PHP bug #79283
From 6588f72593e0433f357af8bc3b0c0aad893d29c2 Mon Sep 17 00:00:00 2001 | |
From: "Christoph M. Becker" <cmbecker69@gmx.de> | |
Date: Mon, 2 Mar 2020 15:26:59 +0100 | |
Subject: [PATCH] Fix #79283: Segfault in libmagic patch contains a buffer | |
overflow | |
To solve this, we properly calculate the required string length upfront | |
instead of allocating an oversized string (`len * 4 + 4`). | |
--- | |
ext/fileinfo/libmagic.patch | 62 +++++++++++++++++++------------ | |
ext/fileinfo/libmagic/softmagic.c | 18 ++++++++- | |
ext/fileinfo/tests/bug79283.phpt | 22 +++++++++++ | |
3 files changed, 76 insertions(+), 26 deletions(-) | |
create mode 100644 ext/fileinfo/tests/bug79283.phpt | |
diff --git a/ext/fileinfo/libmagic.patch b/ext/fileinfo/libmagic.patch | |
index c3669d9d6e..c4728b94f8 100644 | |
--- a/ext/fileinfo/libmagic.patch | |
+++ b/ext/fileinfo/libmagic.patch | |
@@ -1,6 +1,6 @@ | |
diff -u libmagic.orig/apprentice.c libmagic/apprentice.c | |
--- libmagic.orig/apprentice.c 2019-02-20 03:35:27.000000000 +0100 | |
-+++ libmagic/apprentice.c 2020-03-02 15:04:23.670412600 +0100 | |
++++ libmagic/apprentice.c 2020-02-27 11:45:38.445854000 +0100 | |
@@ -29,6 +29,8 @@ | |
* apprentice - make one pass through /etc/magic, learning its secrets. | |
*/ | |
@@ -974,7 +974,7 @@ diff -u libmagic.orig/apprentice.c libmagic/apprentice.c | |
} | |
diff -u libmagic.orig/ascmagic.c libmagic/ascmagic.c | |
--- libmagic.orig/ascmagic.c 2019-05-07 04:27:11.000000000 +0200 | |
-+++ libmagic/ascmagic.c 2020-03-02 15:04:23.671413500 +0100 | |
++++ libmagic/ascmagic.c 2020-02-26 23:18:22.605400700 +0100 | |
@@ -96,7 +96,7 @@ | |
rv = file_ascmagic_with_encoding(ms, &bb, | |
ubuf, ulen, code, type, text); | |
@@ -1005,7 +1005,7 @@ diff -u libmagic.orig/ascmagic.c libmagic/ascmagic.c | |
} | |
diff -u libmagic.orig/buffer.c libmagic/buffer.c | |
--- libmagic.orig/buffer.c 2019-05-07 04:27:11.000000000 +0200 | |
-+++ libmagic/buffer.c 2020-03-02 15:04:23.672412500 +0100 | |
++++ libmagic/buffer.c 2020-02-27 11:45:38.445854000 +0100 | |
@@ -31,19 +31,23 @@ | |
#endif /* lint */ | |
@@ -1062,7 +1062,7 @@ diff -u libmagic.orig/buffer.c libmagic/buffer.c | |
diff -u libmagic.orig/cdf.c libmagic/cdf.c | |
--- libmagic.orig/cdf.c 2019-02-20 03:35:27.000000000 +0100 | |
-+++ libmagic/cdf.c 2020-03-02 15:04:23.674415200 +0100 | |
++++ libmagic/cdf.c 2020-02-27 11:45:38.445854000 +0100 | |
@@ -43,7 +43,17 @@ | |
#include <err.h> | |
#endif | |
@@ -1341,7 +1341,7 @@ diff -u libmagic.orig/cdf.c libmagic/cdf.c | |
#endif | |
diff -u libmagic.orig/cdf.h libmagic/cdf.h | |
--- libmagic.orig/cdf.h 2019-02-20 02:24:19.000000000 +0100 | |
-+++ libmagic/cdf.h 2020-03-02 15:04:23.675416900 +0100 | |
++++ libmagic/cdf.h 2020-02-27 11:45:38.445854000 +0100 | |
@@ -35,10 +35,10 @@ | |
#ifndef _H_CDF_ | |
#define _H_CDF_ | |
@@ -1366,7 +1366,7 @@ diff -u libmagic.orig/cdf.h libmagic/cdf.h | |
#define CDF_SECID_FREE -1 | |
diff -u libmagic.orig/cdf_time.c libmagic/cdf_time.c | |
--- libmagic.orig/cdf_time.c 2019-03-12 21:43:05.000000000 +0100 | |
-+++ libmagic/cdf_time.c 2020-03-02 15:04:23.676413000 +0100 | |
++++ libmagic/cdf_time.c 2020-02-26 23:18:22.611402900 +0100 | |
@@ -23,6 +23,7 @@ | |
* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE | |
* POSSIBILITY OF SUCH DAMAGE. | |
@@ -1395,7 +1395,7 @@ diff -u libmagic.orig/cdf_time.c libmagic/cdf_time.c | |
(void)snprintf(buf, 26, "*Bad* %#16.16" INT64_T_FORMAT "x\n", | |
diff -u libmagic.orig/compress.c libmagic/compress.c | |
--- libmagic.orig/compress.c 2019-05-07 04:27:11.000000000 +0200 | |
-+++ libmagic/compress.c 2020-03-02 15:04:23.676413000 +0100 | |
++++ libmagic/compress.c 2020-02-27 11:45:38.445854000 +0100 | |
@@ -45,13 +45,11 @@ | |
#endif | |
#include <string.h> | |
@@ -1545,7 +1545,7 @@ diff -u libmagic.orig/compress.c libmagic/compress.c | |
+#endif | |
diff -u libmagic.orig/der.c libmagic/der.c | |
--- libmagic.orig/der.c 2019-02-20 03:35:27.000000000 +0100 | |
-+++ libmagic/der.c 2020-03-02 15:04:23.677412900 +0100 | |
++++ libmagic/der.c 2020-02-27 11:45:38.445854000 +0100 | |
@@ -51,7 +51,9 @@ | |
#include "magic.h" | |
#include "der.h" | |
@@ -1575,7 +1575,7 @@ diff -u libmagic.orig/der.c libmagic/der.c | |
snprintf(buf + z, blen - z, "%.2x", d[i]); | |
diff -u libmagic.orig/elfclass.h libmagic/elfclass.h | |
--- libmagic.orig/elfclass.h 2019-02-20 02:30:19.000000000 +0100 | |
-+++ libmagic/elfclass.h 2020-03-02 15:04:23.679414300 +0100 | |
++++ libmagic/elfclass.h 2020-02-26 23:18:22.613401700 +0100 | |
@@ -41,7 +41,7 @@ | |
return toomany(ms, "program headers", phnum); | |
flags |= FLAGS_IS_CORE; | |
@@ -1605,7 +1605,7 @@ diff -u libmagic.orig/elfclass.h libmagic/elfclass.h | |
CAST(int, elf_getu16(swap, elfhdr.e_shstrndx)), | |
diff -u libmagic.orig/encoding.c libmagic/encoding.c | |
--- libmagic.orig/encoding.c 2019-04-15 18:48:41.000000000 +0200 | |
-+++ libmagic/encoding.c 2020-03-02 15:04:23.680413600 +0100 | |
++++ libmagic/encoding.c 2020-02-26 23:18:22.614402300 +0100 | |
@@ -89,13 +89,13 @@ | |
*code_mime = "binary"; | |
@@ -1636,7 +1636,7 @@ diff -u libmagic.orig/encoding.c libmagic/encoding.c | |
} | |
diff -u libmagic.orig/file.h libmagic/file.h | |
--- libmagic.orig/file.h 2019-05-07 04:27:11.000000000 +0200 | |
-+++ libmagic/file.h 2020-03-02 15:04:23.682414300 +0100 | |
++++ libmagic/file.h 2020-02-27 11:45:38.445854000 +0100 | |
@@ -33,18 +33,9 @@ | |
#ifndef __file_h__ | |
#define __file_h__ | |
@@ -1923,7 +1923,7 @@ diff -u libmagic.orig/file.h libmagic/file.h | |
#endif | |
diff -u libmagic.orig/fsmagic.c libmagic/fsmagic.c | |
--- libmagic.orig/fsmagic.c 2019-05-07 04:26:48.000000000 +0200 | |
-+++ libmagic/fsmagic.c 2020-03-02 15:04:23.683417500 +0100 | |
++++ libmagic/fsmagic.c 2020-02-26 23:18:22.616403500 +0100 | |
@@ -66,26 +66,10 @@ | |
# define minor(dev) ((dev) & 0xff) | |
#endif | |
@@ -2216,7 +2216,7 @@ diff -u libmagic.orig/fsmagic.c libmagic/fsmagic.c | |
case S_IFSOCK: | |
diff -u libmagic.orig/funcs.c libmagic/funcs.c | |
--- libmagic.orig/funcs.c 2019-05-07 04:27:11.000000000 +0200 | |
-+++ libmagic/funcs.c 2020-03-02 15:04:23.684415800 +0100 | |
++++ libmagic/funcs.c 2020-02-27 11:45:38.445854000 +0100 | |
@@ -31,7 +31,6 @@ | |
#endif /* lint */ | |
@@ -2572,7 +2572,7 @@ diff -u libmagic.orig/funcs.c libmagic/funcs.c | |
diff -u libmagic.orig/magic.c libmagic/magic.c | |
--- libmagic.orig/magic.c 2019-05-07 04:27:11.000000000 +0200 | |
-+++ libmagic/magic.c 2020-03-02 15:04:23.686413600 +0100 | |
++++ libmagic/magic.c 2020-02-26 23:18:22.621402800 +0100 | |
@@ -25,11 +25,6 @@ | |
* SUCH DAMAGE. | |
*/ | |
@@ -3036,8 +3036,8 @@ diff -u libmagic.orig/magic.c libmagic/magic.c | |
public const char * | |
magic_error(struct magic_set *ms) | |
diff -u libmagic.orig/magic.h libmagic/magic.h | |
---- libmagic.orig/magic.h 2020-03-02 15:06:39.235737800 +0100 | |
-+++ libmagic/magic.h 2020-03-02 15:04:23.686413600 +0100 | |
+--- libmagic.orig/magic.h 2020-03-02 15:24:27.253951700 +0100 | |
++++ libmagic/magic.h 2020-02-26 23:18:22.622402300 +0100 | |
@@ -124,6 +124,7 @@ | |
const char *magic_getpath(const char *, int); | |
@@ -3048,7 +3048,7 @@ diff -u libmagic.orig/magic.h libmagic/magic.h | |
diff -u libmagic.orig/print.c libmagic/print.c | |
--- libmagic.orig/print.c 2019-03-12 21:43:05.000000000 +0100 | |
-+++ libmagic/print.c 2020-03-02 15:04:23.688414000 +0100 | |
++++ libmagic/print.c 2020-02-26 23:18:22.625401800 +0100 | |
@@ -28,6 +28,7 @@ | |
/* | |
* print.c - debugging printout routines | |
@@ -3122,7 +3122,7 @@ diff -u libmagic.orig/print.c libmagic/print.c | |
goto out; | |
diff -u libmagic.orig/readcdf.c libmagic/readcdf.c | |
--- libmagic.orig/readcdf.c 2019-03-12 21:43:05.000000000 +0100 | |
-+++ libmagic/readcdf.c 2020-03-02 15:04:23.689414500 +0100 | |
++++ libmagic/readcdf.c 2020-02-27 11:45:38.445854000 +0100 | |
@@ -31,7 +31,11 @@ | |
#include <assert.h> | |
@@ -3241,7 +3241,7 @@ diff -u libmagic.orig/readcdf.c libmagic/readcdf.c | |
if (i != -1) | |
diff -u libmagic.orig/softmagic.c libmagic/softmagic.c | |
--- libmagic.orig/softmagic.c 2019-05-17 04:24:59.000000000 +0200 | |
-+++ libmagic/softmagic.c 2020-03-02 15:04:23.690413500 +0100 | |
++++ libmagic/softmagic.c 2020-03-02 15:23:10.176763300 +0100 | |
@@ -43,6 +43,10 @@ | |
#include <time.h> | |
#include "der.h" | |
@@ -3414,18 +3414,32 @@ diff -u libmagic.orig/softmagic.c libmagic/softmagic.c | |
return rv; | |
case FILE_USE: | |
-@@ -1926,6 +1904,47 @@ | |
+@@ -1926,6 +1904,61 @@ | |
return file_strncmp(a, b, len, flags); | |
} | |
+public void | |
+convert_libmagic_pattern(zval *pattern, char *val, size_t len, uint32_t options) | |
+{ | |
-+ int i, j=0; | |
++ int i, j; | |
+ zend_string *t; | |
+ | |
-+ t = zend_string_alloc(len * 2 + 4, 0); | |
++ for (i = j = 0; i < len; i++) { | |
++ switch (val[i]) { | |
++ case '~': | |
++ j += 2; | |
++ break; | |
++ case '\0': | |
++ j += 4; | |
++ break; | |
++ default: | |
++ j++; | |
++ break; | |
++ } | |
++ } | |
++ t = zend_string_alloc(j + 4, 0); | |
+ | |
++ j = 0; | |
+ ZSTR_VAL(t)[j++] = '~'; | |
+ | |
+ for (i = 0; i < len; i++, j++) { | |
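Review bot: The counters `i` and `j` remain `int` while `len` is a `size_t`, so `i < len` is a signed/unsigned comparison and `j`, which now grows by up to four per input byte, can overflow (undefined behaviour for a signed type) once a pattern approaches INT_MAX/4 bytes; a wrapped `j` would reach `zend_string_alloc(j + 4, 0)` and reintroduce an undersized buffer, the very class of bug this commit fixes, although the `int` for `i` is pre-existing rather than new. Declaring both as `size_t i, j;` removes both issues and matches the type of `len`. The sizing pass reserves two bytes for `'~'` and four for `'\0'`, which presumably mirrors what the emitting loop writes, but that loop continues outside the hunk so the correspondence cannot be checked here; a comment above the switch such as `/* must agree with the escaping performed by the loop below */` would make the coupling explicit. The same change is repeated in the ext/fileinfo/libmagic/softmagic.c hunk, where the same remarks apply. convert_libmagic_pattern's body runs past the end of this hunk.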
@@ -3462,7 +3476,7 @@ diff -u libmagic.orig/softmagic.c libmagic/softmagic.c | |
private int | |
magiccheck(struct magic_set *ms, struct magic *m) | |
{ | |
-@@ -2104,65 +2123,77 @@ | |
+@@ -2104,65 +2137,77 @@ | |
break; | |
} | |
case FILE_REGEX: { | |
@@ -3594,7 +3608,7 @@ diff -u libmagic.orig/softmagic.c libmagic/softmagic.c | |
case FILE_INDIRECT: | |
diff -u libmagic.orig/strcasestr.c libmagic/strcasestr.c | |
--- libmagic.orig/strcasestr.c 2014-09-11 17:05:33.000000000 +0200 | |
-+++ libmagic/strcasestr.c 2019-04-02 11:56:06.853152400 +0200 | |
++++ libmagic/strcasestr.c 2019-11-29 08:49:38.434136600 +0100 | |
@@ -39,6 +39,8 @@ | |
#include "file.h" | |
diff --git a/ext/fileinfo/libmagic/softmagic.c b/ext/fileinfo/libmagic/softmagic.c | |
index 2b6d764291..d71801cea5 100644 | |
--- a/ext/fileinfo/libmagic/softmagic.c | |
+++ b/ext/fileinfo/libmagic/softmagic.c | |
@@ -1907,11 +1907,25 @@ file_strncmp16(const char *a, const char *b, size_t len, uint32_t flags) | |
public void | |
convert_libmagic_pattern(zval *pattern, char *val, size_t len, uint32_t options) | |
{ | |
- int i, j=0; | |
+ int i, j; | |
zend_string *t; | |
- t = zend_string_alloc(len * 2 + 4, 0); | |
+ for (i = j = 0; i < len; i++) { | |
+ switch (val[i]) { | |
+ case '~': | |
+ j += 2; | |
+ break; | |
+ case '\0': | |
+ j += 4; | |
+ break; | |
+ default: | |
+ j++; | |
+ break; | |
+ } | |
+ } | |
+ t = zend_string_alloc(j + 4, 0); | |
+ j = 0; | |
ZSTR_VAL(t)[j++] = '~'; | |
for (i = 0; i < len; i++, j++) { | |
diff --git a/ext/fileinfo/tests/bug79283.phpt b/ext/fileinfo/tests/bug79283.phpt | |
new file mode 100644 | |
index 0000000000..b32351bfb8 | |
--- /dev/null | |
+++ b/ext/fileinfo/tests/bug79283.phpt | |
@@ -0,0 +1,22 @@ | |
+--TEST-- | |
+Bug #79283 (Segfault in libmagic patch contains a buffer overflow) | |
+--SKIPIF-- | |
+<?php | |
+if (!extension_loaded('fileinfo')) die('skip fileinfo extension not available'); | |
+?> | |
+--FILE-- | |
+<?php | |
+$magic_file = __DIR__ . '/bug79283.db'; | |
+file_put_contents($magic_file, " | |
+0 regex \\0\\0\\0\\0 Test | |
+"); | |
+ | |
+$finfo = new finfo(FILEINFO_NONE, $magic_file); | |
+var_dump($finfo->buffer("buffer\n")); | |
+?> | |
+--CLEAN-- | |
+<?php | |
+unlink(__DIR__ . '/bug79283.db'); | |
+?> | |
+--EXPECT-- | |
+string(10) "ASCII text" | |
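Review bot: The regression test exercises only the `'\0'` branch of the new length computation (the four `\\0` escapes on the `regex` line), so the `'~'` branch that reserves two bytes per tilde has no coverage. Adding a second `regex` line whose pattern contains a `~`, with the expected output adjusted accordingly, would cover both cases of the switch in the same test. The test writes and unlinks its magic file under `__DIR__`, which is consistent with the other sections of the file.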
-- | |
2.25.1.windows.1 | |