!99 master: fix CVE-2022-31627

From: @hugel 
Reviewed-by: @overweight 
Signed-off-by: @overweight

backport-CVE-2022-31627.patch

@@ -0,0 +1,356 @@
+From ca6d511fa54b34d5b75bf120a86482a1b9e1e686 Mon Sep 17 00:00:00 2001
+From: "Christoph M. Becker" <cmbecker69@gmx.de>
+Date: Thu, 30 Jun 2022 17:15:22 +0200
+Subject: [PATCH] Fix #81723: Memory corruption in finfo_buffer()
+
+We need to use the same memory allocator throughout.
+---
+ ext/fileinfo/libmagic.patch       | 112 +++++++++++++++++-------------
+ ext/fileinfo/libmagic/softmagic.c |   8 +--
+ ext/fileinfo/tests/bug81723.phpt  |  12 ++++
+ 3 files changed, 79 insertions(+), 53 deletions(-)
+ create mode 100644 ext/fileinfo/tests/bug81723.phpt
+
+diff --git a/ext/fileinfo/libmagic.patch b/ext/fileinfo/libmagic.patch
+index 27124692a0..3373ae4519 100644
+--- a/ext/fileinfo/libmagic.patch
++++ b/ext/fileinfo/libmagic.patch
+@@ -1,6 +1,6 @@
+-diff -ur libmagic.orig/apprentice.c libmagic/apprentice.c
++diff -u libmagic.orig/apprentice.c libmagic/apprentice.c
+ --- libmagic.orig/apprentice.c	2021-02-23 01:51:11.000000000 +0100
+-+++ libmagic/apprentice.c	2021-04-06 21:34:57.332978922 +0200
+++++ libmagic/apprentice.c	2022-06-16 13:39:41.570984700 +0200
+ @@ -29,6 +29,8 @@
+   * apprentice - make one pass through /etc/magic, learning its secrets.
+   */
+@@ -925,9 +925,9 @@ diff -ur libmagic.orig/apprentice.c libmagic/apprentice.c
+  		m->str_range = swap4(m->str_range);
+  		m->str_flags = swap4(m->str_flags);
+  	}
+-diff -ur libmagic.orig/ascmagic.c libmagic/ascmagic.c
++diff -u libmagic.orig/ascmagic.c libmagic/ascmagic.c
+ --- libmagic.orig/ascmagic.c	2021-02-23 01:49:06.000000000 +0100
+-+++ libmagic/ascmagic.c	2021-04-06 21:34:57.332978922 +0200
+++++ libmagic/ascmagic.c	2022-06-16 13:39:41.570984700 +0200
+ @@ -96,7 +96,7 @@
+  		rv = file_ascmagic_with_encoding(ms, &bb,
+  		    ubuf, ulen, code, type, text);
+@@ -956,9 +956,9 @@ diff -ur libmagic.orig/ascmagic.c libmagic/ascmagic.c
+  
+  	return rv;
+  }
+-diff -ur libmagic.orig/buffer.c libmagic/buffer.c
++diff -u libmagic.orig/buffer.c libmagic/buffer.c
+ --- libmagic.orig/buffer.c	2021-02-23 01:49:26.000000000 +0100
+-+++ libmagic/buffer.c	2021-04-06 21:34:57.332978922 +0200
+++++ libmagic/buffer.c	2021-09-21 13:27:27.982716100 +0200
+ @@ -31,19 +31,23 @@
+  #endif	/* lint */
+  
+@@ -1012,9 +1012,9 @@ diff -ur libmagic.orig/buffer.c libmagic/buffer.c
+  		b->ebuf = NULL;
+  		goto out;
+  	}
+-diff -ur libmagic.orig/cdf.c libmagic/cdf.c
++diff -u libmagic.orig/cdf.c libmagic/cdf.c
+ --- libmagic.orig/cdf.c	2021-02-23 01:49:06.000000000 +0100
+-+++ libmagic/cdf.c	2021-04-06 21:34:57.332978922 +0200
+++++ libmagic/cdf.c	2021-09-21 13:27:27.983695600 +0200
+ @@ -43,7 +43,17 @@
+  #include <err.h>
+  #endif
+@@ -1247,9 +1247,9 @@ diff -ur libmagic.orig/cdf.c libmagic/cdf.c
+  }
+  
+  #endif
+-diff -ur libmagic.orig/cdf.h libmagic/cdf.h
++diff -u libmagic.orig/cdf.h libmagic/cdf.h
+ --- libmagic.orig/cdf.h	2021-02-23 01:49:06.000000000 +0100
+-+++ libmagic/cdf.h	2021-04-06 21:34:57.332978922 +0200
+++++ libmagic/cdf.h	2021-09-21 13:27:27.984674900 +0200
+ @@ -35,10 +35,10 @@
+  #ifndef _H_CDF_
+  #define _H_CDF_
+@@ -1264,9 +1264,9 @@ diff -ur libmagic.orig/cdf.h libmagic/cdf.h
+  #endif
+  #ifdef __DJGPP__
+  #define timespec timeval
+-diff -ur libmagic.orig/cdf_time.c libmagic/cdf_time.c
++diff -u libmagic.orig/cdf_time.c libmagic/cdf_time.c
+ --- libmagic.orig/cdf_time.c	2021-02-23 01:49:06.000000000 +0100
+-+++ libmagic/cdf_time.c	2021-04-06 21:34:57.336978894 +0200
+++++ libmagic/cdf_time.c	2021-09-21 13:27:27.985654400 +0200
+ @@ -23,6 +23,7 @@
+   * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+   * POSSIBILITY OF SUCH DAMAGE.
