/[smeserver]/rpms/php/sme8/php-5.3.3-CVE-2014-2270.patch
ViewVC logotype

Contents of /rpms/php/sme8/php-5.3.3-CVE-2014-2270.patch

Parent Directory Parent Directory | Revision Log Revision Log | View Revision Graph Revision Graph

Revision 1.1 - (show annotations) (download)
Thu Aug 7 07:05:52 2014 UTC (10 years, 3 months ago) by vip-ire
Branch: MAIN
CVS Tags: php-5_3_3-17_el5_sme, php-5_3_3-15_el5_sme, php-5_3_3-16_el5_sme, HEAD 
* Thu Aug 7 2014 Daniel Berteaud <daniel@firewall-services.com> - 5.3.3-15.sme
- Resync with upstream php53, which include (see [SME: 8515])
- core: type confusion issue in phpinfo(). CVE-2014-4721
- date: fix heap-based buffer over-read in DateInterval. CVE-2013-6712
- core: fix heap-based buffer overflow in DNS TXT record parsing.
  CVE-2014-4049
- core: unserialize() SPL ArrayObject / SPLObjectStorage type
  confusion flaw. CVE-2014-3515
- fileinfo: out-of-bounds memory access in fileinfo. CVE-2014-2270
- fileinfo: unrestricted recursion in handling of indirect type
  rules. CVE-2014-1943
- fileinfo: out of bounds read in CDF parser. CVE-2012-1571
- fileinfo: cdf_check_stream_offset boundary check. CVE-2014-3479
- fileinfo: cdf_count_chain insufficient boundary check. CVE-2014-3480
- fileinfo: cdf_unpack_summary_info() excessive looping
  DoS. CVE-2014-0237
- fileinfo: CDF property info parsing nelements infinite
  loop. CVE-2014-0238
1 diff --git a/src/softmagic.c b/src/softmagic.c
2 index 1f02fec..58a1cf7 100644
3 --- a/ext/fileinfo/libmagic/softmagic.c
4 +++ b/ext/fileinfo/libmagic/softmagic.c
5 @@ -87,6 +87,7 @@ private void cvt_16(union VALUETYPE *, const struct magic *);
6 private void cvt_32(union VALUETYPE *, const struct magic *);
7 private void cvt_64(union VALUETYPE *, const struct magic *);
8
9 +#define OFFSET_OOB(n, o, i) ((n) < (o) || (i) > ((n) - (o)))
10 /*
11 * softmagic - lookup one file in parsed, in-memory copy of database
12 * Passed the name and FILE * of one file to be typed.
13 @@ -1065,6 +1066,7 @@ mget(struct magic_set *ms, const unsigned char *s,
14 {
15 uint32_t offset = ms->offset;
16 uint32_t count = m->str_range;
17 + uint32_t lhs;
18 union VALUETYPE *p = &ms->ms_value;
19
20 if (mcopy(ms, p, m->type, m->flag & INDIR, s, offset, nbytes, count) == -1)
21 @@ -1116,7 +1118,7 @@ mget(struct magic_set *ms, const unsigned char *s,
22 }
23 switch (m->in_type) {
24 case FILE_BYTE:
25 - if (nbytes < (offset + 1))
26 + if (OFFSET_OOB(nbytes, offset, 1))
27 return 0;
28 if (off) {
29 switch (m->in_op & FILE_OPS_MASK) {
30 @@ -1151,111 +1153,79 @@ mget(struct magic_set *ms, const unsigned char *s,
