php/sme8/php-5.3.3-CVE-2014-1943.patch

diff --git a/src/ascmagic.c b/src/ascmagic.c
index 9236fb4..5a531ae 100644
--- a/ext/fileinfo/libmagic/ascmagic.c
+++ b/ext/fileinfo/libmagic/ascmagic.c
@@ -151,7 +151,7 @@ file_ascmagic_with_encoding(struct magic_set *ms, const unsigned char *buf,
        if ((utf8_end = encode_utf8(utf8_buf, mlen, ubuf, ulen)) == NULL)
                goto done;
        if ((rv = file_softmagic(ms, utf8_buf, (size_t)(utf8_end - utf8_buf),
-           TEXTTEST)) != 0)
+           0, TEXTTEST)) != 0)
                goto done;
        else
                rv = -1;
diff --git a/src/file.h b/src/file.h
index c07f2d4..2a6cf02 100644
--- a/ext/fileinfo/libmagic/file.h
+++ b/ext/fileinfo/libmagic/file.h
@@ -373,8 +373,8 @@ protected int file_ascmagic_with_encoding(struct magic_set *,
 protected int file_encoding(struct magic_set *, const unsigned char *, size_t,
     unichar **, size_t *, const char **, const char **, const char **);
 protected int file_is_tar(struct magic_set *, const unsigned char *, size_t);
-protected int file_softmagic(struct magic_set *, const unsigned char *, size_t,
-    int);
+protected int file_softmagic(struct magic_set *, const unsigned char *,  size_t,
+    size_t, int);
 protected struct mlist *file_apprentice(struct magic_set *, const char *, int);
 protected uint64_t file_signextend(struct magic_set *, struct magic *,
     uint64_t);
diff --git a/src/funcs.c b/src/funcs.c
index 2397417..11d257f 100644
--- a/ext/fileinfo/libmagic/funcs.c
+++ b/ext/fileinfo/libmagic/funcs.c
@@ -227,7 +227,7 @@ file_buffer(struct magic_set *ms, int fd, const char *inname, const void *buf,
 
        /* try soft magic tests */
        if ((ms->flags & MAGIC_NO_CHECK_SOFT) == 0)
-               if ((m = file_softmagic(ms, ubuf, nb, BINTEST)) != 0) {
+               if ((m = file_softmagic(ms, ubuf, nb, 0, BINTEST)) != 0) {
                        if ((ms->flags & MAGIC_DEBUG) != 0)
                                (void)fprintf(stderr, "softmagic %d\n", m);
 #ifdef BUILTIN_ELF
diff --git a/src/softmagic.c b/src/softmagic.c
index 58a1cf7..107876c 100644
--- a/ext/fileinfo/libmagic/softmagic.c
+++ b/ext/fileinfo/libmagic/softmagic.c
@@ -70,9 +70,9 @@ file_pstring_length_size(const struct magic *m)
 
 
 private int match(struct magic_set *, struct magic *, uint32_t,
-    const unsigned char *, size_t, int);
+    const unsigned char *, size_t, int, int);
 private int mget(struct magic_set *, const unsigned char *,
-    struct magic *, size_t, unsigned int);
+    struct magic *, size_t, unsigned int, int);
 private int magiccheck(struct magic_set *, struct magic *);
 private int32_t mprint(struct magic_set *, struct magic *);
 private int32_t moffset(struct magic_set *, struct magic *);
@@ -94,12 +94,12 @@ private void cvt_64(union VALUETYPE *, const struct magic *);
  */
 /*ARGSUSED1*/          /* nbytes passed for regularity, maybe need later */
 protected int
-file_softmagic(struct magic_set *ms, const unsigned char *buf, size_t nbytes, int mode)
+file_softmagic(struct magic_set *ms, const unsigned char *buf, size_t nbytes, size_t level, int mode)
 {
        struct mlist *ml;
        int rv;
        for (ml = ms->mlist->next; ml != ms->mlist; ml = ml->next)
-               if ((rv = match(ms, ml->magic, ml->nmagic, buf, nbytes, mode)) != 0)
+               if ((rv = match(ms, ml->magic, ml->nmagic, buf, nbytes, mode, level)) != 0)
                        return rv;
 
        return 0;
@@ -134,7 +134,7 @@ file_softmagic(struct magic_set *ms, const unsigned char *buf, size_t nbytes, in
  */
 private int
 match(struct magic_set *ms, struct magic *magic, uint32_t nmagic,
-    const unsigned char *s, size_t nbytes, int mode)
+    const unsigned char *s, size_t nbytes, int mode, int recursion_level)
 {
        uint32_t magindex = 0;
        unsigned int cont_level = 0;
@@ -163,7 +163,7 @@ match(struct magic_set *ms, struct magic *magic, uint32_t nmagic,
                ms->line = m->lineno;
 