+@@ -1293,9 +1293,9 @@ diff -ur libmagic.orig/cdf_time.c libmagic/cdf_time.c
+  	if (ptr != NULL)
+  		return buf;
+  	(void)snprintf(buf, 26, "*Bad* %#16.16" INT64_T_FORMAT "x\n",
+-diff -ur libmagic.orig/compress.c libmagic/compress.c
++diff -u libmagic.orig/compress.c libmagic/compress.c
+ --- libmagic.orig/compress.c	2021-02-23 01:49:07.000000000 +0100
+-+++ libmagic/compress.c	2021-04-06 21:34:57.336978894 +0200
+++++ libmagic/compress.c	2022-06-16 13:39:41.586609800 +0200
+ @@ -51,7 +51,7 @@
+  #ifndef HAVE_SIG_T
+  typedef void (*sig_t)(int);
+@@ -1430,9 +1430,9 @@ diff -ur libmagic.orig/compress.c libmagic/compress.c
+  }
+  #endif
+ +#endif
+-diff -ur libmagic.orig/der.c libmagic/der.c
++diff -u libmagic.orig/der.c libmagic/der.c
+ --- libmagic.orig/der.c	2021-02-23 01:49:06.000000000 +0100
+-+++ libmagic/der.c	2021-04-06 21:34:57.336978894 +0200
+++++ libmagic/der.c	2022-06-16 13:39:41.586609800 +0200
+ @@ -54,7 +54,9 @@
+  #include "magic.h"
+  #include "der.h"
+@@ -1443,9 +1443,9 @@ diff -ur libmagic.orig/der.c libmagic/der.c
+  #include <sys/stat.h>
+  #include <err.h>
+  #endif
+-diff -ur libmagic.orig/elfclass.h libmagic/elfclass.h
++diff -u libmagic.orig/elfclass.h libmagic/elfclass.h
+ --- libmagic.orig/elfclass.h	2021-02-23 01:49:06.000000000 +0100
+-+++ libmagic/elfclass.h	2021-04-06 21:34:57.336978894 +0200
+++++ libmagic/elfclass.h	2021-09-21 13:27:27.989571700 +0200
+ @@ -41,7 +41,7 @@
+  			return toomany(ms, "program headers", phnum);
+  		flags |= FLAGS_IS_CORE;
+@@ -1473,9 +1473,9 @@ diff -ur libmagic.orig/elfclass.h libmagic/elfclass.h
+  		    CAST(size_t, elf_getu16(swap, elfhdr.e_shentsize)),
+  		    fsize, elf_getu16(swap, elfhdr.e_machine),
+  		    CAST(int, elf_getu16(swap, elfhdr.e_shstrndx)),
+-diff -ur libmagic.orig/encoding.c libmagic/encoding.c
++diff -u libmagic.orig/encoding.c libmagic/encoding.c
+ --- libmagic.orig/encoding.c	2021-02-23 01:49:06.000000000 +0100
+-+++ libmagic/encoding.c	2021-04-06 21:34:57.336978894 +0200
+++++ libmagic/encoding.c	2022-06-16 13:39:41.586609800 +0200
+ @@ -98,14 +98,14 @@
+  		nbytes = ms->encoding_max;
+  
+@@ -1514,9 +1514,9 @@ diff -ur libmagic.orig/encoding.c libmagic/encoding.c
+  	} \
+  	if (u < 3) \
+  		return 0; \
+-diff -ur libmagic.orig/file.h libmagic/file.h
++diff -u libmagic.orig/file.h libmagic/file.h
+ --- libmagic.orig/file.h	2021-02-23 01:49:06.000000000 +0100
+-+++ libmagic/file.h	2021-04-06 21:34:57.336978894 +0200
+++++ libmagic/file.h	2022-06-16 13:39:41.586609800 +0200
+ @@ -33,17 +33,14 @@
+  #ifndef __file_h__
+  #define __file_h__
+@@ -1775,9 +1775,9 @@ diff -ur libmagic.orig/file.h libmagic/file.h
+ +#endif
+ +
+  #endif /* __file_h__ */