31 offset = ~offset;
32 break;
33 case FILE_BESHORT:
34 - if (nbytes < (offset + 2))
35 + if (OFFSET_OOB(nbytes, offset, 2))
36 return 0;
37 + lhs = (p->hs[0] << 8) | p->hs[1];
38 if (off) {
39 switch (m->in_op & FILE_OPS_MASK) {
40 case FILE_OPAND:
41 - offset = (short)((p->hs[0]<<8)|
42 - (p->hs[1])) &
43 - off;
44 + offset = lhs & off;
45 break;
46 case FILE_OPOR:
47 - offset = (short)((p->hs[0]<<8)|
48 - (p->hs[1])) |
49 - off;
50 + offset = lhs | off;
51 break;
52 case FILE_OPXOR:
53 - offset = (short)((p->hs[0]<<8)|
54 - (p->hs[1])) ^
55 - off;
56 + offset = lhs ^ off;
57 break;
58 case FILE_OPADD:
59 - offset = (short)((p->hs[0]<<8)|
60 - (p->hs[1])) +
61 - off;
62 + offset = lhs + off;
63 break;
64 case FILE_OPMINUS:
65 - offset = (short)((p->hs[0]<<8)|
66 - (p->hs[1])) -
67 - off;
68 + offset = lhs - off;
69 break;
70 case FILE_OPMULTIPLY:
71 - offset = (short)((p->hs[0]<<8)|
72 - (p->hs[1])) *
73 - off;
74 + offset = lhs * off;
75 break;
76 case FILE_OPDIVIDE:
77 - offset = (short)((p->hs[0]<<8)|
78 - (p->hs[1])) /
79 - off;
80 + offset = lhs / off;
81 break;
82 case FILE_OPMODULO:
83 - offset = (short)((p->hs[0]<<8)|
84 - (p->hs[1])) %
85 - off;
86 + offset = lhs % off;
87 break;
88 }
89 } else
90 - offset = (short)((p->hs[0]<<8)|
91 - (p->hs[1]));
92 + offset = lhs;
93 if (m->in_op & FILE_OPINVERSE)
94 offset = ~offset;
95 break;
96 case FILE_LESHORT:
97 - if (nbytes < (offset + 2))
98 + if (OFFSET_OOB(nbytes, offset, 2))
99 return 0;
100 + lhs = (p->hs[1] << 8) | p->hs[0];
101 if (off) {
102 switch (m->in_op & FILE_OPS_MASK) {
103 case FILE_OPAND:
104 - offset = (short)((p->hs[1]<<8)|
105 - (p->hs[0])) &
106 - off;
107 + offset = lhs & off;
108 break;
109 case FILE_OPOR:
110 - offset = (short)((p->hs[1]<<8)|
111 - (p->hs[0])) |
112 - off;
113 + offset = lhs | off;
114 break;
115 case FILE_OPXOR:
116 - offset = (short)((p->hs[1]<<8)|
117 - (p->hs[0])) ^
118 - off;
119 + offset = lhs ^ off;
120 break;
121 case FILE_OPADD:
122 - offset = (short)((p->hs[1]<<8)|
123 - (p->hs[0])) +
124 - off;
125 + offset = lhs + off;
126 break;
127 case FILE_OPMINUS:
128 - offset = (short)((p->hs[1]<<8)|
129 - (p->hs[0])) -
130 - off;
131 + offset = lhs - off;
132 break;
133 case FILE_OPMULTIPLY:
134 - offset = (short)((p->hs[1]<<8)|
135 - (p->hs[0])) *
136 - off;
137 + offset = lhs * off;
138 break;
139 case FILE_OPDIVIDE:
140 - offset = (short)((p->hs[1]<<8)|
141 - (p->hs[0])) /
142 - off;
143 + offset = lhs / off;
144 break;
145 case FILE_OPMODULO:
146 - offset = (short)((p->hs[1]<<8)|
147 - (p->hs[0])) %
148 - off;
149 + offset = lhs % off;
