/[smeserver]/rpms/php/sme8/php-5.3.3-CVE-2014-2270.patch
ViewVC logotype

Annotation of /rpms/php/sme8/php-5.3.3-CVE-2014-2270.patch

Parent Directory Parent Directory | Revision Log Revision Log | View Revision Graph Revision Graph

Revision 1.1 - (hide annotations) (download)
Thu Aug 7 07:05:52 2014 UTC (9 years, 10 months ago) by vip-ire
Branch: MAIN
CVS Tags: php-5_3_3-17_el5_sme, php-5_3_3-15_el5_sme, php-5_3_3-16_el5_sme, HEAD 
* Thu Aug 7 2014 Daniel Berteaud <daniel@firewall-services.com> - 5.3.3-15.sme
- Resync with upstream php53, which include (see [SME: 8515])
- core: type confusion issue in phpinfo(). CVE-2014-4721
- date: fix heap-based buffer over-read in DateInterval. CVE-2013-6712
- core: fix heap-based buffer overflow in DNS TXT record parsing.
  CVE-2014-4049
- core: unserialize() SPL ArrayObject / SPLObjectStorage type
  confusion flaw. CVE-2014-3515
- fileinfo: out-of-bounds memory access in fileinfo. CVE-2014-2270
- fileinfo: unrestricted recursion in handling of indirect type
  rules. CVE-2014-1943
- fileinfo: out of bounds read in CDF parser. CVE-2012-1571
- fileinfo: cdf_check_stream_offset boundary check. CVE-2014-3479
- fileinfo: cdf_count_chain insufficient boundary check. CVE-2014-3480
- fileinfo: cdf_unpack_summary_info() excessive looping
  DoS. CVE-2014-0237
- fileinfo: CDF property info parsing nelements infinite
  loop. CVE-2014-0238
1 vip-ire 1.1 diff --git a/src/softmagic.c b/src/softmagic.c
2     index 1f02fec..58a1cf7 100644
3     --- a/ext/fileinfo/libmagic/softmagic.c
4     +++ b/ext/fileinfo/libmagic/softmagic.c
5     @@ -87,6 +87,7 @@ private void cvt_16(union VALUETYPE *, const struct magic *);
6     private void cvt_32(union VALUETYPE *, const struct magic *);
7     private void cvt_64(union VALUETYPE *, const struct magic *);
8    
9     +#define OFFSET_OOB(n, o, i) ((n) < (o) || (i) > ((n) - (o)))
10     /*
11     * softmagic - lookup one file in parsed, in-memory copy of database
12     * Passed the name and FILE * of one file to be typed.
13     @@ -1065,6 +1066,7 @@ mget(struct magic_set *ms, const unsigned char *s,
14     {
15     uint32_t offset = ms->offset;
16     uint32_t count = m->str_range;
17     + uint32_t lhs;
18     union VALUETYPE *p = &ms->ms_value;
19    
20     if (mcopy(ms, p, m->type, m->flag & INDIR, s, offset, nbytes, count) == -1)
21     @@ -1116,7 +1118,7 @@ mget(struct magic_set *ms, const unsigned char *s,
22     }
23     switch (m->in_type) {
24     case FILE_BYTE:
25     - if (nbytes < (offset + 1))
26     + if (OFFSET_OOB(nbytes, offset, 1))
27     return 0;
28     if (off) {
29     switch (m->in_op & FILE_OPS_MASK) {
30     @@ -1151,111 +1153,79 @@ mget(struct magic_set *ms, const unsigned char *s,
31     offset = ~offset;
32     break;
33     case FILE_BESHORT:
34     - if (nbytes < (offset + 2))
35     + if (OFFSET_OOB(nbytes, offset, 2))
36     return 0;
37     + lhs = (p->hs[0] << 8) | p->hs[1];
38     if (off) {
39     switch (m->in_op & FILE_OPS_MASK) {
