]> git.pld-linux.org Git - packages/php.git/blob - php-5.3.3-CVE-2014-2270.patch
projects / packages / php.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
- release 13 (by relup.sh)
[packages/php.git] / php-5.3.3-CVE-2014-2270.patch
1 diff --git a/src/softmagic.c b/src/softmagic.c
2 index 1f02fec..58a1cf7 100644
3 --- a/ext/fileinfo/libmagic/softmagic.c
4 +++ b/ext/fileinfo/libmagic/softmagic.c
5 @@ -87,6 +87,7 @@ private void cvt_16(union VALUETYPE *, const struct magic *);
6  private void cvt_32(union VALUETYPE *, const struct magic *);
7  private void cvt_64(union VALUETYPE *, const struct magic *);
8  
9 +#define OFFSET_OOB(n, o, i)    ((n) < (o) || (i) > ((n) - (o)))
10  /*
11   * softmagic - lookup one file in parsed, in-memory copy of database
12   * Passed the name and FILE * of one file to be typed.
13 @@ -1065,6 +1066,7 @@ mget(struct magic_set *ms, const unsigned char *s,
14  {
15         uint32_t offset = ms->offset;
16         uint32_t count = m->str_range;
17 +       uint32_t lhs;
18         union VALUETYPE *p = &ms->ms_value;
19  
20         if (mcopy(ms, p, m->type, m->flag & INDIR, s, offset, nbytes, count) == -1)
21 @@ -1116,7 +1118,7 @@ mget(struct magic_set *ms, const unsigned char *s,
22                 }
23                 switch (m->in_type) {
24                 case FILE_BYTE:
25 -                       if (nbytes < (offset + 1))
26 +                       if (OFFSET_OOB(nbytes, offset, 1))
27                                 return 0;
28                         if (off) {
29                                 switch (m->in_op & FILE_OPS_MASK) {
30 @@ -1151,111 +1153,79 @@ mget(struct magic_set *ms, const unsigned char *s,
31                                 offset = ~offset;
32                         break;
33                 case FILE_BESHORT:
34 -                       if (nbytes < (offset + 2))
35 +                       if (OFFSET_OOB(nbytes, offset, 2))
36                                 return 0;
37 +                       lhs = (p->hs[0] << 8) | p->hs[1];
38                         if (off) {
39                                 switch (m->in_op & FILE_OPS_MASK) {
40                                 case FILE_OPAND:
41 -                                       offset = (short)((p->hs[0]<<8)|
42 -                                                        (p->hs[1])) &
43 -                                                off;
44 +                                       offset = lhs & off;
45                                         break;
46                                 case FILE_OPOR:
47 -                                       offset = (short)((p->hs[0]<<8)|
48 -                                                        (p->hs[1])) |
49 -                                                off;
50 +                                       offset = lhs | off;
51                                         break;
52                                 case FILE_OPXOR:
53 -                                       offset = (short)((p->hs[0]<<8)|
54 -                                                        (p->hs[1])) ^
55 -                                                off;
56 +                                       offset = lhs ^ off;
57                                         break;
58                                 case FILE_OPADD:
59 -                                       offset = (short)((p->hs[0]<<8)|
60 -                                                        (p->hs[1])) +
61 -                                                off;
62 +                                       offset = lhs + off;
63                                         break;
64                                 case FILE_OPMINUS:
65 -                                       offset = (short)((p->hs[0]<<8)|
66 -                                                        (p->hs[1])) -
67 -                                                off;
68 +                                       offset = lhs - off;
69                                         break;
70                                 case FILE_OPMULTIPLY:
71 -                                       offset = (short)((p->hs[0]<<8)|
72 -                                                        (p->hs[1])) *
73 -                                                off;
74 +                                       offset = lhs * off;
75                                         break;
76                                 case FILE_OPDIVIDE:
77 -                                       offset = (short)((p->hs[0]<<8)|
78 -                                                        (p->hs[1])) /
79 -                                                off;
80 +                                       offset = lhs / off;
81                                         break;
82                                 case FILE_OPMODULO:
83 -                                       offset = (short)((p->hs[0]<<8)|
84 -                                                        (p->hs[1])) %
85 -                                                off;
86 +                                       offset = lhs % off;
87                                         break;
88                                 }
89                         } else
90 -                               offset = (short)((p->hs[0]<<8)|
91 -                                                (p->hs[1]));
92 +                               offset = lhs;
93                         if (m->in_op & FILE_OPINVERSE)
94                                 offset = ~offset;
95                         break;
96                 case FILE_LESHORT:
97 -                       if (nbytes < (offset + 2))
98 +                       if (OFFSET_OOB(nbytes, offset, 2))
