summaryrefslogtreecommitdiffstats
path: root/php-5.5.6-CVE-2014-2270.patch
diff options
context:
space:
mode:
Diffstat (limited to 'php-5.5.6-CVE-2014-2270.patch')
-rw-r--r--php-5.5.6-CVE-2014-2270.patch168
1 files changed, 0 insertions, 168 deletions
diff --git a/php-5.5.6-CVE-2014-2270.patch b/php-5.5.6-CVE-2014-2270.patch
deleted file mode 100644
index 52d9994..0000000
--- a/php-5.5.6-CVE-2014-2270.patch
+++ /dev/null
@@ -1,168 +0,0 @@
-From a33759fd275b32ed0bbe89796fe2953b3cb0b41f Mon Sep 17 00:00:00 2001
-From: Remi Collet <remi@php.net>
-Date: Tue, 4 Mar 2014 20:32:52 +0100
-Subject: [PATCH] Fixed Bug #66820 out-of-bounds memory access in fileinfo
-
-Upstream fix:
-https://github.com/glensc/file/commit/447558595a3650db2886cd2f416ad0beba965801
-
-Notice, test changed, with upstream agreement:
--define OFFSET_OOB(n, o, i) ((n) < (o) || (i) >= ((n) - (o)))
-+define OFFSET_OOB(n, o, i) ((n) < (o) || (i) > ((n) - (o)))
----
- ext/fileinfo/libmagic/softmagic.c | 34 ++++++++++++++++++----------------
- 1 file changed, 18 insertions(+), 16 deletions(-)
-
-diff --git a/ext/fileinfo/libmagic/softmagic.c b/ext/fileinfo/libmagic/softmagic.c
-index 82a470a..21fea6b 100644
---- a/ext/fileinfo/libmagic/softmagic.c
-+++ b/ext/fileinfo/libmagic/softmagic.c
-@@ -67,6 +67,8 @@ private void cvt_16(union VALUETYPE *, const struct magic *);
- private void cvt_32(union VALUETYPE *, const struct magic *);
- private void cvt_64(union VALUETYPE *, const struct magic *);
-
-+#define OFFSET_OOB(n, o, i) ((n) < (o) || (i) > ((n) - (o)))
-+
- /*
- * softmagic - lookup one file in parsed, in-memory copy of database
- * Passed the name and FILE * of one file to be typed.
-@@ -1171,7 +1173,7 @@ mget(struct magic_set *ms, const unsigned char *s, struct magic *m,
- }
- switch (cvt_flip(m->in_type, flip)) {
- case FILE_BYTE:
-- if (nbytes < (offset + 1))
-+ if (OFFSET_OOB(nbytes, offset, 1))
- return 0;
- if (off) {
- switch (m->in_op & FILE_OPS_MASK) {
-@@ -1206,7 +1208,7 @@ mget(struct magic_set *ms, const unsigned char *s, struct magic *m,
- offset = ~offset;
- break;
- case FILE_BESHORT:
-- if (nbytes < (offset + 2))
-+ if (OFFSET_OOB(nbytes, offset, 2))
- return 0;
- if (off) {
- switch (m->in_op & FILE_OPS_MASK) {
-@@ -1258,7 +1260,7 @@ mget(struct magic_set *ms, const unsigned char *s, struct magic *m,
- offset = ~offset;
- break;
- case FILE_LESHORT:
-- if (nbytes < (offset + 2))
-+ if (OFFSET_OOB(nbytes, offset, 2))
- return 0;
- if (off) {
- switch (m->in_op & FILE_OPS_MASK) {
-@@ -1310,7 +1312,7 @@ mget(struct magic_set *ms, const unsigned char *s, struct magic *m,
- offset = ~offset;
- break;
- case FILE_SHORT:
-- if (nbytes < (offset + 2))
-+ if (OFFSET_OOB(nbytes, offset, 2))
- return 0;
- if (off) {
