From 5bcc027a228bc8cde55ba73f7b256877bf302381 Mon Sep 17 00:00:00 2001
From: Jan Kaluza <jkaluza@redhat.com>
Date: Tue, 18 Feb 2014 09:32:40 +0100
Subject: [PATCH] fix #1065837 - fix for CVE-2014-1943

---
 file-5.14-CVE-2014-1943.patch | 88 +++++++++++++++++++++++++++++++++++
 file.spec                     |  7 ++-
 2 files changed, 94 insertions(+), 1 deletion(-)
 create mode 100644 file-5.14-CVE-2014-1943.patch

diff --git a/file-5.14-CVE-2014-1943.patch b/file-5.14-CVE-2014-1943.patch
new file mode 100644
index 0000000..9e0cc06
--- /dev/null
+++ b/file-5.14-CVE-2014-1943.patch
@@ -0,0 +1,88 @@
+diff --git a/src/ascmagic.c b/src/ascmagic.c
+index 9f1456a..6dda702 100644
+--- a/src/ascmagic.c
++++ b/src/ascmagic.c
+@@ -147,7 +147,7 @@ file_ascmagic_with_encoding(struct magic_set *ms, const unsigned char *buf,
+ 		    == NULL)
+ 			goto done;
+ 		if ((rv = file_softmagic(ms, utf8_buf,
+-		    (size_t)(utf8_end - utf8_buf), TEXTTEST, text)) == 0)
++		    (size_t)(utf8_end - utf8_buf), 0, TEXTTEST, text)) == 0)
+ 			rv = -1;
+ 	}
+ 
+diff --git a/src/file.h b/src/file.h
+index 2b64399..d1bd332 100644
+--- a/src/file.h
++++ b/src/file.h
+@@ -438,7 +438,7 @@ protected int file_encoding(struct magic_set *, const unsigned char *, size_t,
+     unichar **, size_t *, const char **, const char **, const char **);
+ protected int file_is_tar(struct magic_set *, const unsigned char *, size_t);
+ protected int file_softmagic(struct magic_set *, const unsigned char *, size_t,
+-    int, int);
++    size_t, int, int);
+ protected int file_apprentice(struct magic_set *, const char *, int);
+ protected int file_magicfind(struct magic_set *, const char *, struct mlist *);
+ protected uint64_t file_signextend(struct magic_set *, struct magic *,
+diff --git a/src/funcs.c b/src/funcs.c
+index 4641c8b..e902c15 100644
+--- a/src/funcs.c
++++ b/src/funcs.c
+@@ -228,7 +228,7 @@ file_buffer(struct magic_set *ms, int fd, const char *inname __attribute__ ((unu
+ 
+ 	/* try soft magic tests */
+ 	if ((ms->flags & MAGIC_NO_CHECK_SOFT) == 0)
+-		if ((m = file_softmagic(ms, ubuf, nb, BINTEST,
++		if ((m = file_softmagic(ms, ubuf, nb, 0, BINTEST,
+ 		    looks_text)) != 0) {
+ 			if ((ms->flags & MAGIC_DEBUG) != 0)
+ 				(void)fprintf(stderr, "softmagic %d\n", m);
+diff --git a/src/softmagic.c b/src/softmagic.c
+index 108d419..ee4b831 100644
+--- a/src/softmagic.c
++++ b/src/softmagic.c
+@@ -41,6 +41,7 @@ FILE_RCSID("@(#)$File: softmagic.c,v 1.165 2013/03/07 02:22:24 christos Exp $")
+ #include <stdlib.h>
+ #include <time.h>
+ 
++#define OFFSET_OOB(n, o, i)  ((n) < (o) || (i) >= ((n) - (o)))
+ 
+ private int match(struct magic_set *, struct magic *, uint32_t,
+     const unsigned char *, size_t, size_t, int, int, int, int, int *, int *,
+@@ -69,7 +70,7 @@ private void cvt_64(union VALUETYPE *, const struct magic *);
+ /*ARGSUSED1*/		/* nbytes passed for regularity, maybe need later */
+ protected int
+ file_softmagic(struct magic_set *ms, const unsigned char *buf, size_t nbytes,
+-    int mode, int text)
++    size_t level, int mode, int text)
+ {
+ 	struct mlist *ml;
+ 	int rv, printed_something = 0, need_separator = 0;
+@@ -79,7 +80,7 @@ file_softmagic(struct magic_set *ms, const unsigned char *buf, size_t nbytes,
+ 
+ 	for (ml = ms->mlist[0]->next; ml != ms->mlist[0]; ml = ml->next)
+ 		if ((rv = match(ms, ml->magic, ml->nmagic, buf, nbytes, 0, mode,
+-		    text, 0, 0, &printed_something, &need_separator,
++		    text, 0, level, &printed_something, &need_separator,
+ 		    NULL)) != 0)
+ 			return rv;
+ 
+@@ -1707,14 +1708,16 @@ mget(struct magic_set *ms, const unsigned char *s, struct magic *m,
+ 		break;
+ 
+ 	case FILE_INDIRECT:
+-		if (nbytes < offset)
++		if (offset == 0)
++			return 0;
++		if (OFFSET_OOB(nbytes, offset, 0))
+ 			return 0;
+ 		sbuf = ms->o.buf;
+ 		soffset = ms->offset;
+ 		ms->o.buf = NULL;
+ 		ms->offset = 0;
+ 		rv = file_softmagic(ms, s + offset, nbytes - offset,
+-		    BINTEST, text);
++		    recursion_level, BINTEST, text);
+ 		if ((ms->flags & MAGIC_DEBUG) != 0)
+ 			fprintf(stderr, "indirect @offs=%u[%d]\n", offset, rv);
+ 		rbuf = ms->o.buf;
diff --git a/file.spec b/file.spec
index 8054985..53e62ca 100644
--- a/file.spec
+++ b/file.spec
@@ -4,7 +4,7 @@
 Summary: A utility for determining file types
 Name: file
 Version: 5.14
-Release: 14%{?dist}
+Release: 15%{?dist}
 License: BSD
 Group: Applications/File
 Source0: ftp://ftp.astron.com/pub/file/file-%{version}.tar.gz
@@ -24,6 +24,7 @@ Patch10: file-5.14-bad-fsmagic-space.patch
 Patch11: file-5.14-no-magic.patch
 Patch12: file-5.14-journald.patch
 Patch13: file-5.14-magic_load.patch
+Patch14: file-5.14-CVE-2014-1943.patch
 URL: http://www.darwinsys.com/file/
 Requires: file-libs = %{version}-%{release}
 BuildRequires: zlib-devel
@@ -98,6 +99,7 @@ file(1) command.
 %patch11 -p1
 %patch12 -p1
 %patch13 -p1
+%patch14 -p1
 
 iconv -f iso-8859-1 -t utf-8 < doc/libmagic.man > doc/libmagic.man_
 touch -r doc/libmagic.man doc/libmagic.man_
@@ -194,6 +196,9 @@ cd %{py3dir}
 %endif
 
 %changelog
+* Tue Feb 18 2014 Jan Kaluza <jkaluza@redhat.com> - 5.14-15
+- fix #1065837 - fix for CVE-2014-1943
+
 * Wed Jan 15 2014 Jan Kaluza <jkaluza@redhat.com> - 5.14-14
 - fix #1051598 - reverse the order of shebang vs. package keyword detection
   in Perl by increasing strength of all Perl patterns