 kB
  • ctags: 55,742
  • sloc: ansic: 633,963; php: 19,620; sh: 11,344; xml: 5,816; cpp: 2,400; yacc: 1,745; exp: 1,514; makefile: 1,019; pascal: 623; awk: 537; sql: 22
file content (136 lines) | stat: -rw-r--r-- 4,936 bytes parent folder | download | duplicates (2) 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
 
Upstream-Author: Christos Zoulas <christos@zoulas.com>
Description:
 prevent infinite recursion.
 count indirect recursion as recursion.

Upstream commit IDs:
    3c081560c23f20b2985c285338b52c7aae9fdb0f
    cc9e74dfeca5265ad725acc926ef0b8d2a18ee70

Backport for 5.11: Christoph Biedl <debian.axhn@manchmal.in-ulm.de>

--- php5.orig/ext/fileinfo/libmagic/softmagic.c
+++ php5/ext/fileinfo/libmagic/softmagic.c
@@ -48,9 +48,9 @@ FILE_RCSID("@(#)$File: softmagic.c,v 1.1
 
 
 private int match(struct magic_set *, struct magic *, uint32_t,
-    const unsigned char *, size_t, int);
+    const unsigned char *, size_t, int, int);
 private int mget(struct magic_set *, const unsigned char *,
-    struct magic *, size_t, unsigned int);
+    struct magic *, size_t, unsigned int, int);
 private int magiccheck(struct magic_set *, struct magic *);
 private int32_t mprint(struct magic_set *, struct magic *);
 private int32_t moffset(struct magic_set *, struct magic *);
@@ -71,12 +71,12 @@ private void cvt_64(union VALUETYPE *, c
  */
 /*ARGSUSED1*/		/* nbytes passed for regularity, maybe need later */
 protected int
-file_softmagic(struct magic_set *ms, const unsigned char *buf, size_t nbytes, int mode)
+file_softmagic(struct magic_set *ms, const unsigned char *buf, size_t nbytes, size_t level, int mode)
 {
 	struct mlist *ml;
 	int rv;
 	for (ml = ms->mlist->next; ml != ms->mlist; ml = ml->next)
-		if ((rv = match(ms, ml->magic, ml->nmagic, buf, nbytes, mode)) != 0)
+		if ((rv = match(ms, ml->magic, ml->nmagic, buf, nbytes, mode, level)) != 0)
 			return rv;
 
 	return 0;
@@ -111,7 +111,7 @@ file_softmagic(struct magic_set *ms, con
  */
 private int
 match(struct magic_set *ms, struct magic *magic, uint32_t nmagic,
-    const unsigned char *s, size_t nbytes, int mode)
+    const unsigned char *s, size_t nbytes, int mode, int recursion_level)
 {
 	uint32_t magindex = 0;
 	unsigned int cont_level = 0;
@@ -140,7 +140,7 @@ match(struct magic_set *ms, struct magic
 		ms->line = m->lineno;
 
 		/* if main entry matches, print it... */
-		switch (mget(ms, s, m, nbytes, cont_level)) {
+		switch (mget(ms, s, m, nbytes, cont_level, recursion_level + 1)) {
 		case -1:
 			return -1;
 		case 0:
@@ -222,7 +222,7 @@ match(struct magic_set *ms, struct magic
 					continue;
 			}
 #endif
-			switch (mget(ms, s, m, nbytes, cont_level)) {
+			switch (mget(ms, s, m, nbytes, cont_level, recursion_level + 1)) {
 			case -1:
 				return -1;
 			case 0:
@@ -1001,12 +1001,17 @@ mcopy(struct magic_set *ms, union VALUET
 
 private int
 mget(struct magic_set *ms, const unsigned char *s,
-    struct magic *m, size_t nbytes, unsigned int cont_level)
+    struct magic *m, size_t nbytes, unsigned int cont_level, int recursion_level)
 {
 	uint32_t offset = ms->offset;
 	uint32_t count = m->str_range;
 	union VALUETYPE *p = &ms->ms_value;
 
+	if (recursion_level >= 20) {
+		file_error(ms, 0, "recursion nesting exceeded");
+		return -1;
+	}
+
 	if (mcopy(ms, p, m->type, m->flag & INDIR, s, offset, nbytes, count) == -1)
 		return -1;
 
@@ -1554,13 +1559,15 @@ mget(struct magic_set *ms, const unsigne
 		break;
 
 	case FILE_INDIRECT:
+		if (offset == 0)
+			return 0;
 	  	if ((ms->flags & (MAGIC_MIME|MAGIC_APPLE)) == 0 &&
 		    file_printf(ms, m->desc) == -1)
 			return -1;
 		if (nbytes < offset)
 			return 0;
 		return file_softmagic(ms, s + offset, nbytes - offset,
-		    BINTEST);
+		    recursion_level, BINTEST);
 
 	case FILE_DEFAULT:	/* nothing to check */
 	default:
--- php5.orig/ext/fileinfo/libmagic/ascmagic.c
+++ php5/ext/fileinfo/libmagic/ascmagic.c
@@ -148,7 +148,7 @@ file_ascmagic_with_encoding(struct magic
 
 	if ((utf8_end = encode_utf8(utf8_buf, mlen, ubuf, ulen)) == NULL)
 		goto done;
-	if ((rv = file_softmagic(ms, utf8_buf, (size_t)(utf8_end - utf8_buf),
+	if ((rv = file_softmagic(ms, utf8_buf, (size_t)(utf8_end - utf8_buf), 0,
 	    TEXTTEST)) != 0)
 		goto done;
 	else
--- php5.orig/ext/fileinfo/libmagic/file.h
+++ php5/ext/fileinfo/libmagic/file.h
@@ -370,7 +370,7 @@ protected int file_encoding(struct magic
     unichar **, size_t *, const char **, const char **, const char **);
 protected int file_is_tar(struct magic_set *, const unsigned char *, size_t);
 protected int file_softmagic(struct magic_set *, const unsigned char *, size_t,
-    int);
+    size_t, int);
 protected struct mlist *file_apprentice(struct magic_set *, const char *, int);
 protected uint64_t file_signextend(struct magic_set *, struct magic *,
     uint64_t);
--- php5.orig/ext/fileinfo/libmagic/funcs.c
+++ php5/ext/fileinfo/libmagic/funcs.c
@@ -231,7 +231,7 @@ file_buffer(struct magic_set *ms, php_st
 
 	/* try soft magic tests */
 	if ((ms->flags & MAGIC_NO_CHECK_SOFT) == 0)
-		if ((m = file_softmagic(ms, ubuf, nb, BINTEST)) != 0) {
+		if ((m = file_softmagic(ms, ubuf, nb, 0, BINTEST)) != 0) {
 			if ((ms->flags & MAGIC_DEBUG) != 0)
 				(void)fprintf(stderr, "softmagic %d\n", m);
 #ifdef BUILTIN_ELF