php/sme8/php-5.3.3-CVE-2014-1943.patch

diff --git a/src/ascmagic.c b/src/ascmagic.c
index 9236fb4..5a531ae 100644
--- a/ext/fileinfo/libmagic/ascmagic.c
+++ b/ext/fileinfo/libmagic/ascmagic.c
@@ -151,7 +151,7 @@ file_ascmagic_with_encoding(struct magic_set *ms, const unsigned char *buf,
        if ((utf8_end = encode_utf8(utf8_buf, mlen, ubuf, ulen)) == NULL)
                goto done;
        if ((rv = file_softmagic(ms, utf8_buf, (size_t)(utf8_end - utf8_buf),
-           TEXTTEST)) != 0)
+           0, TEXTTEST)) != 0)
                goto done;
        else
                rv = -1;
diff --git a/src/file.h b/src/file.h
index c07f2d4..2a6cf02 100644
--- a/ext/fileinfo/libmagic/file.h
+++ b/ext/fileinfo/libmagic/file.h
@@ -373,8 +373,8 @@ protected int file_ascmagic_with_encoding(struct magic_set *,
 protected int file_encoding(struct magic_set *, const unsigned char *, size_t,
     unichar **, size_t *, const char **, const char **, const char **);
 protected int file_is_tar(struct magic_set *, const unsigned char *, size_t);
-protected int file_softmagic(struct magic_set *, const unsigned char *, size_t,
-    int);
+protected int file_softmagic(struct magic_set *, const unsigned char *,  size_t,
+    size_t, int);
 protected struct mlist *file_apprentice(struct magic_set *, const char *, int);
 protected uint64_t file_signextend(struct magic_set *, struct magic *,
     uint64_t);
diff --git a/src/funcs.c b/src/funcs.c
index 2397417..11d257f 100644
--- a/ext/fileinfo/libmagic/funcs.c
+++ b/ext/fileinfo/libmagic/funcs.c
@@ -227,7 +227,7 @@ file_buffer(struct magic_set *ms, int fd, const char *inname, const void *buf,
 
        /* try soft magic tests */
        if ((ms->flags & MAGIC_NO_CHECK_SOFT) == 0)
-               if ((m = file_softmagic(ms, ubuf, nb, BINTEST)) != 0) {
+               if ((m = file_softmagic(ms, ubuf, nb, 0, BINTEST)) != 0) {
                        if ((ms->flags & MAGIC_DEBUG) != 0)
                                (void)fprintf(stderr, "softmagic %d\n", m);
 #ifdef BUILTIN_ELF
diff --git a/src/softmagic.c b/src/softmagic.c
index 58a1cf7..107876c 100644
--- a/ext/fileinfo/libmagic/softmagic.c
+++ b/ext/fileinfo/libmagic/softmagic.c
@@ -70,9 +70,9 @@ file_pstring_length_size(const struct magic *m)
 
 
 private int match(struct magic_set *, struct magic *, uint32_t,
-    const unsigned char *, size_t, int);
+    const unsigned char *, size_t, int, int);
 private int mget(struct magic_set *, const unsigned char *,
-    struct magic *, size_t, unsigned int);
+    struct magic *, size_t, unsigned int, int);
 private int magiccheck(struct magic_set *, struct magic *);
 private int32_t mprint(struct magic_set *, struct magic *);
 private int32_t moffset(struct magic_set *, struct magic *);
@@ -94,12 +94,12 @@ private void cvt_64(union VALUETYPE *, const struct magic *);
  */
 /*ARGSUSED1*/          /* nbytes passed for regularity, maybe need later */
 protected int
-file_softmagic(struct magic_set *ms, const unsigned char *buf, size_t nbytes, int mode)
+file_softmagic(struct magic_set *ms, const unsigned char *buf, size_t nbytes, size_t level, int mode)
 {
        struct mlist *ml;
        int rv;
        for (ml = ms->mlist->next; ml != ms->mlist; ml = ml->next)
-               if ((rv = match(ms, ml->magic, ml->nmagic, buf, nbytes, mode)) != 0)
+               if ((rv = match(ms, ml->magic, ml->nmagic, buf, nbytes, mode, level)) != 0)
                        return rv;
 
        return 0;
@@ -134,7 +134,7 @@ file_softmagic(struct magic_set *ms, const unsigned char *buf, size_t nbytes, in
  */
 private int
 match(struct magic_set *ms, struct magic *magic, uint32_t nmagic,
-    const unsigned char *s, size_t nbytes, int mode)
+    const unsigned char *s, size_t nbytes, int mode, int recursion_level)
 {
        uint32_t magindex = 0;
        unsigned int cont_level = 0;
@@ -163,7 +163,7 @@ match(struct magic_set *ms, struct magic *magic, uint32_t nmagic,
                ms->line = m->lineno;
 