99                                 return 0;
100 +                       lhs = (p->hs[1] << 8) | p->hs[0];
101                         if (off) {
102                                 switch (m->in_op & FILE_OPS_MASK) {
103                                 case FILE_OPAND:
104 -                                       offset = (short)((p->hs[1]<<8)|
105 -                                                        (p->hs[0])) &
106 -                                                off;
107 +                                       offset = lhs & off;
108                                         break;
109                                 case FILE_OPOR:
110 -                                       offset = (short)((p->hs[1]<<8)|
111 -                                                        (p->hs[0])) |
112 -                                                off;
113 +                                       offset = lhs | off;
114                                         break;
115                                 case FILE_OPXOR:
116 -                                       offset = (short)((p->hs[1]<<8)|
117 -                                                        (p->hs[0])) ^
118 -                                                off;
119 +                                       offset = lhs ^ off;
120                                         break;
121                                 case FILE_OPADD:
122 -                                       offset = (short)((p->hs[1]<<8)|
123 -                                                        (p->hs[0])) +
124 -                                                off;
125 +                                       offset = lhs + off;
126                                         break;
127                                 case FILE_OPMINUS:
128 -                                       offset = (short)((p->hs[1]<<8)|
129 -                                                        (p->hs[0])) -
130 -                                                off;
131 +                                       offset = lhs - off;
132                                         break;
133                                 case FILE_OPMULTIPLY:
134 -                                       offset = (short)((p->hs[1]<<8)|
135 -                                                        (p->hs[0])) *
136 -                                                off;
137 +                                       offset = lhs * off;
138                                         break;
139                                 case FILE_OPDIVIDE:
140 -                                       offset = (short)((p->hs[1]<<8)|
141 -                                                        (p->hs[0])) /
142 -                                                off;
143 +                                       offset = lhs / off;
144                                         break;
145                                 case FILE_OPMODULO:
146 -                                       offset = (short)((p->hs[1]<<8)|
147 -                                                        (p->hs[0])) %
148 -                                                off;
149 +                                       offset = lhs % off;
150                                         break;
151                                 }
152                         } else
153 -                               offset = (short)((p->hs[1]<<8)|
154 -                                                (p->hs[0]));
155 +                               offset = lhs;
156                         if (m->in_op & FILE_OPINVERSE)
157                                 offset = ~offset;
158                         break;
159                 case FILE_SHORT:
160 -                       if (nbytes < (offset + 2))
161 +                       if (OFFSET_OOB(nbytes, offset, 2))
162                                 return 0;
163                         if (off) {
164                                 switch (m->in_op & FILE_OPS_MASK) {
165 @@ -1292,218 +1262,119 @@ mget(struct magic_set *ms, const unsigned char *s,
166                         break;
167                 case FILE_BELONG:
168                 case FILE_BEID3:
169 -                       if (nbytes < (offset + 4))
170 +                       if (OFFSET_OOB(nbytes, offset, 4))
171                                 return 0;
172 +                       lhs = (p->hl[0] << 24) | (p->hl[1] << 16) |
173 +                           (p->hl[2] << 8) | p->hl[3];
174                         if (off) {
175                                 switch (m->in_op & FILE_OPS_MASK) {
176                                 case FILE_OPAND:
177 -                                       offset = (int32_t)((p->hl[0]<<24)|
178 -                                                        (p->hl[1]<<16)|
179 -                                                        (p->hl[2]<<8)|
180 -                                                        (p->hl[3])) &
181 -                                                off;
182 +                                       offset = lhs & off;
183                                         break;
184                                 case FILE_OPOR:
185 -                                       offset = (int32_t)((p->hl[0]<<24)|
186 -                                                        (p->hl[1]<<16)|
187 -                                                        (p->hl[2]<<8)|
188 -                                                        (p->hl[3])) |
189 -                                                off;
190 +                                       offset = lhs | off;
191                                         break;
