2660N/AFix for CVE-2014-2270
2660N/APatch:
2660N/Ahttp://git.php.net/?p=php-src.git;a=patch;h=a33759fd27
2660N/ACode:
2660N/Ahttp://git.php.net/?p=php-src.git;a=commitdiff;h=a33759fd27
2660N/AThis patch is for php 5.5 code but works well enough on php 5.3 code.
2660N/AVerified by hand that it patches the correct code.
2660N/ASlightly modified by hand to remove unnecessary parts that fail to patch.
2660N/A
2660N/A
2660N/A
2660N/AFrom a33759fd275b32ed0bbe89796fe2953b3cb0b41f Mon Sep 17 00:00:00 2001
2660N/AFrom: Remi Collet <remi@php.net>
2660N/ADate: Tue, 4 Mar 2014 20:32:52 +0100
2660N/ASubject: [PATCH] Fixed Bug #66820 out-of-bounds memory access in fileinfo
2660N/A
2660N/AUpstream fix:
2660N/Ahttps://github.com/glensc/file/commit/447558595a3650db2886cd2f416ad0beba965801
2660N/A
2660N/ANote: the test was changed, with upstream agreement:
2660N/A-define OFFSET_OOB(n, o, i) ((n) < (o) || (i) >= ((n) - (o)))
2660N/A+define OFFSET_OOB(n, o, i) ((n) < (o) || (i) > ((n) - (o)))
2660N/A---
2660N/A ext/fileinfo/libmagic/softmagic.c | 34 ++++++++++++++++++----------------
2660N/A 1 file changed, 18 insertions(+), 16 deletions(-)
2660N/A
2660N/Adiff --git a/ext/fileinfo/libmagic/softmagic.c b/ext/fileinfo/libmagic/softmagic.c
2660N/Aindex 82a470a..21fea6b 100644
2660N/A--- a/ext/fileinfo/libmagic/softmagic.c
2660N/A+++ b/ext/fileinfo/libmagic/softmagic.c
2660N/A@@ -67,6 +67,8 @@ private void cvt_16(union VALUETYPE *, const struct magic *);
2660N/A private void cvt_32(union VALUETYPE *, const struct magic *);
2660N/A private void cvt_64(union VALUETYPE *, const struct magic *);
2660N/A
2660N/A+#define OFFSET_OOB(n, o, i) ((n) < (o) || (i) > ((n) - (o)))
2660N/A+
2660N/A /*
2660N/A * softmagic - lookup one file in parsed, in-memory copy of database
2660N/A * Passed the name and FILE * of one file to be typed.
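Review bot: The new OFFSET_OOB macro carries no comment explaining why it replaces the `nbytes < (offset + len)` form, and that is the whole point of the fix: the old addition can wrap when `offset` is near the top of its type's range, so the check passes and the read that follows runs past `nbytes`. Suggest above the define: `/* True if reading i bytes at offset o would exceed a buffer of n bytes. Written as n < o || i > n - o rather than o + i > n so the sum cannot wrap; n and o must be unsigned. */`. Worth stating in that comment as well that `(n)` and `(o)` are each expanded twice, so arguments must be side-effect free; every call site in this patch passes plain variables, which is fine. The unsigned-ness of nbytes and offset is inferred from the surrounding softmagic code and should be confirmed at the declarations, which are outside this hunk.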
2660N/A@@ -1171,7 +1173,7 @@ mget(struct magic_set *ms, const unsigned char *s, struct magic *m,
2660N/A }
2660N/A switch (cvt_flip(m->in_type, flip)) {
2660N/A case FILE_BYTE:
2660N/A- if (nbytes < (offset + 1))
2660N/A+ if (OFFSET_OOB(nbytes, offset, 1))
2660N/A return 0;
2660N/A if (off) {
2660N/A switch (m->in_op & FILE_OPS_MASK) {
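Review bot: The width argument at each rewritten check is a bare literal (1 here, 2 and 4 in the later cases) that must stay equal to the width of the read that follows it in the same case; if one of them drifts, the out-of-bounds read this patch closes comes back silently. Tying the check to the width of the value read, e.g. `if (OFFSET_OOB(nbytes, offset, sizeof(uint16_t)))` for the *SHORT cases and `sizeof(uint32_t)` for the *LONG cases, would keep the two in step, assuming those are the types the cvt_16/cvt_32 paths read, which the hunks do not show. The same observation applies to the hunks at -1206, -1258, -1310, -1347, -1418, -1488 and -1558, which are the same mechanical substitution. The body of mget starts and ends outside every one of these hunks, so the read following each check is not visible here.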
2660N/A@@ -1206,7 +1208,7 @@ mget(struct magic_set *ms, const unsigned char *s, struct magic *m,
2660N/A offset = ~offset;
2660N/A break;
2660N/A case FILE_BESHORT:
2660N/A- if (nbytes < (offset + 2))
2660N/A+ if (OFFSET_OOB(nbytes, offset, 2))
2660N/A return 0;
2660N/A if (off) {
2660N/A switch (m->in_op & FILE_OPS_MASK) {
2660N/A@@ -1258,7 +1260,7 @@ mget(struct magic_set *ms, const unsigned char *s, struct magic *m,
2660N/A offset = ~offset;
2660N/A break;
2660N/A case FILE_LESHORT:
2660N/A- if (nbytes < (offset + 2))
2660N/A+ if (OFFSET_OOB(nbytes, offset, 2))
2660N/A return 0;
2660N/A if (off) {
2660N/A switch (m->in_op & FILE_OPS_MASK) {
2660N/A@@ -1310,7 +1312,7 @@ mget(struct magic_set *ms, const unsigned char *s, struct magic *m,
2660N/A offset = ~offset;
2660N/A break;
2660N/A case FILE_SHORT:
2660N/A- if (nbytes < (offset + 2))
2660N/A+ if (OFFSET_OOB(nbytes, offset, 2))
2660N/A return 0;
2660N/A if (off) {
2660N/A switch (m->in_op & FILE_OPS_MASK) {
2660N/A@@ -1347,7 +1349,7 @@ mget(struct magic_set *ms, const unsigned char *s, struct magic *m,
2660N/A break;
2660N/A case FILE_BELONG:
2660N/A case FILE_BEID3:
2660N/A- if (nbytes < (offset + 4))
2660N/A+ if (OFFSET_OOB(nbytes, offset, 4))
2660N/A return 0;
2660N/A if (off) {
2660N/A switch (m->in_op & FILE_OPS_MASK) {
2660N/A@@ -1418,7 +1420,7 @@ mget(struct magic_set *ms, const unsigned char *s, struct magic *m,
2660N/A break;
2660N/A case FILE_LELONG:
2660N/A case FILE_LEID3:
2660N/A- if (nbytes < (offset + 4))
2660N/A+ if (OFFSET_OOB(nbytes, offset, 4))
2660N/A return 0;
2660N/A if (off) {
2660N/A switch (m->in_op & FILE_OPS_MASK) {
2660N/A@@ -1488,7 +1490,7 @@ mget(struct magic_set *ms, const unsigned char *s, struct magic *m,
2660N/A offset = ~offset;
2660N/A break;
2660N/A case FILE_MELONG:
2660N/A- if (nbytes < (offset + 4))
2660N/A+ if (OFFSET_OOB(nbytes, offset, 4))
2660N/A return 0;
2660N/A if (off) {
2660N/A switch (m->in_op & FILE_OPS_MASK) {
2660N/A@@ -1558,7 +1560,7 @@ mget(struct magic_set *ms, const unsigned char *s, struct magic *m,
2660N/A offset = ~offset;
2660N/A break;
2660N/A case FILE_LONG:
2660N/A- if (nbytes < (offset + 4))
2660N/A+ if (OFFSET_OOB(nbytes, offset, 4))
2660N/A return 0;
2660N/A if (off) {
2660N/A switch (m->in_op & FILE_OPS_MASK) {