                /* if main entry matches, print it... */
-               switch (mget(ms, s, m, nbytes, cont_level)) {
+               switch (mget(ms, s, m, nbytes, cont_level, recursion_level + 1)) {
                case -1:
                        return -1;
                case 0:
@@ -246,7 +246,7 @@ match(struct magic_set *ms, struct magic *magic, uint32_t nmagic,
                                        continue;
                        }
 #endif
-                       switch (mget(ms, s, m, nbytes, cont_level)) {
+                       switch (mget(ms, s, m, nbytes, cont_level, recursion_level + 1)) {
                        case -1:
                                return -1;
                        case 0:
@@ -1062,13 +1062,18 @@ mcopy(struct magic_set *ms, union VALUETYPE *p, int type, int indir,
 
 private int
 mget(struct magic_set *ms, const unsigned char *s,
-    struct magic *m, size_t nbytes, unsigned int cont_level)
+    struct magic *m, size_t nbytes, unsigned int cont_level, int recursion_level)
 {
        uint32_t offset = ms->offset;
        uint32_t count = m->str_range;
        uint32_t lhs;
        union VALUETYPE *p = &ms->ms_value;
 
+       if (recursion_level >= 20) {
+               file_error(ms, 0, "recursion nesting exceeded");
+               return -1;
+       }
+
        if (mcopy(ms, p, m->type, m->flag & INDIR, s, offset, nbytes, count) == -1)
                return -1;
 
@@ -1486,17 +1491,19 @@ mget(struct magic_set *ms, const unsigned char *s,
                break;
 
        case FILE_REGEX:
-               if (nbytes < offset)
+               if (nbytes < offset)
                        return 0;
                break;
 
        case FILE_INDIRECT:
+               if (offset == 0)
+                       return 0;
                if ((ms->flags & (MAGIC_MIME|MAGIC_APPLE)) == 0 &&
                    file_printf(ms, m->desc) == -1)
                        return -1;
-               if (nbytes < offset)
+               if (nbytes < offset)
                        return 0;
-               return file_softmagic(ms, s + offset, nbytes - offset,
+               return file_softmagic(ms, s + offset, nbytes - offset, recursion_level,
                    BINTEST);
 
