From 45396e0b548b5684022506133d06a721cd9cd6de Mon Sep 17 00:00:00 2001 From: Remi Collet Date: Tue, 2 Sep 2014 18:24:41 +0200 Subject: php55-php: import from rhscl 1.1 --- php-5.5.6-CVE-2014-2270.patch | 168 ++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 168 insertions(+) create mode 100644 php-5.5.6-CVE-2014-2270.patch (limited to 'php-5.5.6-CVE-2014-2270.patch') diff --git a/php-5.5.6-CVE-2014-2270.patch b/php-5.5.6-CVE-2014-2270.patch new file mode 100644 index 0000000..52d9994 --- /dev/null +++ b/php-5.5.6-CVE-2014-2270.patch @@ -0,0 +1,168 @@ +From a33759fd275b32ed0bbe89796fe2953b3cb0b41f Mon Sep 17 00:00:00 2001 +From: Remi Collet +Date: Tue, 4 Mar 2014 20:32:52 +0100 +Subject: [PATCH] Fixed Bug #66820 out-of-bounds memory access in fileinfo + +Upstream fix: +https://github.com/glensc/file/commit/447558595a3650db2886cd2f416ad0beba965801 + +Notice, test changed, with upstream agreement: +-define OFFSET_OOB(n, o, i) ((n) < (o) || (i) >= ((n) - (o))) ++define OFFSET_OOB(n, o, i) ((n) < (o) || (i) > ((n) - (o))) +--- + ext/fileinfo/libmagic/softmagic.c | 34 ++++++++++++++++++---------------- + 1 file changed, 18 insertions(+), 16 deletions(-) + +diff --git a/ext/fileinfo/libmagic/softmagic.c b/ext/fileinfo/libmagic/softmagic.c +index 82a470a..21fea6b 100644 +--- a/ext/fileinfo/libmagic/softmagic.c ++++ b/ext/fileinfo/libmagic/softmagic.c +@@ -67,6 +67,8 @@ private void cvt_16(union VALUETYPE *, const struct magic *); + private void cvt_32(union VALUETYPE *, const struct magic *); + private void cvt_64(union VALUETYPE *, const struct magic *); + ++#define OFFSET_OOB(n, o, i) ((n) < (o) || (i) > ((n) - (o))) ++ + /* + * softmagic - lookup one file in parsed, in-memory copy of database + * Passed the name and FILE * of one file to be typed. +@@ -1171,7 +1173,7 @@ mget(struct magic_set *ms, const unsigned char *s, struct magic *m, + } + switch (cvt_flip(m->in_type, flip)) { + case FILE_BYTE: +- if (nbytes < (offset + 1)) ++ if (OFFSET_OOB(nbytes, offset, 1)) + return 0; + if (off) { + switch (m->in_op & FILE_OPS_MASK) { +@@ -1206,7 +1208,7 @@ mget(struct magic_set *ms, const unsigned char *s, struct magic *m, + offset = ~offset; + break; + case FILE_BESHORT: +- if (nbytes < (offset + 2)) ++ if (OFFSET_OOB(nbytes, offset, 2)) + return 0; + if (off) { + switch (m->in_op & FILE_OPS_MASK) { +@@ -1258,7 +1260,7 @@ mget(struct magic_set *ms, const unsigned char *s, struct magic *m, + offset = ~offset; + break; + case FILE_LESHORT: +- if (nbytes < (offset + 2)) ++ if (OFFSET_OOB(nbytes, offset, 2)) + return 0; + if (off) { + switch (m->in_op & FILE_OPS_MASK) { +@@ -1310,7 +1312,7 @@ mget(struct magic_set *ms, const unsigned char *s, struct magic *m, + offset = ~offset; + break; + case FILE_SHORT: +- if (nbytes < (offset + 2)) ++ if (OFFSET_OOB(nbytes, offset, 2)) + return 0; + if (off) { + switch (m->in_op & FILE_OPS_MASK) { +@@ -1347,7 +1349,7 @@ mget(struct magic_set *ms, const unsigned char *s, struct magic *m, + break; + case FILE_BELONG: + case FILE_BEID3: +- if (nbytes < (offset + 4)) ++ if (OFFSET_OOB(nbytes, offset, 4)) + return 0; + if (off) { + switch (m->in_op & FILE_OPS_MASK) { +@@ -1418,7 +1420,7 @@ mget(struct magic_set *ms, const unsigned char *s, struct magic *m, + break; + case FILE_LELONG: + case FILE_LEID3: +- if (nbytes < (offset + 4)) ++ if (OFFSET_OOB(nbytes, offset, 4)) + return 0; + if (off) { + switch (m->in_op & FILE_OPS_MASK) { +@@ -1488,7 +1490,7 @@ mget(struct magic_set *ms, const unsigned char *s, struct magic *m, + offset = ~offset; + break; + case FILE_MELONG: +- if (nbytes < (offset + 4)) ++ if (OFFSET_OOB(nbytes, offset, 4)) + return 0; + if (off) { + switch (m->in_op & FILE_OPS_MASK) { +@@ -1558,7 +1560,7 @@ mget(struct magic_set *ms, const unsigned char *s, struct magic *m, + offset = ~offset; + break; + case FILE_LONG: +- if (nbytes < (offset + 4)) ++ if (OFFSET_OOB(nbytes, offset, 4)) + return 0; + if (off) { + switch (m->in_op & FILE_OPS_MASK) { +@@ -1630,14 +1632,14 @@ mget(struct magic_set *ms, const unsigned char *s, struct magic *m, + /* Verify we have enough data to match magic type */ + switch (m->type) { + case FILE_BYTE: +- if (nbytes < (offset + 1)) /* should always be true */ ++ if (OFFSET_OOB(nbytes, offset, 1)) + return 0; + break; + + case FILE_SHORT: + case FILE_BESHORT: + case FILE_LESHORT: +- if (nbytes < (offset + 2)) ++ if (OFFSET_OOB(nbytes, offset, 2)) + return 0; + break; + +@@ -1656,33 +1658,33 @@ mget(struct magic_set *ms, const unsigned char *s, struct magic *m, + case FILE_FLOAT: + case FILE_BEFLOAT: + case FILE_LEFLOAT: +- if (nbytes < (offset + 4)) ++ if (OFFSET_OOB(nbytes, offset, 4)) + return 0; + break; + + case FILE_DOUBLE: + case FILE_BEDOUBLE: + case FILE_LEDOUBLE: +- if (nbytes < (offset + 8)) ++ if (OFFSET_OOB(nbytes, offset, 8)) + return 0; + break; + + case FILE_STRING: + case FILE_PSTRING: + case FILE_SEARCH: +- if (nbytes < (offset + m->vallen)) ++ if (OFFSET_OOB(nbytes, offset, m->vallen)) + return 0; + break; + + case FILE_REGEX: +- if (nbytes < offset) ++ if (OFFSET_OOB(nbytes, offset, 0)) + return 0; + break; + + case FILE_INDIRECT: + if (offset == 0) + return 0; +- if (nbytes < offset) ++ if (OFFSET_OOB(nbytes, offset, 0)) + return 0; + sbuf = ms->o.buf; + soffset = ms->offset; +@@ -1716,7 +1718,7 @@ mget(struct magic_set *ms, const unsigned char *s, struct magic *m, + return rv; + + case FILE_USE: +- if (nbytes < offset) ++ if (OFFSET_OOB(nbytes, offset, 0)) + return 0; + sbuf = m->value.s; + if (*sbuf == '^') { +-- +1.9.2 + -- cgit