192                                 case FILE_OPXOR:
193 -                                       offset = (int32_t)((p->hl[0]<<24)|
194 -                                                        (p->hl[1]<<16)|
195 -                                                        (p->hl[2]<<8)|
196 -                                                        (p->hl[3])) ^
197 -                                                off;
198 +                                       offset = lhs ^ off;
199                                         break;
200                                 case FILE_OPADD:
201 -                                       offset = (int32_t)((p->hl[0]<<24)|
202 -                                                        (p->hl[1]<<16)|
203 -                                                        (p->hl[2]<<8)|
204 -                                                        (p->hl[3])) +
205 -                                                off;
206 +                                       offset = lhs + off;
207                                         break;
208                                 case FILE_OPMINUS:
209 -                                       offset = (int32_t)((p->hl[0]<<24)|
210 -                                                        (p->hl[1]<<16)|
211 -                                                        (p->hl[2]<<8)|
212 -                                                        (p->hl[3])) -
213 -                                                off;
214 +                                       offset = lhs - off;
215                                         break;
216                                 case FILE_OPMULTIPLY:
217 -                                       offset = (int32_t)((p->hl[0]<<24)|
218 -                                                        (p->hl[1]<<16)|
219 -                                                        (p->hl[2]<<8)|
220 -                                                        (p->hl[3])) *
221 -                                                off;
222 +                                       offset = lhs * off;
223                                         break;
224                                 case FILE_OPDIVIDE:
225 -                                       offset = (int32_t)((p->hl[0]<<24)|
226 -                                                        (p->hl[1]<<16)|
227 -                                                        (p->hl[2]<<8)|
228 -                                                        (p->hl[3])) /
229 -                                                off;
230 +                                       offset = lhs / off;
231                                         break;
232                                 case FILE_OPMODULO:
233 -                                       offset = (int32_t)((p->hl[0]<<24)|
234 -                                                        (p->hl[1]<<16)|
235 -                                                        (p->hl[2]<<8)|
236 -                                                        (p->hl[3])) %
237 -                                                off;
238 +                                       offset = lhs % off;
239                                         break;
240                                 }
241                         } else
242 -                               offset = (int32_t)((p->hl[0]<<24)|
243 -                                                (p->hl[1]<<16)|
244 -                                                (p->hl[2]<<8)|
245 -                                                (p->hl[3]));
246 +                               offset = lhs;
247                         if (m->in_op & FILE_OPINVERSE)
248                                 offset = ~offset;
249                         break;
250                 case FILE_LELONG:
251                 case FILE_LEID3:
252 -                       if (nbytes < (offset + 4))
253 +                       if (OFFSET_OOB(nbytes, offset, 4))
254                                 return 0;
255 +                       lhs = (p->hl[3] << 24) | (p->hl[2] << 16) |
256 +                           (p->hl[1] << 8) | p->hl[0];
257                         if (off) {
258                                 switch (m->in_op & FILE_OPS_MASK) {
259                                 case FILE_OPAND:
260 -                                       offset = (int32_t)((p->hl[3]<<24)|
261 -                                                        (p->hl[2]<<16)|
262 -                                                        (p->hl[1]<<8)|
263 -                                                        (p->hl[0])) &
264 -                                                off;
265 +                                       offset = lhs & off;
266                                         break;
267                                 case FILE_OPOR:
268 -                                       offset = (int32_t)((p->hl[3]<<24)|
269 -                                                        (p->hl[2]<<16)|
270 -                                                        (p->hl[1]<<8)|
271 -                                                        (p->hl[0])) |
272 -                                                off;
273 +                                       offset = lhs | off;
274                                         break;
275                                 case FILE_OPXOR:
276 -                                       offset = (int32_t)((p->hl[3]<<24)|
277 -                                                        (p->hl[2]<<16)|
278 -                                                        (p->hl[1]<<8)|
279 -                                                        (p->hl[0])) ^