        case FILE_DEFAULT:      /* nothing to check */
diff --git a/ext/fileinfo/tests/cve-2014-1943.phpt b/ext/fileinfo/tests/cve-2014-1943.phpt
new file mode 100644
index 0000000..b2e9c17
--- /dev/null
+++ b/ext/fileinfo/tests/cve-2014-1943.phpt
@@ -0,0 +1,39 @@
+--TEST--
+Bug #66731: file: infinite recursion
+--SKIPIF--
+<?php
+if (!class_exists('finfo'))
+       die('skip no fileinfo extension');
+--FILE--
+<?php
+$fd = __DIR__.'/cve-2014-1943.data';
+$fm = __DIR__.'/cve-2014-1943.magic';
+
+$a = "\105\122\000\000\000\000\000";
+$b = str_repeat("\001", 250000);
+$m =  "0           byte        x\n".
+      ">(1.b)      indirect    x\n";
+
+file_put_contents($fd, $a);
+$fi = finfo_open(FILEINFO_NONE);
+var_dump(finfo_file($fi, $fd));
+finfo_close($fi);
+
+file_put_contents($fd, $b);
+file_put_contents($fm, $m);
+$fi = finfo_open(FILEINFO_NONE, $fm);
+var_dump(finfo_file($fi, $fd));
+finfo_close($fi);
+?>
+Done
+--CLEAN--
+<?php
+@unlink(__DIR__.'/cve-2014-1943.data');
+@unlink(__DIR__.'/cve-2014-1943.magic');
+?>
+--EXPECTF--
+string(%d) "%s"
+
+Warning: finfo_file(): Failed identify data 0:(null) in %s on line %d
+bool(false)
+Done
1	diff --git a/src/ascmagic.c b/src/ascmagic.c
2	index 9236fb4..5a531ae 100644
3	--- a/ext/fileinfo/libmagic/ascmagic.c
4	+++ b/ext/fileinfo/libmagic/ascmagic.c
5	@@ -151,7 +151,7 @@ file_ascmagic_with_encoding(struct magic_set ms, const unsigned char buf,
6	if ((utf8_end = encode_utf8(utf8_buf, mlen, ubuf, ulen)) == NULL)
7	goto done;
8	if ((rv = file_softmagic(ms, utf8_buf, (size_t)(utf8_end - utf8_buf),
9	- TEXTTEST)) != 0)
10	+ 0, TEXTTEST)) != 0)
11	goto done;
12	else
13	rv = -1;
14	diff --git a/src/file.h b/src/file.h
15	index c07f2d4..2a6cf02 100644
16	--- a/ext/fileinfo/libmagic/file.h
17	+++ b/ext/fileinfo/libmagic/file.h
18	@@ -373,8 +373,8 @@ protected int file_ascmagic_with_encoding(struct magic_set *,
19	protected int file_encoding(struct magic_set , const unsigned char , size_t,
20	unichar *, size_t , const char , const char , const char **);
21	protected int file_is_tar(struct magic_set , const unsigned char , size_t);
22	-protected int file_softmagic(struct magic_set , const unsigned char , size_t,
23	- int);
24	+protected int file_softmagic(struct magic_set , const unsigned char , size_t,
25	+ size_t, int);
26	protected struct mlist file_apprentice(struct magic_set , const char *, int);
27	protected uint64_t file_signextend(struct magic_set , struct magic ,
28	uint64_t);
29	diff --git a/src/funcs.c b/src/funcs.c
30	index 2397417..11d257f 100644
31	--- a/ext/fileinfo/libmagic/funcs.c
32	+++ b/ext/fileinfo/libmagic/funcs.c
33	@@ -227,7 +227,7 @@ file_buffer(struct magic_set ms, int fd, const char inname, const void *buf,
34
35	/* try soft magic tests */
36	if ((ms->flags & MAGIC_NO_CHECK_SOFT) == 0)
37	- if ((m = file_softmagic(ms, ubuf, nb, BINTEST)) != 0) {
38	+ if ((m = file_softmagic(ms, ubuf, nb, 0, BINTEST)) != 0) {
39	if ((ms->flags & MAGIC_DEBUG) != 0)
40	(void)fprintf(stderr, "softmagic %d\n", m);
41	#ifdef BUILTIN_ELF
42	diff --git a/src/softmagic.c b/src/softmagic.c
43	index 58a1cf7..107876c 100644
44	--- a/ext/fileinfo/libmagic/softmagic.c
45	+++ b/ext/fileinfo/libmagic/softmagic.c
46	@@ -70,9 +70,9 @@ file_pstring_length_size(const struct magic *m)
47
48
49	private int match(struct magic_set , struct magic , uint32_t,
50	- const unsigned char *, size_t, int);
51	+ const unsigned char *, size_t, int, int);
52	private int mget(struct magic_set , const unsigned char ,
53	- struct magic *, size_t, unsigned int);
54	+ struct magic *, size_t, unsigned int, int);
55	private int magiccheck(struct magic_set , struct magic );
56	private int32_t mprint(struct magic_set , struct magic );
57	private int32_t moffset(struct magic_set , struct magic );
58	@@ -94,12 +94,12 @@ private void cvt_64(union VALUETYPE , const struct magic );
59	*/
60	/ARGSUSED1/ /* nbytes passed for regularity, maybe need later */
61	protected int
