diff options
| author | Remi Collet <remi@php.net> | 2014-02-18 13:54:33 +0100 |
|---|---|---|
| committer | Stanislav Malyshev <stas@php.net> | 2014-02-18 08:35:27 -0800 |
| commit | fdb9b6e5ec73d37b9734c9f7c50b3946ed85b5e3 (patch) | |
| tree | a3b6c48060939c5abd681421317c5fe002c9ea41 | |
| parent | cbf5581d8268d12f774485d7c26b15eed9013ef2 (diff) | |
| download | php-git-fdb9b6e5ec73d37b9734c9f7c50b3946ed85b5e3.tar.gz | |
Fixed Bug #66731 file: infinite recursion
Upstream commit (available in file-5.17)
https://github.com/glensc/file/commit/3c081560c23f20b2985c285338b52c7aae9fdb0f
https://github.com/glensc/file/commit/cc9e74dfeca5265ad725acc926ef0b8d2a18ee70
| -rw-r--r-- | ext/fileinfo/libmagic/ascmagic.c | 2 | ||||
| -rw-r--r-- | ext/fileinfo/libmagic/file.h | 2 | ||||
| -rw-r--r-- | ext/fileinfo/libmagic/funcs.c | 2 | ||||
| -rw-r--r-- | ext/fileinfo/libmagic/softmagic.c | 8 | ||||
| -rw-r--r-- | ext/fileinfo/tests/cve-2014-1943.phpt | 39 |
5 files changed, 47 insertions, 6 deletions
diff --git a/ext/fileinfo/libmagic/ascmagic.c b/ext/fileinfo/libmagic/ascmagic.c index 209009764e..c0041df3b4 100644 --- a/ext/fileinfo/libmagic/ascmagic.c +++ b/ext/fileinfo/libmagic/ascmagic.c @@ -147,7 +147,7 @@ file_ascmagic_with_encoding(struct magic_set *ms, const unsigned char *buf, == NULL) goto done; if ((rv = file_softmagic(ms, utf8_buf, - (size_t)(utf8_end - utf8_buf), TEXTTEST, text)) == 0) + (size_t)(utf8_end - utf8_buf), 0, TEXTTEST, text)) == 0) rv = -1; } diff --git a/ext/fileinfo/libmagic/file.h b/ext/fileinfo/libmagic/file.h index 19b6872b49..ab5082d753 100644 --- a/ext/fileinfo/libmagic/file.h +++ b/ext/fileinfo/libmagic/file.h @@ -437,7 +437,7 @@ protected int file_encoding(struct magic_set *, const unsigned char *, size_t, unichar **, size_t *, const char **, const char **, const char **); protected int file_is_tar(struct magic_set *, const unsigned char *, size_t); protected int file_softmagic(struct magic_set *, const unsigned char *, size_t, - int, int); + size_t, int, int); protected int file_apprentice(struct magic_set *, const char *, int); protected int file_magicfind(struct magic_set *, const char *, struct mlist *); protected uint64_t file_signextend(struct magic_set *, struct magic *, diff --git a/ext/fileinfo/libmagic/funcs.c b/ext/fileinfo/libmagic/funcs.c index 9c0d2bdb7c..011ca42757 100644 --- a/ext/fileinfo/libmagic/funcs.c +++ b/ext/fileinfo/libmagic/funcs.c @@ -235,7 +235,7 @@ file_buffer(struct magic_set *ms, php_stream *stream, const char *inname, const /* try soft magic tests */ if ((ms->flags & MAGIC_NO_CHECK_SOFT) == 0) - if ((m = file_softmagic(ms, ubuf, nb, BINTEST, + if ((m = file_softmagic(ms, ubuf, nb, 0, BINTEST, looks_text)) != 0) { if ((ms->flags & MAGIC_DEBUG) != 0) (void)fprintf(stderr, "softmagic %d\n", m); diff --git a/ext/fileinfo/libmagic/softmagic.c b/ext/fileinfo/libmagic/softmagic.c index 0671fa99f9..7c5f628066 100644 --- a/ext/fileinfo/libmagic/softmagic.c +++ b/ext/fileinfo/libmagic/softmagic.c @@ -74,13 +74,13 @@ private void cvt_64(union VALUETYPE *, const struct magic *); /*ARGSUSED1*/ /* nbytes passed for regularity, maybe need later */ protected int file_softmagic(struct magic_set *ms, const unsigned char *buf, size_t nbytes, - int mode, int text) + size_t level, int mode, int text) { struct mlist *ml; int rv, printed_something = 0, need_separator = 0; for (ml = ms->mlist[0]->next; ml != ms->mlist[0]; ml = ml->next) if ((rv = match(ms, ml->magic, ml->nmagic, buf, nbytes, 0, mode, - text, 0, 0, &printed_something, &need_separator, + text, 0, level, &printed_something, &need_separator, NULL)) != 0) return rv; @@ -1680,6 +1680,8 @@ mget(struct magic_set *ms, const unsigned char *s, struct magic *m, break; case FILE_INDIRECT: + if (offset == 0) + return 0; if (nbytes < offset) return 0; sbuf = ms->o.buf; @@ -1687,7 +1689,7 @@ mget(struct magic_set *ms, const unsigned char *s, struct magic *m, ms->o.buf = NULL; ms->offset = 0; rv = file_softmagic(ms, s + offset, nbytes - offset, - BINTEST, text); + recursion_level, BINTEST, text); if ((ms->flags & MAGIC_DEBUG) != 0) fprintf(stderr, "indirect @offs=%u[%d]\n", offset, rv); rbuf = ms->o.buf; diff --git a/ext/fileinfo/tests/cve-2014-1943.phpt b/ext/fileinfo/tests/cve-2014-1943.phpt new file mode 100644 index 0000000000..b2e9c17c3f --- /dev/null +++ b/ext/fileinfo/tests/cve-2014-1943.phpt @@ -0,0 +1,39 @@ +--TEST-- +Bug #66731: file: infinite recursion +--SKIPIF-- +<?php +if (!class_exists('finfo')) + die('skip no fileinfo extension'); +--FILE-- +<?php +$fd = __DIR__.'/cve-2014-1943.data'; +$fm = __DIR__.'/cve-2014-1943.magic'; + +$a = "\105\122\000\000\000\000\000"; +$b = str_repeat("\001", 250000); +$m = "0 byte x\n". + ">(1.b) indirect x\n"; + +file_put_contents($fd, $a); +$fi = finfo_open(FILEINFO_NONE); +var_dump(finfo_file($fi, $fd)); +finfo_close($fi); + +file_put_contents($fd, $b); +file_put_contents($fm, $m); +$fi = finfo_open(FILEINFO_NONE, $fm); +var_dump(finfo_file($fi, $fd)); +finfo_close($fi); +?> +Done +--CLEAN-- +<?php +@unlink(__DIR__.'/cve-2014-1943.data'); +@unlink(__DIR__.'/cve-2014-1943.magic'); +?> +--EXPECTF-- +string(%d) "%s" + +Warning: finfo_file(): Failed identify data 0:(null) in %s on line %d +bool(false) +Done |