                /* if main entry matches, print it... */
-               switch (mget(ms, s, m, nbytes, cont_level)) {
+               switch (mget(ms, s, m, nbytes, cont_level, recursion_level + 1)) {
                case -1:
                        return -1;
                case 0:
@@ -246,7 +246,7 @@ match(struct magic_set *ms, struct magic *magic, uint32_t nmagic,
                                        continue;
                        }
 #endif
-                       switch (mget(ms, s, m, nbytes, cont_level)) {
+                       switch (mget(ms, s, m, nbytes, cont_level, recursion_level + 1)) {
                        case -1:
                                return -1;
                        case 0:
@@ -1062,13 +1062,18 @@ mcopy(struct magic_set *ms, union VALUETYPE *p, int type, int indir,
 
 private int
 mget(struct magic_set *ms, const unsigned char *s,
-    struct magic *m, size_t nbytes, unsigned int cont_level)
+    struct magic *m, size_t nbytes, unsigned int cont_level, int recursion_level)
 {
        uint32_t offset = ms->offset;
        uint32_t count = m->str_range;
        uint32_t lhs;
        union VALUETYPE *p = &ms->ms_value;
 
+       if (recursion_level >= 20) {
+               file_error(ms, 0, "recursion nesting exceeded");
+               return -1;
+       }
+
        if (mcopy(ms, p, m->type, m->flag & INDIR, s, offset, nbytes, count) == -1)
                return -1;
 
@@ -1486,17 +1491,19 @@ mget(struct magic_set *ms, const unsigned char *s,
                break;
 
        case FILE_REGEX:
-               if (nbytes < offset)
+               if (nbytes < offset)
                        return 0;
                break;
 
        case FILE_INDIRECT:
+               if (offset == 0)
+                       return 0;
                if ((ms->flags & (MAGIC_MIME|MAGIC_APPLE)) == 0 &&
                    file_printf(ms, m->desc) == -1)
                        return -1;
-               if (nbytes < offset)
+               if (nbytes < offset)
                        return 0;
-               return file_softmagic(ms, s + offset, nbytes - offset,
+               return file_softmagic(ms, s + offset, nbytes - offset, recursion_level,
                    BINTEST);
 