150 break;
151 }
152 } else
153 - offset = (short)((p->hs[1]<<8)|
154 - (p->hs[0]));
155 + offset = lhs;
156 if (m->in_op & FILE_OPINVERSE)
157 offset = ~offset;
158 break;
159 case FILE_SHORT:
160 - if (nbytes < (offset + 2))
161 + if (OFFSET_OOB(nbytes, offset, 2))
162 return 0;
163 if (off) {
164 switch (m->in_op & FILE_OPS_MASK) {
165 @@ -1292,218 +1262,119 @@ mget(struct magic_set *ms, const unsigned char *s,
166 break;
167 case FILE_BELONG:
168 case FILE_BEID3:
169 - if (nbytes < (offset + 4))
170 + if (OFFSET_OOB(nbytes, offset, 4))
171 return 0;
172 + lhs = (p->hl[0] << 24) | (p->hl[1] << 16) |
173 + (p->hl[2] << 8) | p->hl[3];
174 if (off) {
175 switch (m->in_op & FILE_OPS_MASK) {
176 case FILE_OPAND:
177 - offset = (int32_t)((p->hl[0]<<24)|
178 - (p->hl[1]<<16)|
179 - (p->hl[2]<<8)|
180 - (p->hl[3])) &
181 - off;
182 + offset = lhs & off;
183 break;
184 case FILE_OPOR:
185 - offset = (int32_t)((p->hl[0]<<24)|
186 - (p->hl[1]<<16)|
187 - (p->hl[2]<<8)|
188 - (p->hl[3])) |
189 - off;
190 + offset = lhs | off;
191 break;
192 case FILE_OPXOR:
193 - offset = (int32_t)((p->hl[0]<<24)|
194 - (p->hl[1]<<16)|
195 - (p->hl[2]<<8)|
196 - (p->hl[3])) ^
197 - off;
198 + offset = lhs ^ off;
199 break;
200 case FILE_OPADD:
201 - offset = (int32_t)((p->hl[0]<<24)|
202 - (p->hl[1]<<16)|
203 - (p->hl[2]<<8)|
204 - (p->hl[3])) +
205 - off;
206 + offset = lhs + off;
207 break;
208 case FILE_OPMINUS:
209 - offset = (int32_t)((p->hl[0]<<24)|
210 - (p->hl[1]<<16)|
211 - (p->hl[2]<<8)|
212 - (p->hl[3])) -
213 - off;
214 + offset = lhs - off;
215 break;
216 case FILE_OPMULTIPLY:
217 - offset = (int32_t)((p->hl[0]<<24)|
218 - (p->hl[1]<<16)|
219 - (p->hl[2]<<8)|
220 - (p->hl[3])) *
221 - off;
222 + offset = lhs * off;
223 break;
224 case FILE_OPDIVIDE:
225 - offset = (int32_t)((p->hl[0]<<24)|
226 - (p->hl[1]<<16)|
227 - (p->hl[2]<<8)|
228 - (p->hl[3])) /
229 - off;
230 + offset = lhs / off;
231 break;
232 case FILE_OPMODULO:
233 - offset = (int32_t)((p->hl[0]<<24)|
234 - (p->hl[1]<<16)|
235 - (p->hl[2]<<8)|
236 - (p->hl[3])) %
237 - off;
238 + offset = lhs % off;
239 break;
240 }
241 } else
242 - offset = (int32_t)((p->hl[0]<<24)|
243 - (p->hl[1]<<16)|
244 - (p->hl[2]<<8)|
245 - (p->hl[3]));
246 + offset = lhs;
247 if (m->in_op & FILE_OPINVERSE)
248 offset = ~offset;
249 break;
250 case FILE_LELONG:
251 case FILE_LEID3:
252 - if (nbytes < (offset + 4))
253 + if (OFFSET_OOB(nbytes, offset, 4))
254 return 0;
255 + lhs = (p->hl[3] << 24) | (p->hl[2] << 16) |
256 + (p->hl[1] << 8) | p->hl[0];
257 if (off) {
258 switch (m->in_op & FILE_OPS_MASK) {
259 case FILE_OPAND:
260 - offset = (int32_t)((p->hl[3]<<24)|
261 - (p->hl[2]<<16)|
262 - (p->hl[1]<<8)|
263 - (p->hl[0])) &
264 - off;
265 + offset = lhs & off;
266 break;
267 case FILE_OPOR:
268 - offset = (int32_t)((p->hl[3]<<24)|
269 - (p->hl[2]<<16)|
270 - (p->hl[1]<<8)|
271 - (p->hl[0])) |
272 - off;
273 + offset = lhs | off;
274 break;
275 case FILE_OPXOR:
276 - offset = (int32_t)((p->hl[3]<<24)|
277 - (p->hl[2]<<16)|
278 - (p->hl[1]<<8)|
279 - (p->hl[0])) ^
280 - off;
281 + offset = lhs ^ off;
282 break;
283 case FILE_OPADD:
284 - offset = (int32_t)((p->hl[3]<<24)|
285 - (p->hl[2]<<16)|
286 - (p->hl[1]<<8)|
287 - (p->hl[0])) +
288 - off;
289 + offset = lhs + off;
290 break;
291 case FILE_OPMINUS:
292 - offset = (int32_t)((p->hl[3]<<24)|
293 - (p->hl[2]<<16)|
294 - (p->hl[1]<<8)|
295 - (p->hl[0])) -
296 - off;
297 + offset = lhs - off;
298 break;
299 case FILE_OPMULTIPLY:
300 - offset = (int32_t)((p->hl[3]<<24)|
301 - (p->hl[2]<<16)|
302 - (p->hl[1]<<8)|
303 - (p->hl[0])) *
304 - off;
305 + offset = lhs * off;
306 break;
307 case FILE_OPDIVIDE:
308 - offset = (int32_t)((p->hl[3]<<24)|
309 - (p->hl[2]<<16)|
310 - (p->hl[1]<<8)|
311 - (p->hl[0])) /
312 - off;
313 + offset = lhs / off;
314 break;
315 case FILE_OPMODULO:
316 - offset = (int32_t)((p->hl[3]<<24)|
317 - (p->hl[2]<<16)|
318 - (p->hl[1]<<8)|
319 - (p->hl[0])) %
320 - off;
321 + offset = lhs % off;
322 break;
323 }
324 } else
325 - offset = (int32_t)((p->hl[3]<<24)|
326 - (p->hl[2]<<16)|
327 - (p->hl[1]<<8)|
328 - (p->hl[0]));
329 + offset = lhs;
330 if (m->in_op & FILE_OPINVERSE)
331 offset = ~offset;
332 break;
333 case FILE_MELONG:
334 - if (nbytes < (offset + 4))
335 + if (OFFSET_OOB(nbytes, offset, 4))
336 return 0;
337 + lhs = (p->hl[1] << 24) | (p->hl[0] << 16) |
338 + (p->hl[3] << 8) | p->hl[2];
339 if (off) {
340 switch (m->in_op & FILE_OPS_MASK) {
341 case FILE_OPAND:
342 - offset = (int32_t)((p->hl[1]<<24)|
343 - (p->hl[0]<<16)|
344 - (p->hl[3]<<8)|
345 - (p->hl[2])) &
346 - off;
347 + offset = lhs & off;
348 break;
349 case FILE_OPOR:
350 - offset = (int32_t)((p->hl[1]<<24)|
351 - (p->hl[0]<<16)|
352 - (p->hl[3]<<8)|
353 - (p->hl[2])) |
354 - off;
355 + offset = lhs | off;
356 break;
357 case FILE_OPXOR:
358 - offset = (int32_t)((p->hl[1]<<24)|
359 - (p->hl[0]<<16)|
360 - (p->hl[3]<<8)|
361 - (p->hl[2])) ^
362 - off;
363 + offset = lhs ^ off;
364 break;
365 case FILE_OPADD:
366 - offset = (int32_t)((p->hl[1]<<24)|
367 - (p->hl[0]<<16)|
368 - (p->hl[3]<<8)|
369 - (p->hl[2])) +
370 - off;
371 + offset = lhs + off;
372 break;
373 case FILE_OPMINUS:
374 - offset = (int32_t)((p->hl[1]<<24)|