+-diff -ur libmagic.orig/fsmagic.c libmagic/fsmagic.c
++diff -u libmagic.orig/fsmagic.c libmagic/fsmagic.c
+ --- libmagic.orig/fsmagic.c	2021-02-23 01:49:06.000000000 +0100
+-+++ libmagic/fsmagic.c	2021-04-06 21:34:57.336978894 +0200
+++++ libmagic/fsmagic.c	2021-09-21 13:27:27.992511000 +0200
+ @@ -66,26 +66,10 @@
+  # define minor(dev)  ((dev) & 0xff)
+  #endif
+@@ -2068,9 +2068,9 @@ diff -ur libmagic.orig/fsmagic.c libmagic/fsmagic.c
+  #ifdef	S_IFSOCK
+  #ifndef __COHERENT__
+  	case S_IFSOCK:
+-diff -ur libmagic.orig/funcs.c libmagic/funcs.c
++diff -u libmagic.orig/funcs.c libmagic/funcs.c
+ --- libmagic.orig/funcs.c	2021-02-23 01:49:06.000000000 +0100
+-+++ libmagic/funcs.c	2021-04-06 21:34:57.336978894 +0200
+++++ libmagic/funcs.c	2022-06-16 13:39:41.586609800 +0200
+ @@ -51,6 +51,13 @@
+  #define SIZE_MAX	((size_t)~0)
+  #endif
+@@ -2388,9 +2388,9 @@ diff -ur libmagic.orig/funcs.c libmagic/funcs.c
+  
+  protected char *
+  file_strtrim(char *str)
+-diff -ur libmagic.orig/magic.c libmagic/magic.c
++diff -u libmagic.orig/magic.c libmagic/magic.c
+ --- libmagic.orig/magic.c	2021-02-23 01:49:06.000000000 +0100
+-+++ libmagic/magic.c	2021-04-06 21:34:57.336978894 +0200
+++++ libmagic/magic.c	2022-06-16 13:39:41.586609800 +0200
+ @@ -25,11 +25,6 @@
+   * SUCH DAMAGE.
+   */
+@@ -2867,9 +2867,9 @@ diff -ur libmagic.orig/magic.c libmagic/magic.c
+  		return NULL;
+  	}
+  	return file_getbuffer(ms);
+-diff -ur libmagic.orig/magic.h libmagic/magic.h
+---- libmagic.orig/magic.h	2021-04-06 22:37:37.647426536 +0200
+-+++ libmagic/magic.h	2021-04-06 21:34:57.336978894 +0200
++diff -u libmagic.orig/magic.h libmagic/magic.h
++--- libmagic.orig/magic.h	2022-06-30 17:16:06.144009900 +0200
+++++ libmagic/magic.h	2022-06-16 13:39:41.586609800 +0200
+ @@ -126,6 +126,7 @@
+  
+  const char *magic_getpath(const char *, int);
+@@ -2878,9 +2878,9 @@ diff -ur libmagic.orig/magic.h libmagic/magic.h
+  const char *magic_descriptor(magic_t, int);
+  const char *magic_buffer(magic_t, const void *, size_t);
+  
+-diff -ur libmagic.orig/print.c libmagic/print.c
++diff -u libmagic.orig/print.c libmagic/print.c
+ --- libmagic.orig/print.c	2021-02-23 01:49:07.000000000 +0100
+-+++ libmagic/print.c	2021-04-06 21:34:57.340978869 +0200
+++++ libmagic/print.c	2021-09-21 13:27:27.998388700 +0200
+ @@ -28,6 +28,7 @@
+  /*
+   * print.c - debugging printout routines
+@@ -2943,9 +2943,9 @@ diff -ur libmagic.orig/print.c libmagic/print.c
+  
+  	if (pp == NULL)
+  		goto out;
+-diff -ur libmagic.orig/readcdf.c libmagic/readcdf.c
++diff -u libmagic.orig/readcdf.c libmagic/readcdf.c
+ --- libmagic.orig/readcdf.c	2021-02-23 01:49:08.000000000 +0100
+-+++ libmagic/readcdf.c	2021-04-06 21:34:57.340978869 +0200