        case FILE_DEFAULT:      /* nothing to check */
diff --git a/ext/fileinfo/tests/cve-2014-1943.phpt b/ext/fileinfo/tests/cve-2014-1943.phpt
new file mode 100644
index 0000000..b2e9c17
--- /dev/null
+++ b/ext/fileinfo/tests/cve-2014-1943.phpt
@@ -0,0 +1,39 @@
+--TEST--
+Bug #66731: file: infinite recursion
+--SKIPIF--
+<?php
+if (!class_exists('finfo'))
+       die('skip no fileinfo extension');
+--FILE--
+<?php
+$fd = __DIR__.'/cve-2014-1943.data';
+$fm = __DIR__.'/cve-2014-1943.magic';
+
+$a = "\105\122\000\000\000\000\000";
+$b = str_repeat("\001", 250000);
+$m =  "0           byte        x\n".
+      ">(1.b)      indirect    x\n";
+
+file_put_contents($fd, $a);
+$fi = finfo_open(FILEINFO_NONE);
+var_dump(finfo_file($fi, $fd));
+finfo_close($fi);
+
+file_put_contents($fd, $b);
+file_put_contents($fm, $m);
+$fi = finfo_open(FILEINFO_NONE, $fm);
+var_dump(finfo_file($fi, $fd));
+finfo_close($fi);
+?>
+Done
+--CLEAN--
+<?php
+@unlink(__DIR__.'/cve-2014-1943.data');
+@unlink(__DIR__.'/cve-2014-1943.magic');
+?>
+--EXPECTF--
+string(%d) "%s"
+
+Warning: finfo_file(): Failed identify data 0:(null) in %s on line %d
+bool(false)
+Done
1	vip-ire	1.1	diff --git a/src/ascmagic.c b/src/ascmagic.c
2			index 9236fb4..5a531ae 100644
3			--- a/ext/fileinfo/libmagic/ascmagic.c
4			+++ b/ext/fileinfo/libmagic/ascmagic.c
5			@@ -151,7 +151,7 @@ file_ascmagic_with_encoding(struct magic_set ms, const unsigned char buf,
6			if ((utf8_end = encode_utf8(utf8_buf, mlen, ubuf, ulen)) == NULL)
7			goto done;
8			if ((rv = file_softmagic(ms, utf8_buf, (size_t)(utf8_end - utf8_buf),
9			- TEXTTEST)) != 0)
10			+ 0, TEXTTEST)) != 0)
11			goto done;
12			else
13			rv = -1;
14			diff --git a/src/file.h b/src/file.h
15			index c07f2d4..2a6cf02 100644
16			--- a/ext/fileinfo/libmagic/file.h
17			+++ b/ext/fileinfo/libmagic/file.h
18			@@ -373,8 +373,8 @@ protected int file_ascmagic_with_encoding(struct magic_set *,
19			protected int file_encoding(struct magic_set , const unsigned char , size_t,
20			unichar *, size_t , const char , const char , const char **);
21			protected int file_is_tar(struct magic_set , const unsigned char , size_t);
22			-protected int file_softmagic(struct magic_set , const unsigned char , size_t,
23			- int);
24			+protected int file_softmagic(struct magic_set , const unsigned char , size_t,
25			+ size_t, int);
26			protected struct mlist file_apprentice(struct magic_set , const char *, int);
27			protected uint64_t file_signextend(struct magic_set , struct magic ,
28			uint64_t);
29			diff --git a/src/funcs.c b/src/funcs.c
30			index 2397417..11d257f 100644
31			--- a/ext/fileinfo/libmagic/funcs.c
32			+++ b/ext/fileinfo/libmagic/funcs.c
33			@@ -227,7 +227,7 @@ file_buffer(struct magic_set ms, int fd, const char inname, const void *buf,
34
35			/* try soft magic tests */
36			if ((ms->flags & MAGIC_NO_CHECK_SOFT) == 0)
37			- if ((m = file_softmagic(ms, ubuf, nb, BINTEST)) != 0) {
38			+ if ((m = file_softmagic(ms, ubuf, nb, 0, BINTEST)) != 0) {
39			if ((ms->flags & MAGIC_DEBUG) != 0)
40			(void)fprintf(stderr, "softmagic %d\n", m);
41			#ifdef BUILTIN_ELF
42			diff --git a/src/softmagic.c b/src/softmagic.c
43			index 58a1cf7..107876c 100644
44			--- a/ext/fileinfo/libmagic/softmagic.c
45			+++ b/ext/fileinfo/libmagic/softmagic.c
46			@@ -70,9 +70,9 @@ file_pstring_length_size(const struct magic *m)
47
48
49			private int match(struct magic_set , struct magic , uint32_t,
50			- const unsigned char *, size_t, int);
51			+ const unsigned char *, size_t, int, int);
52			private int mget(struct magic_set , const unsigned char ,
53			- struct magic *, size_t, unsigned int);
54			+ struct magic *, size_t, unsigned int, int);
55			private int magiccheck(struct magic_set , struct magic );
56			private int32_t mprint(struct magic_set , struct magic );
57			private int32_t moffset(struct magic_set , struct magic );
58			@@ -94,12 +94,12 @@ private void cvt_64(union VALUETYPE , const struct magic );
59			*/
60			/ARGSUSED1/ /* nbytes passed for regularity, maybe need later */
61			protected int
62			-file_softmagic(struct magic_set ms, const unsigned char buf, size_t nbytes, int mode)
