From 89f864c547014646e71862df3664e3ff33d7143d Mon Sep 17 00:00:00 2001

From: Remi Collet <remi@php.net>

Date: Tue, 18 Feb 2014 13:54:33 +0100

Subject: [PATCH] Fixed Bug #66731 file: infinite recursion

Upstream commit (available in file-5.17)

https://github.com/glensc/file/commit/3c081560c23f20b2985c285338b52c7aae9fdb0f

https://github.com/glensc/file/commit/cc9e74dfeca5265ad725acc926ef0b8d2a18ee70

---

 ext/fileinfo/libmagic/ascmagic.c      |  2 +-

 ext/fileinfo/libmagic/file.h          |  2 +-

 ext/fileinfo/libmagic/funcs.c         |  2 +-

 ext/fileinfo/libmagic/softmagic.c     |  8 ++++---

 ext/fileinfo/tests/cve-2014-1943.phpt | 39 +++++++++++++++++++++++++++++++++++

 5 files changed, 47 insertions(+), 6 deletions(-)

 create mode 100644 ext/fileinfo/tests/cve-2014-1943.phpt

diff --git a/ext/fileinfo/libmagic/ascmagic.c b/ext/fileinfo/libmagic/ascmagic.c

index 2090097..c0041df 100644

--- a/ext/fileinfo/libmagic/ascmagic.c

+++ b/ext/fileinfo/libmagic/ascmagic.c

@@ -147,7 +147,7 @@ file_ascmagic_with_encoding(struct magic_set *ms, const unsigned char *buf,

 		    == NULL)

 			goto done;

 		if ((rv = file_softmagic(ms, utf8_buf,

-		    (size_t)(utf8_end - utf8_buf), TEXTTEST, text)) == 0)

+		    (size_t)(utf8_end - utf8_buf), 0, TEXTTEST, text)) == 0)

 			rv = -1;

 	}

diff --git a/ext/fileinfo/libmagic/file.h b/ext/fileinfo/libmagic/file.h

index 19b6872..ab5082d 100644

--- a/ext/fileinfo/libmagic/file.h

+++ b/ext/fileinfo/libmagic/file.h

@@ -437,7 +437,7 @@ protected int file_encoding(struct magic_set *, const unsigned char *, size_t,

     unichar **, size_t *, const char **, const char **, const char **);

 protected int file_is_tar(struct magic_set *, const unsigned char *, size_t);

 protected int file_softmagic(struct magic_set *, const unsigned char *, size_t,

-    int, int);

+    size_t, int, int);

 protected int file_apprentice(struct magic_set *, const char *, int);

 protected int file_magicfind(struct magic_set *, const char *, struct mlist *);

 protected uint64_t file_signextend(struct magic_set *, struct magic *,

diff --git a/ext/fileinfo/libmagic/funcs.c b/ext/fileinfo/libmagic/funcs.c

index 9c0d2bd..011ca42 100644

--- a/ext/fileinfo/libmagic/funcs.c

+++ b/ext/fileinfo/libmagic/funcs.c

@@ -235,7 +235,7 @@ file_buffer(struct magic_set *ms, php_stream *stream, const char *inname, const

 	/* try soft magic tests */

 	if ((ms->flags & MAGIC_NO_CHECK_SOFT) == 0)

-		if ((m = file_softmagic(ms, ubuf, nb, BINTEST,

+		if ((m = file_softmagic(ms, ubuf, nb, 0, BINTEST,

 		    looks_text)) != 0) {

 			if ((ms->flags & MAGIC_DEBUG) != 0)

 				(void)fprintf(stderr, "softmagic %d\n", m);

diff --git a/ext/fileinfo/libmagic/softmagic.c b/ext/fileinfo/libmagic/softmagic.c

index 0671fa9..7c5f628 100644

--- a/ext/fileinfo/libmagic/softmagic.c

+++ b/ext/fileinfo/libmagic/softmagic.c

@@ -74,13 +74,13 @@ private void cvt_64(union VALUETYPE *, const struct magic *);

 /*ARGSUSED1*/		/* nbytes passed for regularity, maybe need later */

 protected int

 file_softmagic(struct magic_set *ms, const unsigned char *buf, size_t nbytes,

-    int mode, int text)

+    size_t level, int mode, int text)

 {

 	struct mlist *ml;

 	int rv, printed_something = 0, need_separator = 0;

 	for (ml = ms->mlist[0]->next; ml != ms->mlist[0]; ml = ml->next)

 		if ((rv = match(ms, ml->magic, ml->nmagic, buf, nbytes, 0, mode,

-		    text, 0, 0, &printed_something, &need_separator,

+		    text, 0, level, &printed_something, &need_separator,

 		    NULL)) != 0)

 			return rv;

@@ -1680,6 +1680,8 @@ mget(struct magic_set *ms, const unsigned char *s, struct magic *m,

 		break;

 	case FILE_INDIRECT:

+		if (offset == 0)

+			return 0;

 		if (nbytes < offset)

 			return 0;

 		sbuf = ms->o.buf;

