archive/php-src
1
0
Fork 0
mirror of https://github.com/php/php-src.git synced 2025-08-16 05:58:45 +02:00
Code Issues Projects Releases Packages Wiki Activity Actions 3

Rework places in libmagic regarding previous CVE-2014-3538 fixes

Browse source 
CVE-2014-3538 was fixed upstream, but the old patch was still kept in
the PHP port. This patch causes performance regressions when PCRE JIT is
not enabled. This is fixed by applying the relevant original code from
the newer libmagic, which makes the old patch obsolete as the
CVE-2014-3538 tests still pass.
This commit is contained in:
Anatol Belski 2018-11-04 13:11:28 +01:00
parent aea411657e
commit 7f5f46013b
2 changed files with 17 additions and 23 deletions
Download patch file Download diff file Expand all files Collapse all files

7
ext/fileinfo/libmagic/apprentice.c
View file

@ -2567,18 +2567,19 @@ getvalue(struct magic_set *ms, struct magic *m, const char **p, int action)
return -1;
}
if (m->type == FILE_REGEX) {
/* XXX do we need this? */
/*zval pattern;
zval pattern;
int options = 0;
pcre_cache_entry *pce;
convert_libmagic_pattern(&pattern, m->value.s, strlen(m->value.s), options);
if ((pce = pcre_get_compiled_regex_cache(Z_STR(pattern))) == NULL) {
zval_dtor(&pattern);
return -1;
}
zval_dtor(&pattern);
return 0;*/
return 0;
}
return 0;
default:

29
ext/fileinfo/libmagic/softmagic.c
View file

@ -1268,28 +1268,21 @@ mcopy(struct magic_set *ms, union VALUETYPE *p, int type, int indir,
return 0;
}
/* bytecnt checks are to be kept for PHP, see cve-2014-3538.
PCRE might get stuck if the input buffer is too big. */
if (m->str_flags & REGEX_LINE_COUNT) {
linecnt = m->str_range;
bytecnt = linecnt * 80;
if (bytecnt == 0) {
bytecnt = 1 << 14;
} else {
linecnt = 0;
bytecnt = m->str_range;
}
if (bytecnt > nbytes) {
bytecnt = nbytes;
}
if (offset > bytecnt) {
offset = bytecnt;
}
if (s == NULL) {
ms->search.s_len = 0;
ms->search.s = NULL;
return 0;
}
if (bytecnt == 0 || bytecnt > nbytes - offset)
bytecnt = nbytes - offset;
if (bytecnt > ms->regex_max)
bytecnt = ms->regex_max;
buf = RCAST(const char *, s) + offset;
end = last = RCAST(const char *, s) + bytecnt;
end = last = RCAST(const char *, s) + bytecnt + offset;
/* mget() guarantees buf <= last */
for (lines = linecnt, b = buf; lines && b < end &&
((b = CAST(const char *,
@ -1302,7 +1295,7 @@ mcopy(struct magic_set *ms, union VALUETYPE *p, int type, int indir,
b++;
}
if (lines)
last = RCAST(const char *, s) + bytecnt;
last = end;
ms->search.s = buf;
ms->search.s_len = last - buf;