40     case FILE_OPAND:
41     - offset = (short)((p->hs[0]<<8)|
42     - (p->hs[1])) &
43     - off;
44     + offset = lhs & off;
45     break;
46     case FILE_OPOR:
47     - offset = (short)((p->hs[0]<<8)|
48     - (p->hs[1])) |
49     - off;
50     + offset = lhs | off;
51     break;
52     case FILE_OPXOR:
53     - offset = (short)((p->hs[0]<<8)|
54     - (p->hs[1])) ^
55     - off;
56     + offset = lhs ^ off;
57     break;
58     case FILE_OPADD:
59     - offset = (short)((p->hs[0]<<8)|
60     - (p->hs[1])) +
61     - off;
62     + offset = lhs + off;
63     break;
64     case FILE_OPMINUS:
65     - offset = (short)((p->hs[0]<<8)|
66     - (p->hs[1])) -
67     - off;
68     + offset = lhs - off;
69     break;
70     case FILE_OPMULTIPLY:
71     - offset = (short)((p->hs[0]<<8)|
72     - (p->hs[1])) *
73     - off;
74     + offset = lhs * off;
75     break;
76     case FILE_OPDIVIDE:
77     - offset = (short)((p->hs[0]<<8)|
78     - (p->hs[1])) /
79     - off;
80     + offset = lhs / off;
81     break;
82     case FILE_OPMODULO:
83     - offset = (short)((p->hs[0]<<8)|
84     - (p->hs[1])) %
85     - off;
86     + offset = lhs % off;
87     break;
88     }
89     } else
90     - offset = (short)((p->hs[0]<<8)|
91     - (p->hs[1]));
92     + offset = lhs;
93     if (m->in_op & FILE_OPINVERSE)
94     offset = ~offset;
95     break;
96     case FILE_LESHORT:
97     - if (nbytes < (offset + 2))
98     + if (OFFSET_OOB(nbytes, offset, 2))
99     return 0;
100     + lhs = (p->hs[1] << 8) | p->hs[0];
101     if (off) {
102     switch (m->in_op & FILE_OPS_MASK) {
103     case FILE_OPAND:
104     - offset = (short)((p->hs[1]<<8)|
105     - (p->hs[0])) &
106     - off;
107     + offset = lhs & off;
108     break;
109     case FILE_OPOR:
110     - offset = (short)((p->hs[1]<<8)|
111     - (p->hs[0])) |
112     - off;
113     + offset = lhs | off;
114     break;
115     case FILE_OPXOR:
116     - offset = (short)((p->hs[1]<<8)|
117     - (p->hs[0])) ^
118     - off;
119     + offset = lhs ^ off;
120     break;
121     case FILE_OPADD:
122     - offset = (short)((p->hs[1]<<8)|
123     - (p->hs[0])) +
124     - off;
125     + offset = lhs + off;
126     break;
127     case FILE_OPMINUS:
128     - offset = (short)((p->hs[1]<<8)|
129     - (p->hs[0])) -
130     - off;
131     + offset = lhs - off;
132     break;
133     case FILE_OPMULTIPLY:
134     - offset = (short)((p->hs[1]<<8)|
135     - (p->hs[0])) *
136     - off;
137     + offset = lhs * off;
138     break;
139     case FILE_OPDIVIDE:
140     - offset = (short)((p->hs[1]<<8)|
141     - (p->hs[0])) /
142     - off;
143     + offset = lhs / off;
144     break;
145     case FILE_OPMODULO:
146     - offset = (short)((p->hs[1]<<8)|
147     - (p->hs[0])) %
148     - off;
149     + offset = lhs % off;
150     break;
151     }
152     } else
153     - offset = (short)((p->hs[1]<<8)|
154     - (p->hs[0]));
155     + offset = lhs;
156     if (m->in_op & FILE_OPINVERSE)
