- fileinfo: fix insufficient boundary check

- workaround regression introduce in fix for 67072 in serialize/unzerialize functions
2014-06-03 14:12:58 +02:00 · 2014-06-03 14:12:58 +02:00 · dbadc12a0c
commit dbadc12a0c
parent 2ed3313e58
3 changed files with 69 additions and 1 deletions
--- a/php-bug67326.patch
+++ b/php-bug67326.patch
@ -0,0 +1,32 @@
 From 4fcb9a9d1b1063a65fbeb27395de4979c75bd962 Mon Sep 17 00:00:00 2001
 From: Remi Collet <remi@php.net>
 Date: Tue, 3 Jun 2014 11:05:00 +0200
 Subject: [PATCH] Fix bug #67326	fileinfo: cdf_read_short_sector insufficient
 boundary check
 Upstream fix https://github.com/file/file/commit/6d209c1c489457397a5763bca4b28e43aac90391.patch
 Only revelant part applied
 ---
 ext/fileinfo/libmagic/cdf.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
 diff --git a/ext/fileinfo/libmagic/cdf.c b/ext/fileinfo/libmagic/cdf.c
 index 4712e84..16649f1 100644
 --- a/ext/fileinfo/libmagic/cdf.c
 +++ b/ext/fileinfo/libmagic/cdf.c
@@ -365,10 +365,10 @@ cdf_read_short_sector(const cdf_stream_t *sst, void *buf, size_t offs,
 	size_t ss = CDF_SHORT_SEC_SIZE(h);
 	size_t pos = CDF_SHORT_SEC_POS(h, id);
 	assert(ss == len);
 -	if (pos > CDF_SEC_SIZE(h) * sst->sst_len) {
 +	if (pos + len > CDF_SEC_SIZE(h) * sst->sst_len) {
 		DPRINTF(("Out of bounds read %" SIZE_T_FORMAT "u > %"
 		    SIZE_T_FORMAT "u\n",
 -		    pos, CDF_SEC_SIZE(h) * sst->sst_len));
 +		    pos + len, CDF_SEC_SIZE(h) * sst->sst_len));
 		return -1;
 	}
 	(void)memcpy(((char *)buf) + offs,
 -- 
 1.9.2
--- a/php-reg67072.patch
+++ b/php-reg67072.patch
@ -0,0 +1,26 @@
 diff --git a/ext/standard/var_unserializer.c b/ext/standard/var_unserializer.c
 index 003bac9..ed6a69c 100644
 --- a/ext/standard/var_unserializer.c
 +++ b/ext/standard/var_unserializer.c
@@ -396,7 +396,7 @@ static inline long object_common1(UNSERIALIZE_PARAMETER, zend_class_entry *ce)
 	(*p) += 2;
 -	if (ce->serialize == NULL) {
 +	if (ce->serialize == NULL || ZEND_INTERNAL_CLASS != ce->type) {
 		object_init_ex(*rval, ce);
 	} else {
 		/* If this class implements Serializable, it should not land here but in object_custom(). The passed string
 diff --git a/ext/standard/var_unserializer.re b/ext/standard/var_unserializer.re
 index b3f5d29..b5f092b 100644
 --- a/ext/standard/var_unserializer.re
 +++ b/ext/standard/var_unserializer.re
@@ -400,7 +400,7 @@ static inline long object_common1(UNSERIALIZE_PARAMETER, zend_class_entry *ce)
 	(*p) += 2;
 -	if (ce->serialize == NULL) {
 +	if (ce->serialize == NULL || ZEND_INTERNAL_CLASS != ce->type) {
 		object_init_ex(*rval, ce);
 	} else {
 		/* If this class implements Serializable, it should not land here but in object_custom(). The passed string
--- a/php.spec
+++ b/php.spec
@ -69,7 +69,7 @@
 Summary: PHP scripting language for creating dynamic web sites
 Name: php
 Version: 5.5.13
-Release: 1%{?dist}
+Release: 2%{?dist}
 # All files licensed under PHP version 3.01, except
 # Zend is licensed under Zend
 # TSRM is licensed under BSD
@ -121,6 +121,8 @@ Patch46: php-5.4.9-fixheader.patch
 Patch47: php-5.4.9-phpinfo.patch
 # Upstream fixes (100+)
 Patch100: php-reg67072.patch
 Patch101: php-bug67326.patch
 # Security fixes (200+)
@ -728,6 +730,9 @@ support for using the enchant library to PHP.
 %patch46 -p1 -b .fixheader
 %patch47 -p1 -b .phpinfo
 %patch100 -p1 -b .reg67072
 %patch101 -p1 -b .bug67326
 %if 0%{?fedora} < 21
 # Only revert when system libpcre < 8.34
 %patch301 -p1 -R -b .pcre84
@ -1550,6 +1555,11 @@ exit 0
 %changelog
 * Tue Jun  3 2014 Remi Collet <remi@fedoraproject.org> 5.5.13-2
 - fileinfo: fix insufficient boundary check
 - workaround regression introduce in fix for 67072 in
  serialize/unzerialize functions
 * Fri May 30 2014 Remi Collet <rcollet@redhat.com> 5.5.13-1
 - Update to 5.5.13
  http://www.php.net/releases/5_5_13.php