From 89f864c547014646e71862df3664e3ff33d7143d Mon Sep 17 00:00:00 2001
From: Remi Collet <remi@php.net>
Date: Tue, 18 Feb 2014 13:54:33 +0100
Subject: [PATCH] Fixed Bug #66731 file: infinite recursion
Upstream commits (available in file-5.17):
https://github.com/glensc/file/commit/3c081560c23f20b2985c285338b52c7aae9fdb0f
https://github.com/glensc/file/commit/cc9e74dfeca5265ad725acc926ef0b8d2a18ee70
---
ext/fileinfo/libmagic/ascmagic.c | 2 +-
ext/fileinfo/libmagic/file.h | 2 +-
ext/fileinfo/libmagic/funcs.c | 2 +-
ext/fileinfo/libmagic/softmagic.c | 8 ++++---
ext/fileinfo/tests/cve-2014-1943.phpt | 39 +++++++++++++++++++++++++++++++++++
5 files changed, 47 insertions(+), 6 deletions(-)
create mode 100644 ext/fileinfo/tests/cve-2014-1943.phpt
diff --git a/ext/fileinfo/libmagic/ascmagic.c b/ext/fileinfo/libmagic/ascmagic.c
index 2090097..c0041df 100644
--- a/ext/fileinfo/libmagic/ascmagic.c
+++ b/ext/fileinfo/libmagic/ascmagic.c
@@ -147,7 +147,7 @@ file_ascmagic_with_encoding(struct magic_set *ms, const unsigned char *buf,
== NULL)
goto done;
if ((rv = file_softmagic(ms, utf8_buf,
- (size_t)(utf8_end - utf8_buf), TEXTTEST, text)) == 0)
+ (size_t)(utf8_end - utf8_buf), 0, TEXTTEST, text)) == 0)
rv = -1;
}
diff --git a/ext/fileinfo/libmagic/file.h b/ext/fileinfo/libmagic/file.h
index 19b6872..ab5082d 100644
--- a/ext/fileinfo/libmagic/file.h
+++ b/ext/fileinfo/libmagic/file.h
@@ -437,7 +437,7 @@ protected int file_encoding(struct magic_set *, const unsigned char *, size_t,
unichar **, size_t *, const char **, const char **, const char **);
protected int file_is_tar(struct magic_set *, const unsigned char *, size_t);
protected int file_softmagic(struct magic_set *, const unsigned char *, size_t,
- int, int);
+ size_t, int, int);
protected int file_apprentice(struct magic_set *, const char *, int);
protected int file_magicfind(struct magic_set *, const char *, struct mlist *);
protected uint64_t file_signextend(struct magic_set *, struct magic *,
diff --git a/ext/fileinfo/libmagic/funcs.c b/ext/fileinfo/libmagic/funcs.c
index 9c0d2bd..011ca42 100644
--- a/ext/fileinfo/libmagic/funcs.c
+++ b/ext/fileinfo/libmagic/funcs.c
@@ -235,7 +235,7 @@ file_buffer(struct magic_set *ms, php_stream *stream, const char *inname, const
/* try soft magic tests */
if ((ms->flags & MAGIC_NO_CHECK_SOFT) == 0)
- if ((m = file_softmagic(ms, ubuf, nb, BINTEST,
+ if ((m = file_softmagic(ms, ubuf, nb, 0, BINTEST,
looks_text)) != 0) {
if ((ms->flags & MAGIC_DEBUG) != 0)
(void)fprintf(stderr, "softmagic %d\n", m);
diff --git a/ext/fileinfo/libmagic/softmagic.c b/ext/fileinfo/libmagic/softmagic.c
index 0671fa9..7c5f628 100644
--- a/ext/fileinfo/libmagic/softmagic.c
+++ b/ext/fileinfo/libmagic/softmagic.c
@@ -74,13 +74,13 @@ private void cvt_64(union VALUETYPE *, const struct magic *);
/*ARGSUSED1*/ /* nbytes passed for regularity, maybe need later */
protected int
file_softmagic(struct magic_set *ms, const unsigned char *buf, size_t nbytes,
- int mode, int text)
+ size_t level, int mode, int text)
{
struct mlist *ml;
int rv, printed_something = 0, need_separator = 0;
for (ml = ms->mlist[0]->next; ml != ms->mlist[0]; ml = ml->next)
if ((rv = match(ms, ml->magic, ml->nmagic, buf, nbytes, 0, mode,
- text, 0, 0, &printed_something, &need_separator,
+ text, 0, level, &printed_something, &need_separator,
NULL)) != 0)
return rv;
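Review bot: The new `level` parameter of file_softmagic has no description, and the only thing this hunk shows is that it replaces the literal `0` previously passed as match()'s ninth argument. A short comment on the definition would save the next reader a trip into match(): `/* level: recursion depth inherited from the caller (0 for the top-level scan); forwarded to match() as its recursion_level */` — the name recursion_level is taken from the FILE_INDIRECT caller in mget, so confirm match() uses the same meaning. The stale `/*ARGSUSED1*/` note above the function could be extended to mention that `level` is likewise only forwarded. The function body continues past the end of the hunk.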
@@ -1680,6 +1680,8 @@ mget(struct magic_set *ms, const unsigned char *s, struct magic *m,
break;
case FILE_INDIRECT:
+ if (offset == 0)
+ return 0;
if (nbytes < offset)
return 0;
sbuf = ms->o.buf;
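Review bot: The added `if (offset == 0) return 0;` guards only the degenerate case where an indirect entry points back at the start of the same buffer; any indirect with offset > 0 still recurses into file_softmagic, so termination for those cases rests on the recursion_level forwarded in the next hunk being bounded inside match() or mget, which is not visible here. A comment would make that division of responsibility explicit: `/* indirect @0 would re-scan the same buffer with the same magic; depth of non-trivial indirects is bounded via recursion_level */`. Separately, the following `if (nbytes < offset)` lets `nbytes == offset` through and issues a zero-length recursive scan; if an empty buffer can never match, the two checks could collapse to `if (offset == 0 || nbytes <= offset) return 0;`. mget starts and ends outside this hunk.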
@@ -1687,7 +1689,7 @@ mget(struct magic_set *ms, const unsigned char *s, struct magic *m,
ms->o.buf = NULL;
ms->offset = 0;
rv = file_softmagic(ms, s + offset, nbytes - offset,
- BINTEST, text);
+ recursion_level, BINTEST, text);
if ((ms->flags & MAGIC_DEBUG) != 0)
fprintf(stderr, "indirect @offs=%u[%d]\n", offset, rv);
rbuf = ms->o.buf;
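Review bot: The recursive call passes `recursion_level` through unchanged rather than `recursion_level + 1`, so the depth counter only grows if match() increments it before calling mget; that increment is outside this hunk and should be confirmed, because without it the new parameter never reaches any bound and the infinite-recursion fix is a no-op for offsets other than 0. If the increment does live in match(), a one-line comment here would prevent a future reader from "fixing" it twice: `/* depth is incremented by match() on the way into mget; pass it through as-is */`. mget's body continues outside the hunk on both sides.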
diff --git a/ext/fileinfo/tests/cve-2014-1943.phpt b/ext/fileinfo/tests/cve-2014-1943.phpt
new file mode 100644
index 0000000..b2e9c17
--- /dev/null
+++ b/ext/fileinfo/tests/cve-2014-1943.phpt
@@ -0,0 +1,39 @@
+--TEST--
+Bug #66731: file: infinite recursion
+--SKIPIF--
+<?php
+if (!class_exists('finfo'))
+ die('skip no fileinfo extension');
+--FILE--
+<?php
+$fd = __DIR__.'/cve-2014-1943.data';
+$fm = __DIR__.'/cve-2014-1943.magic';
+
+$a = "\105\122\000\000\000\000\000";
+$b = str_repeat("\001", 250000);
+$m = "0 byte x\n".
+ ">(1.b) indirect x\n";
+
+file_put_contents($fd, $a);
+$fi = finfo_open(FILEINFO_NONE);
+var_dump(finfo_file($fi, $fd));
+finfo_close($fi);
+
+file_put_contents($fd, $b);
+file_put_contents($fm, $m);
+$fi = finfo_open(FILEINFO_NONE, $fm);
+var_dump(finfo_file($fi, $fd));
+finfo_close($fi);
+?>
+Done
+--CLEAN--
+<?php
+@unlink(__DIR__.'/cve-2014-1943.data');
+@unlink(__DIR__.'/cve-2014-1943.magic');
+?>
+--EXPECTF--
+string(%d) "%s"
+
+Warning: finfo_file(): Failed identify data 0:(null) in %s on line %d
+bool(false)
+Done
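Review bot: The first expectation `string(%d) "%s"` in --EXPECTF-- matches any non-empty description, so for the `$a` input the test only proves that finfo_file() returns rather than recursing forever; a regression that changes what the bundled magic reports for those bytes would go unnoticed. If the description is stable across platforms, pinning it (or at least its leading word) would make the test stronger; if it is not, a comment saying so next to the `var_dump` would explain the loose pattern. The second case, which exercises the custom `indirect` magic against the 250000-byte buffer, is the one that actually reproduces the report, and its expected warning pins the new behaviour adequately.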
--
1.8.4.3
From bd8cd98d6d70ac50dc1de350970ed9ea479895db Mon Sep 17 00:00:00 2001
From: Remi Collet <remi@php.net>
Date: Tue, 18 Feb 2014 13:57:53 +0100
Subject: [PATCH] Set fileinfo version to 1.0.5 (as in php 5.4, no diff)
---
ext/fileinfo/php_fileinfo.h | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/ext/fileinfo/php_fileinfo.h b/ext/fileinfo/php_fileinfo.h
index d8dec12..354ec7b 100644
--- a/ext/fileinfo/php_fileinfo.h
+++ b/ext/fileinfo/php_fileinfo.h
@@ -24,7 +24,7 @@
extern zend_module_entry fileinfo_module_entry;
#define phpext_fileinfo_ptr &fileinfo_module_entry
-#define PHP_FILEINFO_VERSION "1.0.5-dev"
+#define PHP_FILEINFO_VERSION "1.0.5"
#ifdef PHP_WIN32
#define PHP_FILEINFO_API __declspec(dllexport)
--
1.8.4.3
From 10eb0070700382f966bf260e44135e1f724a15d2 Mon Sep 17 00:00:00 2001
From: Anatol Belski <ab@php.net>
Date: Thu, 20 Feb 2014 18:53:53 +0100
Subject: [PATCH] fixed leak introduced after CVE/upgrade
---
ext/fileinfo/libmagic/softmagic.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/ext/fileinfo/libmagic/softmagic.c b/ext/fileinfo/libmagic/softmagic.c
index 7c5f628..33970e5 100644
--- a/ext/fileinfo/libmagic/softmagic.c
+++ b/ext/fileinfo/libmagic/softmagic.c
@@ -1701,6 +1701,8 @@ mget(struct magic_set *ms, const unsigned char *s, struct magic *m,
return -1;
if (file_printf(ms, "%s", rbuf) == -1)
return -1;
+ }
+ if (rbuf) {
efree(rbuf);
}
return rv;
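Review bot: The two `return -1;` statements in this hunk still leave `rbuf` unfreed: they exit mget before control reaches the new `if (rbuf) efree(rbuf);`, so the leak this commit fixes on the success path remains on the file_printf() failure paths (rbuf is the detached `ms->o.buf` from the earlier indirect hunk). Replacing each `return -1;` with `rv = -1;` lets both paths fall through to the cleanup and return the same value; the first of the two conditions begins on a line outside the hunk, so check that changing it does not alter which printf runs. mget starts outside this hunk.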
--
1.8.4.3