157     offset = ~offset;
158     break;
159     case FILE_SHORT:
160     - if (nbytes < (offset + 2))
161     + if (OFFSET_OOB(nbytes, offset, 2))
162     return 0;
163     if (off) {
164     switch (m->in_op & FILE_OPS_MASK) {
165     @@ -1292,218 +1262,119 @@ mget(struct magic_set *ms, const unsigned char *s,
166     break;
167     case FILE_BELONG:
168     case FILE_BEID3:
169     - if (nbytes < (offset + 4))
170     + if (OFFSET_OOB(nbytes, offset, 4))
171     return 0;
172     + lhs = (p->hl[0] << 24) | (p->hl[1] << 16) |
173     + (p->hl[2] << 8) | p->hl[3];
174     if (off) {
175     switch (m->in_op & FILE_OPS_MASK) {
176     case FILE_OPAND:
177     - offset = (int32_t)((p->hl[0]<<24)|
178     - (p->hl[1]<<16)|
179     - (p->hl[2]<<8)|
180     - (p->hl[3])) &
181     - off;
182     + offset = lhs & off;
183     break;
184     case FILE_OPOR:
185     - offset = (int32_t)((p->hl[0]<<24)|
186     - (p->hl[1]<<16)|
187     - (p->hl[2]<<8)|
188     - (p->hl[3])) |
189     - off;
190     + offset = lhs | off;
191     break;
192     case FILE_OPXOR:
193     - offset = (int32_t)((p->hl[0]<<24)|
194     - (p->hl[1]<<16)|
195     - (p->hl[2]<<8)|
196     - (p->hl[3])) ^
197     - off;
198     + offset = lhs ^ off;
199     break;
200     case FILE_OPADD:
201     - offset = (int32_t)((p->hl[0]<<24)|
202     - (p->hl[1]<<16)|
203     - (p->hl[2]<<8)|
204     - (p->hl[3])) +
205     - off;
206     + offset = lhs + off;
207     break;
208     case FILE_OPMINUS:
209     - offset = (int32_t)((p->hl[0]<<24)|
210     - (p->hl[1]<<16)|
211     - (p->hl[2]<<8)|
212     - (p->hl[3])) -
213     - off;
214     + offset = lhs - off;
215     break;
216     case FILE_OPMULTIPLY:
217     - offset = (int32_t)((p->hl[0]<<24)|
218     - (p->hl[1]<<16)|
219     - (p->hl[2]<<8)|
220     - (p->hl[3])) *
221     - off;
222     + offset = lhs * off;
223     break;
224     case FILE_OPDIVIDE:
225     - offset = (int32_t)((p->hl[0]<<24)|
226     - (p->hl[1]<<16)|
227     - (p->hl[2]<<8)|
228     - (p->hl[3])) /
229     - off;
230     + offset = lhs / off;
231     break;
232     case FILE_OPMODULO:
233     - offset = (int32_t)((p->hl[0]<<24)|
234     - (p->hl[1]<<16)|
235     - (p->hl[2]<<8)|
236     - (p->hl[3])) %
237     - off;
238     + offset = lhs % off;
239     break;
240     }
241     } else
242     - offset = (int32_t)((p->hl[0]<<24)|
243     - (p->hl[1]<<16)|
244     - (p->hl[2]<<8)|
245     - (p->hl[3]));
246     + offset = lhs;
247     if (m->in_op & FILE_OPINVERSE)
248     offset = ~offset;
249     break;
250     case FILE_LELONG:
251     case FILE_LEID3:
252     - if (nbytes < (offset + 4))
253     + if (OFFSET_OOB(nbytes, offset, 4))
254     return 0;
255     + lhs = (p->hl[3] << 24) | (p->hl[2] << 16) |
256     + (p->hl[1] << 8) | p->hl[0];
257     if (off) {
258     switch (m->in_op & FILE_OPS_MASK) {
259     case FILE_OPAND:
260     - offset = (int32_t)((p->hl[3]<<24)|
261     - (p->hl[2]<<16)|
262     - (p->hl[1]<<8)|