+++++ libmagic/readcdf.c	2021-09-21 13:27:27.999369100 +0200
+ @@ -31,7 +31,11 @@
+  
+  #include <assert.h>
+@@ -3067,9 +3067,9 @@ diff -ur libmagic.orig/readcdf.c libmagic/readcdf.c
+  out0:
+  	/* If we handled it already, return */
+  	if (i != -1)
+-diff -ur libmagic.orig/softmagic.c libmagic/softmagic.c
++diff -u libmagic.orig/softmagic.c libmagic/softmagic.c
+ --- libmagic.orig/softmagic.c	2021-02-23 01:49:06.000000000 +0100
+-+++ libmagic/softmagic.c	2021-04-06 21:34:57.340978869 +0200
+++++ libmagic/softmagic.c	2022-06-30 16:58:15.521661800 +0200
+ @@ -43,6 +43,10 @@
+  #include <time.h>
+  #include "der.h"
+@@ -3247,7 +3247,29 @@ diff -ur libmagic.orig/softmagic.c libmagic/softmagic.c
+  	return rv;
+  }
+  
+-@@ -1845,15 +1847,15 @@
++@@ -1531,11 +1533,7 @@
++ 	size_t len;
++ 	*c = ms->c;
++ 	len = c->len * sizeof(*c->li);
++-	ms->c.li = CAST(struct level_info *, malloc(len));
++-	if (ms->c.li == NULL) {
++-		ms->c = *c;
++-		return -1;
++-	}
+++	ms->c.li = CAST(struct level_info *, emalloc(len));
++ 	memcpy(ms->c.li, c->li, len);
++ 	return 0;
++ }
++@@ -1543,7 +1541,7 @@
++ private void
++ restore_cont(struct magic_set *ms, struct cont *c)
++ {
++-	free(ms->c.li);
+++	efree(ms->c.li);
++ 	ms->c = *c;
++ }
++ 
++@@ -1845,15 +1843,15 @@
+  			if ((ms->flags & MAGIC_NODESC) == 0 &&
+  			    file_printf(ms, F(ms, m->desc, "%u"), offset) == -1)
+  			{
+@@ -3266,7 +3288,7 @@ diff -ur libmagic.orig/softmagic.c libmagic/softmagic.c
+  		return rv;
+  
+  	case FILE_USE:
+-@@ -1958,10 +1960,13 @@
++@@ -1958,10 +1956,13 @@
+  			}
+  			else if ((flags & STRING_COMPACT_WHITESPACE) &&
+  			    isspace(*a)) {
+@@ -3281,7 +3303,7 @@ diff -ur libmagic.orig/softmagic.c libmagic/softmagic.c
+  							b++;
+  				}
+  				else {
+-@@ -1997,6 +2002,60 @@
++@@ -1997,6 +1998,60 @@
+  	return file_strncmp(a, b, len, maxlen, flags);
+  }
+  
+@@ -3342,7 +3364,7 @@ diff -ur libmagic.orig/softmagic.c libmagic/softmagic.c
+  private int
+  magiccheck(struct magic_set *ms, struct magic *m)
+  {
+-@@ -2176,65 +2235,77 @@
++@@ -2176,65 +2231,77 @@
+  		break;
+  	}
+  	case FILE_REGEX: {
+@@ -3471,9 +3493,9 @@ diff -ur libmagic.orig/softmagic.c libmagic/softmagic.c
+  		break;
+  	}
+  	case FILE_USE:
+-diff -ur libmagic.orig/strcasestr.c libmagic/strcasestr.c
++diff -u libmagic.orig/strcasestr.c libmagic/strcasestr.c
+ --- libmagic.orig/strcasestr.c	2021-02-23 01:49:12.000000000 +0100
+-+++ libmagic/strcasestr.c	2021-04-06 21:34:57.340978869 +0200
+++++ libmagic/strcasestr.c	2021-09-21 13:27:28.002306200 +0200
+ @@ -39,6 +39,8 @@
+  
+  #include "file.h"
+@@ -3483,7 +3505,3 @@ diff -ur libmagic.orig/strcasestr.c libmagic/strcasestr.c
+  #include <assert.h>
+  #include <ctype.h>
+  #include <string.h>