- switch (m->in_op & FILE_OPS_MASK) {
-@@ -1347,7 +1349,7 @@ mget(struct magic_set *ms, const unsigned char *s, struct magic *m,
- break;
- case FILE_BELONG:
- case FILE_BEID3:
-- if (nbytes < (offset + 4))
-+ if (OFFSET_OOB(nbytes, offset, 4))
- return 0;
- if (off) {
- switch (m->in_op & FILE_OPS_MASK) {
-@@ -1418,7 +1420,7 @@ mget(struct magic_set *ms, const unsigned char *s, struct magic *m,
- break;
- case FILE_LELONG:
- case FILE_LEID3:
-- if (nbytes < (offset + 4))
-+ if (OFFSET_OOB(nbytes, offset, 4))
- return 0;
- if (off) {
- switch (m->in_op & FILE_OPS_MASK) {
-@@ -1488,7 +1490,7 @@ mget(struct magic_set *ms, const unsigned char *s, struct magic *m,
- offset = ~offset;
- break;
- case FILE_MELONG:
-- if (nbytes < (offset + 4))
-+ if (OFFSET_OOB(nbytes, offset, 4))
- return 0;
- if (off) {
- switch (m->in_op & FILE_OPS_MASK) {
-@@ -1558,7 +1560,7 @@ mget(struct magic_set *ms, const unsigned char *s, struct magic *m,
- offset = ~offset;
- break;
- case FILE_LONG:
-- if (nbytes < (offset + 4))
-+ if (OFFSET_OOB(nbytes, offset, 4))
- return 0;
- if (off) {
- switch (m->in_op & FILE_OPS_MASK) {
-@@ -1630,14 +1632,14 @@ mget(struct magic_set *ms, const unsigned char *s, struct magic *m,
- /* Verify we have enough data to match magic type */
- switch (m->type) {
- case FILE_BYTE:
-- if (nbytes < (offset + 1)) /* should always be true */
-+ if (OFFSET_OOB(nbytes, offset, 1))
- return 0;
- break;
-
- case FILE_SHORT:
- case FILE_BESHORT:
- case FILE_LESHORT:
-- if (nbytes < (offset + 2))
-+ if (OFFSET_OOB(nbytes, offset, 2))
- return 0;
- break;
-
-@@ -1656,33 +1658,33 @@ mget(struct magic_set *ms, const unsigned char *s, struct magic *m,
- case FILE_FLOAT:
- case FILE_BEFLOAT:
- case FILE_LEFLOAT:
-- if (nbytes < (offset + 4))
-+ if (OFFSET_OOB(nbytes, offset, 4))
- return 0;
- break;
-
- case FILE_DOUBLE:
- case FILE_BEDOUBLE:
- case FILE_LEDOUBLE:
-- if (nbytes < (offset + 8))
-+ if (OFFSET_OOB(nbytes, offset, 8))
- return 0;
- break;
-
- case FILE_STRING:
- case FILE_PSTRING:
- case FILE_SEARCH:
-- if (nbytes < (offset + m->vallen))
-+ if (OFFSET_OOB(nbytes, offset, m->vallen))
- return 0;
- break;
-
- case FILE_REGEX:
-- if (nbytes < offset)
-+ if (OFFSET_OOB(nbytes, offset, 0))
- return 0;
- break;
-
- case FILE_INDIRECT:
- if (offset == 0)
- return 0;
-- if (nbytes < offset)
-+ if (OFFSET_OOB(nbytes, offset, 0))
- return 0;
- sbuf = ms->o.buf;
- soffset = ms->offset;
-@@ -1716,7 +1718,7 @@ mget(struct magic_set *ms, const unsigned char *s, struct magic *m,
- return rv;
-
- case FILE_USE:
-- if (nbytes < offset)
-+ if (OFFSET_OOB(nbytes, offset, 0))
- return 0;
- sbuf = m->value.s;
- if (*sbuf == '^') {
---
-1.9.2
-
generated by cgit (git 2.34.1) at 2024-05-19 07:39:06 +0000