63			+file_softmagic(struct magic_set ms, const unsigned char buf, size_t nbytes, size_t level, int mode)
64			{
65			struct mlist *ml;
66			int rv;
67			for (ml = ms->mlist->next; ml != ms->mlist; ml = ml->next)
68			- if ((rv = match(ms, ml->magic, ml->nmagic, buf, nbytes, mode)) != 0)
69			+ if ((rv = match(ms, ml->magic, ml->nmagic, buf, nbytes, mode, level)) != 0)
70			return rv;
71
72			return 0;
73			@@ -134,7 +134,7 @@ file_softmagic(struct magic_set ms, const unsigned char buf, size_t nbytes, in
74			*/
75			private int
76			match(struct magic_set ms, struct magic magic, uint32_t nmagic,
77			- const unsigned char *s, size_t nbytes, int mode)
78			+ const unsigned char *s, size_t nbytes, int mode, int recursion_level)
79			{
80			uint32_t magindex = 0;
81			unsigned int cont_level = 0;
82			@@ -163,7 +163,7 @@ match(struct magic_set ms, struct magic magic, uint32_t nmagic,
83			ms->line = m->lineno;
84
85			/* if main entry matches, print it... */
86			- switch (mget(ms, s, m, nbytes, cont_level)) {
87			+ switch (mget(ms, s, m, nbytes, cont_level, recursion_level + 1)) {
88			case -1:
89			return -1;
90			case 0:
91			@@ -246,7 +246,7 @@ match(struct magic_set ms, struct magic magic, uint32_t nmagic,
92			continue;
93			}
94			#endif
95			- switch (mget(ms, s, m, nbytes, cont_level)) {
96			+ switch (mget(ms, s, m, nbytes, cont_level, recursion_level + 1)) {
97			case -1:
98			return -1;
99			case 0:
100			@@ -1062,13 +1062,18 @@ mcopy(struct magic_set ms, union VALUETYPE p, int type, int indir,
101
102			private int
103			mget(struct magic_set ms, const unsigned char s,
104			- struct magic *m, size_t nbytes, unsigned int cont_level)
105			+ struct magic *m, size_t nbytes, unsigned int cont_level, int recursion_level)
106			{
107			uint32_t offset = ms->offset;
108			uint32_t count = m->str_range;
109			uint32_t lhs;
110			union VALUETYPE *p = &ms->ms_value;
111
112			+ if (recursion_level >= 20) {
113			+ file_error(ms, 0, "recursion nesting exceeded");
114			+ return -1;
115			+ }
116			+
117			if (mcopy(ms, p, m->type, m->flag & INDIR, s, offset, nbytes, count) == -1)
118			return -1;
119
120			@@ -1486,17 +1491,19 @@ mget(struct magic_set ms, const unsigned char s,
121			break;
122
123			case FILE_REGEX:
124			- if (nbytes < offset)
125			+ if (nbytes < offset)
126			return 0;
127			break;
128
129			case FILE_INDIRECT:
130			+ if (offset == 0)
131			+ return 0;
132			if ((ms->flags & (MAGIC_MIME\|MAGIC_APPLE)) == 0 &&
133			file_printf(ms, m->desc) == -1)
134			return -1;
135			- if (nbytes < offset)
136			+ if (nbytes < offset)
137			return 0;
138			- return file_softmagic(ms, s + offset, nbytes - offset,
139			+ return file_softmagic(ms, s + offset, nbytes - offset, recursion_level,
140			BINTEST);
141
142			case FILE_DEFAULT: /* nothing to check */
143			diff --git a/ext/fileinfo/tests/cve-2014-1943.phpt b/ext/fileinfo/tests/cve-2014-1943.phpt
144			new file mode 100644
145			index 0000000..b2e9c17
146			--- /dev/null
147			+++ b/ext/fileinfo/tests/cve-2014-1943.phpt
148			@@ -0,0 +1,39 @@
149			+--TEST--
150			+Bug #66731: file: infinite recursion
151			+--SKIPIF--
152			+<?php
153			+if (!class_exists('finfo'))
154			+ die('skip no fileinfo extension');
155			+--FILE--
156			+<?php
157			+$fd = __DIR__.'/cve-2014-1943.data';
158			+$fm = __DIR__.'/cve-2014-1943.magic';
159			+
160			+$a = "\105\122\000\000\000\000\000";
161			+$b = str_repeat("\001", 250000);
162			+$m = "0 byte x\n".
163			+ ">(1.b) indirect x\n";
164			+
165			+file_put_contents($fd, $a);
166			+$fi = finfo_open(FILEINFO_NONE);
167			+var_dump(finfo_file($fi, $fd));
168			+finfo_close($fi);
169			+
170			+file_put_contents($fd, $b);
171			+file_put_contents($fm, $m);
172			+$fi = finfo_open(FILEINFO_NONE, $fm);
173			+var_dump(finfo_file($fi, $fd));
174			+finfo_close($fi);
175			+?>
176			+Done
177			+--CLEAN--
178			+<?php
179			+@unlink(__DIR__.'/cve-2014-1943.data');
180			+@unlink(__DIR__.'/cve-2014-1943.magic');
181			+?>
182			+--EXPECTF--
183			+string(%d) "%s"
184			+
185			+Warning: finfo_file(): Failed identify data 0:(null) in %s on line %d
186			+bool(false)
187			+Done