263     - (p->hl[0])) &
264     - off;
265     + offset = lhs & off;
266     break;
267     case FILE_OPOR:
268     - offset = (int32_t)((p->hl[3]<<24)|
269     - (p->hl[2]<<16)|
270     - (p->hl[1]<<8)|
271     - (p->hl[0])) |
272     - off;
273     + offset = lhs | off;
274     break;
275     case FILE_OPXOR:
276     - offset = (int32_t)((p->hl[3]<<24)|
277     - (p->hl[2]<<16)|
278     - (p->hl[1]<<8)|
279     - (p->hl[0])) ^
280     - off;
281     + offset = lhs ^ off;
282     break;
283     case FILE_OPADD:
284     - offset = (int32_t)((p->hl[3]<<24)|
285     - (p->hl[2]<<16)|
286     - (p->hl[1]<<8)|
287     - (p->hl[0])) +
288     - off;
289     + offset = lhs + off;
290     break;
291     case FILE_OPMINUS:
292     - offset = (int32_t)((p->hl[3]<<24)|
293     - (p->hl[2]<<16)|
294     - (p->hl[1]<<8)|
295     - (p->hl[0])) -
296     - off;
297     + offset = lhs - off;
298     break;
299     case FILE_OPMULTIPLY:
300     - offset = (int32_t)((p->hl[3]<<24)|
301     - (p->hl[2]<<16)|
302     - (p->hl[1]<<8)|
303     - (p->hl[0])) *
304     - off;
305     + offset = lhs * off;
306     break;
307     case FILE_OPDIVIDE:
308     - offset = (int32_t)((p->hl[3]<<24)|
309     - (p->hl[2]<<16)|
310     - (p->hl[1]<<8)|
311     - (p->hl[0])) /
312     - off;
313     + offset = lhs / off;
314     break;
315     case FILE_OPMODULO:
316     - offset = (int32_t)((p->hl[3]<<24)|
317     - (p->hl[2]<<16)|
318     - (p->hl[1]<<8)|
319     - (p->hl[0])) %
320     - off;
321     + offset = lhs % off;
322     break;
323     }
324     } else
325     - offset = (int32_t)((p->hl[3]<<24)|
326     - (p->hl[2]<<16)|
327     - (p->hl[1]<<8)|
328     - (p->hl[0]));
329     + offset = lhs;
330     if (m->in_op & FILE_OPINVERSE)
331     offset = ~offset;
332     break;
333     case FILE_MELONG:
334     - if (nbytes < (offset + 4))
335     + if (OFFSET_OOB(nbytes, offset, 4))
336     return 0;
337     + lhs = (p->hl[1] << 24) | (p->hl[0] << 16) |
338     + (p->hl[3] << 8) | p->hl[2];
339     if (off) {
340     switch (m->in_op & FILE_OPS_MASK) {
341     case FILE_OPAND:
342     - offset = (int32_t)((p->hl[1]<<24)|
343     - (p->hl[0]<<16)|
344     - (p->hl[3]<<8)|
345     - (p->hl[2])) &
346     - off;
347     + offset = lhs & off;
348     break;
349     case FILE_OPOR:
350     - offset = (int32_t)((p->hl[1]<<24)|
351     - (p->hl[0]<<16)|
352     - (p->hl[3]<<8)|
353     - (p->hl[2])) |
354     - off;
355     + offset = lhs | off;
356     break;
357     case FILE_OPXOR:
358     - offset = (int32_t)((p->hl[1]<<24)|
359     - (p->hl[0]<<16)|
360     - (p->hl[3]<<8)|
361     - (p->hl[2])) ^
362     - off;
363     + offset = lhs ^ off;
364     break;
365     case FILE_OPADD:
366     - offset = (int32_t)((p->hl[1]<<24)|
367     - (p->hl[0]<<16)|
368     - (p->hl[3]<<8)|
369     - (p->hl[2])) +
370     - off;
371     + offset = lhs + off;
372     break;
373     case FILE_OPMINUS:
374     - offset = (int32_t)((p->hl[1]<<24)|
375     - (p->hl[0]<<16)|