62	-file_softmagic(struct magic_set ms, const unsigned char buf, size_t nbytes, int mode)
63	+file_softmagic(struct magic_set ms, const unsigned char buf, size_t nbytes, size_t level, int mode)
64	{
65	struct mlist *ml;
66	int rv;
67	for (ml = ms->mlist->next; ml != ms->mlist; ml = ml->next)
68	- if ((rv = match(ms, ml->magic, ml->nmagic, buf, nbytes, mode)) != 0)
69	+ if ((rv = match(ms, ml->magic, ml->nmagic, buf, nbytes, mode, level)) != 0)
70	return rv;
71
72	return 0;
73	@@ -134,7 +134,7 @@ file_softmagic(struct magic_set ms, const unsigned char buf, size_t nbytes, in
74	*/
75	private int
76	match(struct magic_set ms, struct magic magic, uint32_t nmagic,
77	- const unsigned char *s, size_t nbytes, int mode)
78	+ const unsigned char *s, size_t nbytes, int mode, int recursion_level)
79	{
80	uint32_t magindex = 0;
81	unsigned int cont_level = 0;
82	@@ -163,7 +163,7 @@ match(struct magic_set ms, struct magic magic, uint32_t nmagic,
83	ms->line = m->lineno;
84
85	/* if main entry matches, print it... */
86	- switch (mget(ms, s, m, nbytes, cont_level)) {
87	+ switch (mget(ms, s, m, nbytes, cont_level, recursion_level + 1)) {
88	case -1:
89	return -1;
90	case 0:
91	@@ -246,7 +246,7 @@ match(struct magic_set ms, struct magic magic, uint32_t nmagic,
92	continue;
93	}
94	#endif
95	- switch (mget(ms, s, m, nbytes, cont_level)) {
96	+ switch (mget(ms, s, m, nbytes, cont_level, recursion_level + 1)) {
97	case -1:
98	return -1;
99	case 0:
100	@@ -1062,13 +1062,18 @@ mcopy(struct magic_set ms, union VALUETYPE p, int type, int indir,
101
102	private int
103	mget(struct magic_set ms, const unsigned char s,
104	- struct magic *m, size_t nbytes, unsigned int cont_level)
105	+ struct magic *m, size_t nbytes, unsigned int cont_level, int recursion_level)
106	{
107	uint32_t offset = ms->offset;
108	uint32_t count = m->str_range;
109	uint32_t lhs;
110	union VALUETYPE *p = &ms->ms_value;
111
112	+ if (recursion_level >= 20) {
113	+ file_error(ms, 0, "recursion nesting exceeded");
114	+ return -1;
115	+ }
116	+
117	if (mcopy(ms, p, m->type, m->flag & INDIR, s, offset, nbytes, count) == -1)
118	return -1;
119
120	@@ -1486,17 +1491,19 @@ mget(struct magic_set ms, const unsigned char s,
121	break;
122
123	case FILE_REGEX:
124	- if (nbytes < offset)
125	+ if (nbytes < offset)
126	return 0;
127	break;
128
129	case FILE_INDIRECT:
130	+ if (offset == 0)
131	+ return 0;
132	if ((ms->flags & (MAGIC_MIME\|MAGIC_APPLE)) == 0 &&
133	file_printf(ms, m->desc) == -1)
134	return -1;
135	- if (nbytes < offset)
136	+ if (nbytes < offset)
137	return 0;
138	- return file_softmagic(ms, s + offset, nbytes - offset,
139	+ return file_softmagic(ms, s + offset, nbytes - offset, recursion_level,
140	BINTEST);
141
142	case FILE_DEFAULT: /* nothing to check */
143	diff --git a/ext/fileinfo/tests/cve-2014-1943.phpt b/ext/fileinfo/tests/cve-2014-1943.phpt
144	new file mode 100644
145	index 0000000..b2e9c17
146	--- /dev/null
147	+++ b/ext/fileinfo/tests/cve-2014-1943.phpt
148	@@ -0,0 +1,39 @@
149	+--TEST--
150	+Bug #66731: file: infinite recursion
151	+--SKIPIF--
152	+<?php
153	+if (!class_exists('finfo'))
154	+ die('skip no fileinfo extension');
155	+--FILE--
156	+<?php
157	+$fd = __DIR__.'/cve-2014-1943.data';
158	+$fm = __DIR__.'/cve-2014-1943.magic';
159	+
160	+$a = "\105\122\000\000\000\000\000";
161	+$b = str_repeat("\001", 250000);
162	+$m = "0 byte x\n".
163	+ ">(1.b) indirect x\n";
164	+
165	+file_put_contents($fd, $a);
166	+$fi = finfo_open(FILEINFO_NONE);
167	+var_dump(finfo_file($fi, $fd));
168	+finfo_close($fi);
169	+
170	+file_put_contents($fd, $b);
171	+file_put_contents($fm, $m);
172	+$fi = finfo_open(FILEINFO_NONE, $fm);
173	+var_dump(finfo_file($fi, $fd));
174	+finfo_close($fi);
175	+?>
176	+Done
177	+--CLEAN--
178	+<?php
179	+@unlink(__DIR__.'/cve-2014-1943.data');
180	+@unlink(__DIR__.'/cve-2014-1943.magic');
181	+?>
182	+--EXPECTF--
183	+string(%d) "%s"
184	+
185	+Warning: finfo_file(): Failed identify data 0:(null) in %s on line %d
186	+bool(false)
187	+Done