280 -                                                off;
281 +                                       offset = lhs ^ off;
282                                         break;
283                                 case FILE_OPADD:
284 -                                       offset = (int32_t)((p->hl[3]<<24)|
285 -                                                        (p->hl[2]<<16)|
286 -                                                        (p->hl[1]<<8)|
287 -                                                        (p->hl[0])) +
288 -                                                off;
289 +                                       offset = lhs + off;
290                                         break;
291                                 case FILE_OPMINUS:
292 -                                       offset = (int32_t)((p->hl[3]<<24)|
293 -                                                        (p->hl[2]<<16)|
294 -                                                        (p->hl[1]<<8)|
295 -                                                        (p->hl[0])) -
296 -                                                off;
297 +                                       offset = lhs - off;
298                                         break;
299                                 case FILE_OPMULTIPLY:
300 -                                       offset = (int32_t)((p->hl[3]<<24)|
301 -                                                        (p->hl[2]<<16)|
302 -                                                        (p->hl[1]<<8)|
303 -                                                        (p->hl[0])) *
304 -                                                off;
305 +                                       offset = lhs * off;
306                                         break;
307                                 case FILE_OPDIVIDE:
308 -                                       offset = (int32_t)((p->hl[3]<<24)|
309 -                                                        (p->hl[2]<<16)|
310 -                                                        (p->hl[1]<<8)|
311 -                                                        (p->hl[0])) /
312 -                                                off;
313 +                                       offset = lhs / off;
314                                         break;
315                                 case FILE_OPMODULO:
316 -                                       offset = (int32_t)((p->hl[3]<<24)|
317 -                                                        (p->hl[2]<<16)|
318 -                                                        (p->hl[1]<<8)|
319 -                                                        (p->hl[0])) %
320 -                                                off;
321 +                                       offset = lhs % off;
322                                         break;
323                                 }
324                         } else
325 -                               offset = (int32_t)((p->hl[3]<<24)|
326 -                                                (p->hl[2]<<16)|
327 -                                                (p->hl[1]<<8)|
328 -                                                (p->hl[0]));
329 +                               offset = lhs;
330                         if (m->in_op & FILE_OPINVERSE)
331                                 offset = ~offset;
332                         break;
333                 case FILE_MELONG:
334 -                       if (nbytes < (offset + 4))
335 +                       if (OFFSET_OOB(nbytes, offset, 4))
336                                 return 0;
337 +                       lhs = (p->hl[1] << 24) | (p->hl[0] << 16) |
338 +                           (p->hl[3] << 8) | p->hl[2];
339                         if (off) {
340                                 switch (m->in_op & FILE_OPS_MASK) {
341                                 case FILE_OPAND:
342 -                                       offset = (int32_t)((p->hl[1]<<24)|
343 -                                                        (p->hl[0]<<16)|
344 -                                                        (p->hl[3]<<8)|
345 -                                                        (p->hl[2])) &
346 -                                                off;
347 +                                       offset = lhs & off;
348                                         break;
349                                 case FILE_OPOR:
350 -                                       offset = (int32_t)((p->hl[1]<<24)|
351 -                                                        (p->hl[0]<<16)|
352 -                                                        (p->hl[3]<<8)|
353 -                                                        (p->hl[2])) |
354 -                                                off;
355 +                                       offset = lhs | off;
356                                         break;
357                                 case FILE_OPXOR:
358 -                                       offset = (int32_t)((p->hl[1]<<24)|
359 -                                                        (p->hl[0]<<16)|
360 -                                                        (p->hl[3]<<8)|
361 -                                                        (p->hl[2])) ^
362 -                                                off;
363 +                                       offset = lhs ^ off;
364                                         break;
365                                 case FILE_OPADD:
366 -                                       offset = (int32_t)((p->hl[1]<<24)|
367 -                                                        (p->hl[0]<<16)|