376     - (p->hl[3]<<8)|
377     - (p->hl[2])) -
378     - off;
379     + offset = lhs - off;
380     break;
381     case FILE_OPMULTIPLY:
382     - offset = (int32_t)((p->hl[1]<<24)|
383     - (p->hl[0]<<16)|
384     - (p->hl[3]<<8)|
385     - (p->hl[2])) *
386     - off;
387     + offset = lhs * off;
388     break;
389     case FILE_OPDIVIDE:
390     - offset = (int32_t)((p->hl[1]<<24)|
391     - (p->hl[0]<<16)|
392     - (p->hl[3]<<8)|
393     - (p->hl[2])) /
394     - off;
395     + offset = lhs / off;
396     break;
397     case FILE_OPMODULO:
398     - offset = (int32_t)((p->hl[1]<<24)|
399     - (p->hl[0]<<16)|
400     - (p->hl[3]<<8)|
401     - (p->hl[2])) %
402     - off;
403     + offset = lhs % off;
404     break;
405     }
406     } else
407     - offset = (int32_t)((p->hl[1]<<24)|
408     - (p->hl[0]<<16)|
409     - (p->hl[3]<<8)|
410     - (p->hl[2]));
411     + offset = lhs;
412     if (m->in_op & FILE_OPINVERSE)
413     offset = ~offset;
414     break;
415     case FILE_LONG:
416     - if (nbytes < (offset + 4))
417     + if (OFFSET_OOB(nbytes, offset, 4))
418     return 0;
419     if (off) {
420     switch (m->in_op & FILE_OPS_MASK) {
421     @@ -1570,14 +1441,14 @@ mget(struct magic_set *ms, const unsigned char *s,
422     /* Verify we have enough data to match magic type */
423     switch (m->type) {
424     case FILE_BYTE:
425     - if (nbytes < (offset + 1)) /* should alway be true */
426     + if (OFFSET_OOB(nbytes, offset, 1))
427     return 0;
428     break;
429    
430     case FILE_SHORT:
431     case FILE_BESHORT:
432     case FILE_LESHORT:
433     - if (nbytes < (offset + 2))
434     + if (OFFSET_OOB(nbytes, offset, 2))
435     return 0;
436     break;
437    
438     @@ -1596,26 +1467,26 @@ mget(struct magic_set *ms, const unsigned char *s,
439     case FILE_FLOAT:
440     case FILE_BEFLOAT:
441     case FILE_LEFLOAT:
442     - if (nbytes < (offset + 4))
443     + if (OFFSET_OOB(nbytes, offset, 4))
444     return 0;
445     break;
446    
447     case FILE_DOUBLE:
448     case FILE_BEDOUBLE:
449     case FILE_LEDOUBLE:
450     - if (nbytes < (offset + 8))
451     + if (OFFSET_OOB(nbytes, offset, 8))
452     return 0;
453     break;
454    
455     case FILE_STRING:
456     case FILE_PSTRING:
457     case FILE_SEARCH:
458     - if (nbytes < (offset + m->vallen))
459     + if (OFFSET_OOB(nbytes, offset, m->vallen))
460     return 0;
461     break;
462    
463     case FILE_REGEX:
464     - if (nbytes < offset)
465     + if (nbytes < offset)
466     return 0;
467     break;
468    
469     @@ -1623,7 +1494,7 @@ mget(struct magic_set *ms, const unsigned char *s,
470     if ((ms->flags & (MAGIC_MIME|MAGIC_APPLE)) == 0 &&
471     file_printf(ms, m->desc) == -1)
472     return -1;
473     - if (nbytes < offset)
474     + if (nbytes < offset)
475     return 0;
476     return file_softmagic(ms, s + offset, nbytes - offset,
477     BINTEST);
admin@koozali.org
 ViewVC Help
Powered by ViewVC 1.2.1 RSS 2.0 feed