@@ -1687,7 +1689,7 @@ mget(struct magic_set *ms, const unsigned char *s, struct magic *m,

 		ms->o.buf = NULL;

 		ms->offset = 0;

 		rv = file_softmagic(ms, s + offset, nbytes - offset,

-		    BINTEST, text);

+		    recursion_level, BINTEST, text);

 		if ((ms->flags & MAGIC_DEBUG) != 0)

 			fprintf(stderr, "indirect @offs=%u[%d]\n", offset, rv);

 		rbuf = ms->o.buf;

diff --git a/ext/fileinfo/tests/cve-2014-1943.phpt b/ext/fileinfo/tests/cve-2014-1943.phpt

new file mode 100644

index 0000000..b2e9c17

--- /dev/null

+++ b/ext/fileinfo/tests/cve-2014-1943.phpt

@@ -0,0 +1,39 @@

+--TEST--

+Bug #66731: file: infinite recursion

+--SKIPIF--

+

+if (!class_exists('finfo'))

+	die('skip no fileinfo extension');

+--FILE--

+

+$fd = __DIR__.'/cve-2014-1943.data';

+$fm = __DIR__.'/cve-2014-1943.magic';

+

+$a = "\105\122\000\000\000\000\000";

+$b = str_repeat("\001", 250000);

+$m =  "0           byte        x\n".

+      ">(1.b)      indirect    x\n";

+

+file_put_contents($fd, $a);

+$fi = finfo_open(FILEINFO_NONE);

+var_dump(finfo_file($fi, $fd));

+finfo_close($fi);

+

+file_put_contents($fd, $b);

+file_put_contents($fm, $m);

+$fi = finfo_open(FILEINFO_NONE, $fm);

+var_dump(finfo_file($fi, $fd));

+finfo_close($fi);

+?>

+Done

+--CLEAN--

+

+@unlink(__DIR__.'/cve-2014-1943.data');

+@unlink(__DIR__.'/cve-2014-1943.magic');

+?>

+--EXPECTF--

+string(%d) "%s"

+

+Warning: finfo_file(): Failed identify data 0:(null) in %s on line %d

+bool(false)

+Done

-- 

1.8.4.3

From 10eb0070700382f966bf260e44135e1f724a15d2 Mon Sep 17 00:00:00 2001

From: Anatol Belski <ab@php.net>

Date: Thu, 20 Feb 2014 18:53:53 +0100

Subject: [PATCH] fixed leak introduced after CVE/upgrade

---

 ext/fileinfo/libmagic/softmagic.c | 2 ++

 1 file changed, 2 insertions(+)

diff --git a/ext/fileinfo/libmagic/softmagic.c b/ext/fileinfo/libmagic/softmagic.c

index 7c5f628..33970e5 100644

--- a/ext/fileinfo/libmagic/softmagic.c

+++ b/ext/fileinfo/libmagic/softmagic.c

@@ -1701,6 +1701,8 @@ mget(struct magic_set *ms, const unsigned char *s, struct magic *m,

 			return -1;

 			if (file_printf(ms, "%s", rbuf) == -1)

 				return -1;

+		}

+		if (rbuf) {

 			efree(rbuf);

 		}

 		return rv;

-- 

1.8.4.3

From 731013ee8e9cf405101d4fd584214fadb1c1d390 Mon Sep 17 00:00:00 2001

From: Remi Collet <remi@php.net>

Date: Tue, 4 Mar 2014 13:41:37 +0100

Subject: [PATCH] Improves fix for memory leak, keep in sync with upstream.

Previous fix:

http://git.php.net/?p=php-src.git;a=commitdiff;h=10eb0070700382f966bf260e44135e1f724a15d2

Upstream fix:

https://github.com/glensc/file/commit/c0c0032b9e9eb57b91fefef905a3b018bab492d9

---

 ext/fileinfo/libmagic/softmagic.c | 16 ++++++++++++----

 1 file changed, 12 insertions(+), 4 deletions(-)

diff --git a/ext/fileinfo/libmagic/softmagic.c b/ext/fileinfo/libmagic/softmagic.c

index 33970e5..82a470a 100644

--- a/ext/fileinfo/libmagic/softmagic.c

+++ b/ext/fileinfo/libmagic/softmagic.c

@@ -1696,11 +1696,19 @@ mget(struct magic_set *ms, const unsigned char *s, struct magic *m,

 		ms->o.buf = sbuf;

 		ms->offset = soffset;

 		if (rv == 1) {

-	  	if ((ms->flags & (MAGIC_MIME|MAGIC_APPLE)) == 0 &&

-			    file_printf(ms, m->desc, offset) == -1)

-			return -1;

-			if (file_printf(ms, "%s", rbuf) == -1)

+			if ((ms->flags & (MAGIC_MIME|MAGIC_APPLE)) == 0 &&

+			    file_printf(ms, m->desc, offset) == -1) {

+				if (rbuf) {

+					efree(rbuf);

+				}

+				return -1;

+			}

+			if (file_printf(ms, "%s", rbuf) == -1) {

+				if (rbuf) {

+					efree(rbuf);

+				}

 				return -1;

+			}

 		}

 		if (rbuf) {

 			efree(rbuf);

-- 

1.8.4.3