368 -                                                        (p->hl[3]<<8)|
369 -                                                        (p->hl[2])) +
370 -                                                off;
371 +                                       offset = lhs + off;
372                                         break;
373                                 case FILE_OPMINUS:
374 -                                       offset = (int32_t)((p->hl[1]<<24)|
375 -                                                        (p->hl[0]<<16)|
376 -                                                        (p->hl[3]<<8)|
377 -                                                        (p->hl[2])) -
378 -                                                off;
379 +                                       offset = lhs - off;
380                                         break;
381                                 case FILE_OPMULTIPLY:
382 -                                       offset = (int32_t)((p->hl[1]<<24)|
383 -                                                        (p->hl[0]<<16)|
384 -                                                        (p->hl[3]<<8)|
385 -                                                        (p->hl[2])) *
386 -                                                off;
387 +                                       offset = lhs * off;
388                                         break;
389                                 case FILE_OPDIVIDE:
390 -                                       offset = (int32_t)((p->hl[1]<<24)|
391 -                                                        (p->hl[0]<<16)|
392 -                                                        (p->hl[3]<<8)|
393 -                                                        (p->hl[2])) /
394 -                                                off;
395 +                                       offset = lhs / off;
396                                         break;
397                                 case FILE_OPMODULO:
398 -                                       offset = (int32_t)((p->hl[1]<<24)|
399 -                                                        (p->hl[0]<<16)|
400 -                                                        (p->hl[3]<<8)|
401 -                                                        (p->hl[2])) %
402 -                                                off;
403 +                                       offset = lhs % off;
404                                         break;
405                                 }
406                         } else
407 -                               offset = (int32_t)((p->hl[1]<<24)|
408 -                                                (p->hl[0]<<16)|
409 -                                                (p->hl[3]<<8)|
410 -                                                (p->hl[2]));
411 +                               offset = lhs;
412                         if (m->in_op & FILE_OPINVERSE)
413                                 offset = ~offset;
414                         break;
415                 case FILE_LONG:
416 -                       if (nbytes < (offset + 4))
417 +                       if (OFFSET_OOB(nbytes, offset, 4))
418                                 return 0;
419                         if (off) {
420                                 switch (m->in_op & FILE_OPS_MASK) {
421 @@ -1570,14 +1441,14 @@ mget(struct magic_set *ms, const unsigned char *s,
422         /* Verify we have enough data to match magic type */
423         switch (m->type) {
424         case FILE_BYTE:
425 -               if (nbytes < (offset + 1)) /* should alway be true */
426 +               if (OFFSET_OOB(nbytes, offset, 1))
427                         return 0;
428                 break;
429  
430         case FILE_SHORT:
431         case FILE_BESHORT:
432         case FILE_LESHORT:
433 -               if (nbytes < (offset + 2))
434 +               if (OFFSET_OOB(nbytes, offset, 2))
435                         return 0;
436                 break;
437  
438 @@ -1596,26 +1467,26 @@ mget(struct magic_set *ms, const unsigned char *s,
439         case FILE_FLOAT:
440         case FILE_BEFLOAT:
441         case FILE_LEFLOAT:
442 -               if (nbytes < (offset + 4))
443 +               if (OFFSET_OOB(nbytes, offset, 4))
444                         return 0;
445                 break;
446  
447         case FILE_DOUBLE:
448         case FILE_BEDOUBLE:
449         case FILE_LEDOUBLE:
450 -               if (nbytes < (offset + 8))
451 +               if (OFFSET_OOB(nbytes, offset, 8))
452                         return 0;
453                 break;
454  
455         case FILE_STRING:
456         case FILE_PSTRING:
457         case FILE_SEARCH:
458 -               if (nbytes < (offset + m->vallen))
459 +               if (OFFSET_OOB(nbytes, offset, m->vallen))
460                         return 0;
461                 break;
462  
463         case FILE_REGEX:
464 -               if (nbytes < offset)
465 +               if (nbytes < offset)
466                         return 0;
467                 break;
468  
469 @@ -1623,7 +1494,7 @@ mget(struct magic_set *ms, const unsigned char *s,
470                 if ((ms->flags & (MAGIC_MIME|MAGIC_APPLE)) == 0 &&
471                     file_printf(ms, m->desc) == -1)
472                         return -1;
473 -               if (nbytes < offset)
474 +               if (nbytes < offset)
475                         return 0;
476                 return file_softmagic(ms, s + offset, nbytes - offset,
477                     BINTEST);
PHP: Hypertext Preprocessor
This page took 0.135182 seconds and 3 git commands to generate.