From a33759fd275b32ed0bbe89796fe2953b3cb0b41f Mon Sep 17 00:00:00 2001

From: Remi Collet <remi@php.net>

Date: Tue, 4 Mar 2014 20:32:52 +0100

Subject: [PATCH] Fixed Bug #66820 out-of-bounds memory access in fileinfo

Upstream fix:

https://github.com/glensc/file/commit/447558595a3650db2886cd2f416ad0beba965801

Notice, test changed, with upstream agreement:

-define OFFSET_OOB(n, o, i)	((n) < (o) || (i) >= ((n) - (o)))

+define OFFSET_OOB(n, o, i)	((n) < (o) || (i) >  ((n) - (o)))

---

 ext/fileinfo/libmagic/softmagic.c | 34 ++++++++++++++++++----------------

 1 file changed, 18 insertions(+), 16 deletions(-)

diff --git a/ext/fileinfo/libmagic/softmagic.c b/ext/fileinfo/libmagic/softmagic.c

index 82a470a..21fea6b 100644

--- a/ext/fileinfo/libmagic/softmagic.c

+++ b/ext/fileinfo/libmagic/softmagic.c

@@ -67,6 +67,8 @@ private void cvt_16(union VALUETYPE *, const struct magic *);

 private void cvt_32(union VALUETYPE *, const struct magic *);

 private void cvt_64(union VALUETYPE *, const struct magic *);

+#define OFFSET_OOB(n, o, i)	((n) < (o) || (i) > ((n) - (o)))

+

 /*

  * softmagic - lookup one file in parsed, in-memory copy of database

  * Passed the name and FILE * of one file to be typed.

@@ -1171,7 +1173,7 @@ mget(struct magic_set *ms, const unsigned char *s, struct magic *m,

 		}

 		switch (cvt_flip(m->in_type, flip)) {

 		case FILE_BYTE:

-			if (nbytes < (offset + 1))

+			if (OFFSET_OOB(nbytes, offset, 1))

 				return 0;

 			if (off) {

 				switch (m->in_op & FILE_OPS_MASK) {

@@ -1206,7 +1208,7 @@ mget(struct magic_set *ms, const unsigned char *s, struct magic *m,

 				offset = ~offset;

 			break;

 		case FILE_BESHORT:

-			if (nbytes < (offset + 2))

+			if (OFFSET_OOB(nbytes, offset, 2))

 				return 0;

 			if (off) {

 				switch (m->in_op & FILE_OPS_MASK) {

@@ -1258,7 +1260,7 @@ mget(struct magic_set *ms, const unsigned char *s, struct magic *m,

 				offset = ~offset;

 			break;

 		case FILE_LESHORT:

-			if (nbytes < (offset + 2))

+			if (OFFSET_OOB(nbytes, offset, 2))

 				return 0;

 			if (off) {

 				switch (m->in_op & FILE_OPS_MASK) {

@@ -1310,7 +1312,7 @@ mget(struct magic_set *ms, const unsigned char *s, struct magic *m,

 				offset = ~offset;

 			break;

 		case FILE_SHORT:

-			if (nbytes < (offset + 2))

+			if (OFFSET_OOB(nbytes, offset, 2))

 				return 0;

 			if (off) {

 				switch (m->in_op & FILE_OPS_MASK) {

@@ -1347,7 +1349,7 @@ mget(struct magic_set *ms, const unsigned char *s, struct magic *m,

 			break;

 		case FILE_BELONG:

 		case FILE_BEID3:

-			if (nbytes < (offset + 4))

+			if (OFFSET_OOB(nbytes, offset, 4))

 				return 0;

 			if (off) {

 				switch (m->in_op & FILE_OPS_MASK) {

@@ -1418,7 +1420,7 @@ mget(struct magic_set *ms, const unsigned char *s, struct magic *m,

 			break;

 		case FILE_LELONG:

 		case FILE_LEID3:

-			if (nbytes < (offset + 4))

+			if (OFFSET_OOB(nbytes, offset, 4))

 				return 0;

 			if (off) {

 				switch (m->in_op & FILE_OPS_MASK) {

@@ -1488,7 +1490,7 @@ mget(struct magic_set *ms, const unsigned char *s, struct magic *m,

 				offset = ~offset;

 			break;

 		case FILE_MELONG:

-			if (nbytes < (offset + 4))

+			if (OFFSET_OOB(nbytes, offset, 4))

 				return 0;

 			if (off) {

 				switch (m->in_op & FILE_OPS_MASK) {

@@ -1558,7 +1560,7 @@ mget(struct magic_set *ms, const unsigned char *s, struct magic *m,

 				offset = ~offset;

 			break;

 		case FILE_LONG:

-			if (nbytes < (offset + 4))

+			if (OFFSET_OOB(nbytes, offset, 4))

 				return 0;

 			if (off) {

 				switch (m->in_op & FILE_OPS_MASK) {

@@ -1630,14 +1632,14 @@ mget(struct magic_set *ms, const unsigned char *s, struct magic *m,

 	/* Verify we have enough data to match magic type */

 	switch (m->type) {

 	case FILE_BYTE:

-		if (nbytes < (offset + 1)) /* should alway be true */

+		if (OFFSET_OOB(nbytes, offset, 1))

 			return 0;

 		break;

 	case FILE_SHORT:

 	case FILE_BESHORT:

 	case FILE_LESHORT:

-		if (nbytes < (offset + 2))

+		if (OFFSET_OOB(nbytes, offset, 2))

 			return 0;

 		break;

@@ -1656,33 +1658,33 @@ mget(struct magic_set *ms, const unsigned char *s, struct magic *m,

 	case FILE_FLOAT:

 	case FILE_BEFLOAT:

 	case FILE_LEFLOAT:

-		if (nbytes < (offset + 4))

+		if (OFFSET_OOB(nbytes, offset, 4))

 			return 0;

 		break;

 	case FILE_DOUBLE:

 	case FILE_BEDOUBLE:

 	case FILE_LEDOUBLE:

-		if (nbytes < (offset + 8))

+		if (OFFSET_OOB(nbytes, offset, 8))

 			return 0;

 		break;

 	case FILE_STRING:

 	case FILE_PSTRING:

 	case FILE_SEARCH:

-		if (nbytes < (offset + m->vallen))

+		if (OFFSET_OOB(nbytes, offset, m->vallen))

 			return 0;

 		break;

 	case FILE_REGEX:

-		if (nbytes < offset)

+		if (OFFSET_OOB(nbytes, offset, 0))

 			return 0;

 		break;

 	case FILE_INDIRECT:

 		if (offset == 0)

 			return 0;

-		if (nbytes < offset)

+		if (OFFSET_OOB(nbytes, offset, 0))

 			return 0;

 		sbuf = ms->o.buf;

 		soffset = ms->offset;

@@ -1716,7 +1718,7 @@ mget(struct magic_set *ms, const unsigned char *s, struct magic *m,

 		return rv;

 	case FILE_USE:

-		if (nbytes < offset)

+		if (OFFSET_OOB(nbytes, offset, 0))

 			return 0;

 		sbuf = m->value.s;

 		if (*sbuf == '^') {

-- 

1.8.4.3