+---- libmagic/config.h	2021-04-06 22:19:57.552120067 +0200
+-+++ /dev/null	2021-03-31 20:37:24.776503884 +0200
+-@@ -1 +0,0 @@
+--#include "php.h"
+diff --git a/ext/fileinfo/libmagic/softmagic.c b/ext/fileinfo/libmagic/softmagic.c
+index c86524e31e..5132b4ddea 100644
+--- a/ext/fileinfo/libmagic/softmagic.c
++++ b/ext/fileinfo/libmagic/softmagic.c
+@@ -1533,11 +1533,7 @@ save_cont(struct magic_set *ms, struct cont *c)
+ 	size_t len;
+ 	*c = ms->c;
+ 	len = c->len * sizeof(*c->li);
+-	ms->c.li = CAST(struct level_info *, malloc(len));
+-	if (ms->c.li == NULL) {
+-		ms->c = *c;
+-		return -1;
+-	}
++	ms->c.li = CAST(struct level_info *, emalloc(len));
+ 	memcpy(ms->c.li, c->li, len);
+ 	return 0;
+ }
+@@ -1545,7 +1541,7 @@ save_cont(struct magic_set *ms, struct cont *c)
+ private void
+ restore_cont(struct magic_set *ms, struct cont *c)
+ {
+-	free(ms->c.li);
++	efree(ms->c.li);
+ 	ms->c = *c;
+ }
+ 
+diff --git a/ext/fileinfo/tests/bug81723.phpt b/ext/fileinfo/tests/bug81723.phpt
+new file mode 100644
+index 0000000000..16bfb81f10
+--- /dev/null
++++ b/ext/fileinfo/tests/bug81723.phpt
+@@ -0,0 +1,12 @@
++--TEST--
++Bug #81723 (Memory corruption in finfo_buffer())
++--EXTENSIONS--
++fileinfo
++--FILE--
++<?php
++$data = hex2bin("00018a7570001097db97979897977d87979797000092001f0051000000000000000000ffff7fff00000000001e0000000000000000000000000c0000000000000000000000000000dc0000000100000000000000004f011900007f0000000000180039000000000000000000000000000000dc0000000100000000000000004f011900007f0000f500000000eeff0000000000000000010000fd00");
++
++$f = finfo_open();
++finfo_buffer($f, $data);
++?>
++--EXPECT--
+-- 
+2.27.0
+

php.spec

@@ -26,7 +26,7 @@
 
 Name:          php
 Version:       %{upver}
-Release:       4
+Release:       5
 Summary:       PHP scripting language for creating dynamic web sites
 License:       PHP and Zend and BSD and MIT and ASL 1.0 and NCSA and Boost
 URL:           http://www.php.net/
@@ -59,6 +59,7 @@ Patch8:        php-7.4.0-datetests.patch
 Patch9:        backport-CVE-2021-21708-Fix-81708.patch
 Patch10:       backport-CVE-2022-31625.patch
 Patch11:       backport-CVE-2022-31626.patch
+Patch12:       backport-CVE-2022-31627.patch
 
 BuildRequires: bzip2-devel, curl-devel >= 7.9, httpd-devel >= 2.0.46-1, pam-devel, httpd-filesystem, nginx-filesystem
 BuildRequires: libstdc++-devel, openssl-devel, sqlite-devel >= 3.6.0, zlib-devel, smtpdaemon, libedit-devel
@@ -1092,6 +1093,9 @@ systemctl try-restart php-fpm.service >/dev/null 2>&1 || :
 
 
 %changelog
+* Tue Jul 12 2022 Hugel <gengqihu1@h-partners.com> - 8.1.1-5
+- Fix CVE-2022-31627
+
 * Sat Jun 18 2022 Hugel <gengqihu1@h-partners.com> - 8.1.1-4
 - Fix CVE-2022-31625 CVE-2022-31626