From: Christoph M. Becker Date: Mon, 2 Mar 2020 14:26:59 +0000 (+0100) Subject: Fix #79283: Segfault in libmagic patch contains a buffer overflow X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=7702b693b5a40af433797cbbe80f7f9f504a468a;p=php Fix #79283: Segfault in libmagic patch contains a buffer overflow To solve this, we properly calculate the required string length upfront instead of allocating an oversized string (`len * 4 + 4`). --- diff --git a/ext/fileinfo/libmagic.patch b/ext/fileinfo/libmagic.patch index c3669d9d6e..c4728b94f8 100644 --- a/ext/fileinfo/libmagic.patch +++ b/ext/fileinfo/libmagic.patch @@ -1,6 +1,6 @@ diff -u libmagic.orig/apprentice.c libmagic/apprentice.c --- libmagic.orig/apprentice.c 2019-02-20 03:35:27.000000000 +0100 -+++ libmagic/apprentice.c 2020-03-02 15:04:23.670412600 +0100 ++++ libmagic/apprentice.c 2020-02-27 11:45:38.445854000 +0100 @@ -29,6 +29,8 @@ * apprentice - make one pass through /etc/magic, learning its secrets. */ @@ -974,7 +974,7 @@ diff -u libmagic.orig/apprentice.c libmagic/apprentice.c } diff -u libmagic.orig/ascmagic.c libmagic/ascmagic.c --- libmagic.orig/ascmagic.c 2019-05-07 04:27:11.000000000 +0200 -+++ libmagic/ascmagic.c 2020-03-02 15:04:23.671413500 +0100 ++++ libmagic/ascmagic.c 2020-02-26 23:18:22.605400700 +0100 @@ -96,7 +96,7 @@ rv = file_ascmagic_with_encoding(ms, &bb, ubuf, ulen, code, type, text); @@ -1005,7 +1005,7 @@ diff -u libmagic.orig/ascmagic.c libmagic/ascmagic.c } diff -u libmagic.orig/buffer.c libmagic/buffer.c --- libmagic.orig/buffer.c 2019-05-07 04:27:11.000000000 +0200 -+++ libmagic/buffer.c 2020-03-02 15:04:23.672412500 +0100 ++++ libmagic/buffer.c 2020-02-27 11:45:38.445854000 +0100 @@ -31,19 +31,23 @@ #endif /* lint */ 
@@ -1062,7 +1062,7 @@ diff -u libmagic.orig/buffer.c libmagic/buffer.c diff -u libmagic.orig/cdf.c libmagic/cdf.c --- libmagic.orig/cdf.c 2019-02-20 03:35:27.000000000 +0100 -+++ libmagic/cdf.c 2020-03-02 15:04:23.674415200 +0100 ++++ libmagic/cdf.c 2020-02-27 11:45:38.445854000 +0100 @@ -43,7 +43,17 @@ #include #endif @@ -1341,7 +1341,7 @@ diff -u libmagic.orig/cdf.c libmagic/cdf.c #endif diff -u libmagic.orig/cdf.h libmagic/cdf.h --- libmagic.orig/cdf.h 2019-02-20 02:24:19.000000000 +0100 -+++ libmagic/cdf.h 2020-03-02 15:04:23.675416900 +0100 ++++ libmagic/cdf.h 2020-02-27 11:45:38.445854000 +0100 @@ -35,10 +35,10 @@ #ifndef _H_CDF_ #define _H_CDF_ @@ -1366,7 +1366,7 @@ diff -u libmagic.orig/cdf.h libmagic/cdf.h #define CDF_SECID_FREE -1 diff -u libmagic.orig/cdf_time.c libmagic/cdf_time.c --- libmagic.orig/cdf_time.c 2019-03-12 21:43:05.000000000 +0100 -+++ libmagic/cdf_time.c 2020-03-02 15:04:23.676413000 +0100 ++++ libmagic/cdf_time.c 2020-02-26 23:18:22.611402900 +0100 @@ -23,6 +23,7 @@ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE * POSSIBILITY OF SUCH DAMAGE. @@ -1395,7 +1395,7 @@ diff -u libmagic.orig/cdf_time.c libmagic/cdf_time.c (void)snprintf(buf, 26, "*Bad* %#16.16" INT64_T_FORMAT "x\n", diff -u libmagic.orig/compress.c libmagic/compress.c --- libmagic.orig/compress.c 2019-05-07 04:27:11.000000000 +0200 -+++ libmagic/compress.c 2020-03-02 15:04:23.676413000 +0100 ++++ libmagic/compress.c 2020-02-27 11:45:38.445854000 +0100 @@ -45,13 +45,11 @@ #endif #include @@ -1545,7 +1545,7 @@ diff -u libmagic.orig/compress.c libmagic/compress.c +#endif diff -u libmagic.orig/der.c libmagic/der.c --- libmagic.orig/der.c 2019-02-20 03:35:27.000000000 +0100 -+++ libmagic/der.c 2020-03-02 15:04:23.677412900 +0100 ++++ libmagic/der.c 2020-02-27 11:45:38.445854000 +0100 @@ -51,7 +51,9 @@ #include "magic.h" #include "der.h" 
@@ -1575,7 +1575,7 @@ diff -u libmagic.orig/der.c libmagic/der.c snprintf(buf + z, blen - z, "%.2x", d[i]); diff -u libmagic.orig/elfclass.h libmagic/elfclass.h --- libmagic.orig/elfclass.h 2019-02-20 02:30:19.000000000 +0100 -+++ libmagic/elfclass.h 2020-03-02 15:04:23.679414300 +0100 ++++ libmagic/elfclass.h 2020-02-26 23:18:22.613401700 +0100 @@ -41,7 +41,7 @@ return toomany(ms, "program headers", phnum); flags |= FLAGS_IS_CORE; @@ -1605,7 +1605,7 @@ diff -u libmagic.orig/elfclass.h libmagic/elfclass.h CAST(int, elf_getu16(swap, elfhdr.e_shstrndx)), diff -u libmagic.orig/encoding.c libmagic/encoding.c --- libmagic.orig/encoding.c 2019-04-15 18:48:41.000000000 +0200 -+++ libmagic/encoding.c 2020-03-02 15:04:23.680413600 +0100 ++++ libmagic/encoding.c 2020-02-26 23:18:22.614402300 +0100 @@ -89,13 +89,13 @@ *code_mime = "binary"; @@ -1636,7 +1636,7 @@ diff -u libmagic.orig/encoding.c libmagic/encoding.c } diff -u libmagic.orig/file.h libmagic/file.h --- libmagic.orig/file.h 2019-05-07 04:27:11.000000000 +0200 -+++ libmagic/file.h 2020-03-02 15:04:23.682414300 +0100 ++++ libmagic/file.h 2020-02-27 11:45:38.445854000 +0100 @@ -33,18 +33,9 @@ #ifndef __file_h__ #define __file_h__ @@ -1923,7 +1923,7 @@ diff -u libmagic.orig/file.h libmagic/file.h #endif diff -u libmagic.orig/fsmagic.c libmagic/fsmagic.c --- libmagic.orig/fsmagic.c 2019-05-07 04:26:48.000000000 +0200 -+++ libmagic/fsmagic.c 2020-03-02 15:04:23.683417500 +0100 ++++ libmagic/fsmagic.c 2020-02-26 23:18:22.616403500 +0100 @@ -66,26 +66,10 @@ # define minor(dev) ((dev) & 0xff) #endif @@ -2216,7 +2216,7 @@ diff -u libmagic.orig/fsmagic.c libmagic/fsmagic.c case S_IFSOCK: diff -u libmagic.orig/funcs.c libmagic/funcs.c --- libmagic.orig/funcs.c 2019-05-07 04:27:11.000000000 +0200 -+++ libmagic/funcs.c 2020-03-02 15:04:23.684415800 +0100 ++++ libmagic/funcs.c 2020-02-27 11:45:38.445854000 +0100 @@ -31,7 +31,6 @@ #endif /* lint */ 
@@ -2572,7 +2572,7 @@ diff -u libmagic.orig/funcs.c libmagic/funcs.c diff -u libmagic.orig/magic.c libmagic/magic.c --- libmagic.orig/magic.c 2019-05-07 04:27:11.000000000 +0200 -+++ libmagic/magic.c 2020-03-02 15:04:23.686413600 +0100 ++++ libmagic/magic.c 2020-02-26 23:18:22.621402800 +0100 @@ -25,11 +25,6 @@ * SUCH DAMAGE. */ @@ -3036,8 +3036,8 @@ diff -u libmagic.orig/magic.c libmagic/magic.c public const char * magic_error(struct magic_set *ms) diff -u libmagic.orig/magic.h libmagic/magic.h ---- libmagic.orig/magic.h 2020-03-02 15:06:39.235737800 +0100 -+++ libmagic/magic.h 2020-03-02 15:04:23.686413600 +0100 +--- libmagic.orig/magic.h 2020-03-02 15:24:27.253951700 +0100 ++++ libmagic/magic.h 2020-02-26 23:18:22.622402300 +0100 @@ -124,6 +124,7 @@ const char *magic_getpath(const char *, int); @@ -3048,7 +3048,7 @@ diff -u libmagic.orig/magic.h libmagic/magic.h diff -u libmagic.orig/print.c libmagic/print.c --- libmagic.orig/print.c 2019-03-12 21:43:05.000000000 +0100 -+++ libmagic/print.c 2020-03-02 15:04:23.688414000 +0100 ++++ libmagic/print.c 2020-02-26 23:18:22.625401800 +0100 @@ -28,6 +28,7 @@ /* * print.c - debugging printout routines @@ -3122,7 +3122,7 @@ diff -u libmagic.orig/print.c libmagic/print.c goto out; diff -u libmagic.orig/readcdf.c libmagic/readcdf.c --- libmagic.orig/readcdf.c 2019-03-12 21:43:05.000000000 +0100 -+++ libmagic/readcdf.c 2020-03-02 15:04:23.689414500 +0100 ++++ libmagic/readcdf.c 2020-02-27 11:45:38.445854000 +0100 @@ -31,7 +31,11 @@ #include @@ -3241,7 +3241,7 @@ diff -u libmagic.orig/readcdf.c libmagic/readcdf.c if (i != -1) diff -u libmagic.orig/softmagic.c libmagic/softmagic.c --- libmagic.orig/softmagic.c 2019-05-17 04:24:59.000000000 +0200 -+++ libmagic/softmagic.c 2020-03-02 15:04:23.690413500 +0100 ++++ libmagic/softmagic.c 2020-03-02 15:23:10.176763300 +0100 @@ -43,6 +43,10 @@ #include #include "der.h" 
@@ -3414,18 +3414,32 @@ diff -u libmagic.orig/softmagic.c libmagic/softmagic.c return rv; case FILE_USE: -@@ -1926,6 +1904,47 @@ +@@ -1926,6 +1904,61 @@ return file_strncmp(a, b, len, flags); } +public void +convert_libmagic_pattern(zval *pattern, char *val, size_t len, uint32_t options) +{ -+ int i, j=0; ++ int i, j; + zend_string *t; + -+ t = zend_string_alloc(len * 2 + 4, 0); ++ for (i = j = 0; i < len; i++) { ++ switch (val[i]) { ++ case '~': ++ j += 2; ++ break; ++ case '\0': ++ j += 4; ++ break; ++ default: ++ j++; ++ break; ++ } ++ } ++ t = zend_string_alloc(j + 4, 0); + ++ j = 0; + ZSTR_VAL(t)[j++] = '~'; + + for (i = 0; i < len; i++, j++) { @@ -3462,7 +3476,7 @@ diff -u libmagic.orig/softmagic.c libmagic/softmagic.c private int magiccheck(struct magic_set *ms, struct magic *m) { -@@ -2104,65 +2123,77 @@ +@@ -2104,65 +2137,77 @@ break; } case FILE_REGEX: { @@ -3594,7 +3608,7 @@ diff -u libmagic.orig/softmagic.c libmagic/softmagic.c case FILE_INDIRECT: diff -u libmagic.orig/strcasestr.c libmagic/strcasestr.c --- libmagic.orig/strcasestr.c 2014-09-11 17:05:33.000000000 +0200 -+++ libmagic/strcasestr.c 2019-04-02 11:56:06.853152400 +0200 ++++ libmagic/strcasestr.c 2019-11-29 08:49:38.434136600 +0100 @@ -39,6 +39,8 @@ #include "file.h" diff --git a/ext/fileinfo/libmagic/softmagic.c b/ext/fileinfo/libmagic/softmagic.c index 2b6d764291..d71801cea5 100644 --- a/ext/fileinfo/libmagic/softmagic.c +++ b/ext/fileinfo/libmagic/softmagic.c @@ -1907,11 +1907,25 @@ file_strncmp16(const char *a, const char *b, size_t len, uint32_t flags) public void convert_libmagic_pattern(zval *pattern, char *val, size_t len, uint32_t options) { - int i, j=0; + int i, j; zend_string *t; - t = zend_string_alloc(len * 2 + 4, 0); + for (i = j = 0; i < len; i++) { + switch (val[i]) { + case '~': + j += 2; + break; + case '\0': + j += 4; + break; + default: + j++; + break; + } + } + t = zend_string_alloc(j + 4, 0); + j = 0; ZSTR_VAL(t)[j++] = '~'; for (i = 0; i < len; i++, j++) { 
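Review bot: The new counting loop `for (i = j = 0; i < len; i++)` compares the `int` index against the `size_t len` parameter, so the comparison is performed unsigned and both `i` and the byte budget `j` (which can reach four times `len`) would overflow on a very long pattern; replacing `int i, j;` with `size_t i, j;` removes the mixed-sign comparison and the overflow and also covers the second loop, whose body continues past the end of the hunk. The `+ 4` in `zend_string_alloc(j + 4, 0)` is presumably the room for the leading and trailing delimiters plus whatever option characters the rest of the function appends, but nothing at the allocation says so; a comment such as `/* j = size of the escaped body; +4 covers the '~' delimiters and option letters appended below — keep in sync with the escaping loop */` would tie the two loops and the allocation together for the next change. The same lines appear in the libmagic.patch hunk (`@@ -3414,18 +3414,32 @@`), so any adjustment has to be made in both places.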
diff --git a/ext/fileinfo/tests/bug79283.phpt b/ext/fileinfo/tests/bug79283.phpt
new file mode 100644
index 0000000000..b32351bfb8
--- /dev/null
+++ b/ext/fileinfo/tests/bug79283.phpt
@@ -0,0 +1,22 @@
+--TEST--
+Bug #79283 (Segfault in libmagic patch contains a buffer overflow)
+--SKIPIF--
+
+--FILE--
+buffer("buffer\n"));
+?>
+--CLEAN--
+
+--EXPECT--
+string(10) "ASCII text"