375 - (p->hl[0]<<16)|
376 - (p->hl[3]<<8)|
377 - (p->hl[2])) -
378 - off;
379 + offset = lhs - off;
380 break;
381 case FILE_OPMULTIPLY:
382 - offset = (int32_t)((p->hl[1]<<24)|
383 - (p->hl[0]<<16)|
384 - (p->hl[3]<<8)|
385 - (p->hl[2])) *
386 - off;
387 + offset = lhs * off;
388 break;
389 case FILE_OPDIVIDE:
390 - offset = (int32_t)((p->hl[1]<<24)|
391 - (p->hl[0]<<16)|
392 - (p->hl[3]<<8)|
393 - (p->hl[2])) /
394 - off;
395 + offset = lhs / off;
396 break;
397 case FILE_OPMODULO:
398 - offset = (int32_t)((p->hl[1]<<24)|
399 - (p->hl[0]<<16)|
400 - (p->hl[3]<<8)|
401 - (p->hl[2])) %
402 - off;
403 + offset = lhs % off;
404 break;
405 }
406 } else
407 - offset = (int32_t)((p->hl[1]<<24)|
408 - (p->hl[0]<<16)|
409 - (p->hl[3]<<8)|
410 - (p->hl[2]));
411 + offset = lhs;
412 if (m->in_op & FILE_OPINVERSE)
413 offset = ~offset;
414 break;
415 case FILE_LONG:
416 - if (nbytes < (offset + 4))
417 + if (OFFSET_OOB(nbytes, offset, 4))
418 return 0;
419 if (off) {
420 switch (m->in_op & FILE_OPS_MASK) {
421 @@ -1570,14 +1441,14 @@ mget(struct magic_set *ms, const unsigned char *s,
422 /* Verify we have enough data to match magic type */
423 switch (m->type) {
424 case FILE_BYTE:
425 - if (nbytes < (offset + 1)) /* should alway be true */
426 + if (OFFSET_OOB(nbytes, offset, 1))
427 return 0;
428 break;
429
430 case FILE_SHORT:
431 case FILE_BESHORT:
432 case FILE_LESHORT:
433 - if (nbytes < (offset + 2))
434 + if (OFFSET_OOB(nbytes, offset, 2))
435 return 0;
436 break;
437
438 @@ -1596,26 +1467,26 @@ mget(struct magic_set *ms, const unsigned char *s,
439 case FILE_FLOAT:
440 case FILE_BEFLOAT:
441 case FILE_LEFLOAT:
442 - if (nbytes < (offset + 4))
443 + if (OFFSET_OOB(nbytes, offset, 4))
444 return 0;
445 break;
446
447 case FILE_DOUBLE:
448 case FILE_BEDOUBLE:
449 case FILE_LEDOUBLE:
450 - if (nbytes < (offset + 8))
451 + if (OFFSET_OOB(nbytes, offset, 8))
452 return 0;
453 break;
454
455 case FILE_STRING:
456 case FILE_PSTRING:
457 case FILE_SEARCH:
458 - if (nbytes < (offset + m->vallen))
459 + if (OFFSET_OOB(nbytes, offset, m->vallen))
460 return 0;
461 break;
462
463 case FILE_REGEX:
464 - if (nbytes < offset)
465 + if (nbytes < offset)
466 return 0;
467 break;
468
469 @@ -1623,7 +1494,7 @@ mget(struct magic_set *ms, const unsigned char *s,
470 if ((ms->flags & (MAGIC_MIME|MAGIC_APPLE)) == 0 &&
471 file_printf(ms, m->desc) == -1)
472 return -1;
473 - if (nbytes < offset)
474 + if (nbytes < offset)
475 return 0;
476 return file_softmagic(ms, s + offset, nbytes - offset,
477 BINTEST);
admin@koozali.org
 ViewVC Help
Powered by ViewVC 1.2.1 RSS 2.0 feed