From ca6d511fa54b34d5b75bf120a86482a1b9e1e686 Mon Sep 17 00:00:00 2001
From: "Christoph M. Becker"
Date: Thu, 30 Jun 2022 17:15:22 +0200
Subject: [PATCH] Fix #81723: Memory corruption in finfo_buffer()
We need to use the same memory allocator throughout.
---
 ext/fileinfo/libmagic.patch | 112 +++++++++++++++++------------
 ext/fileinfo/libmagic/softmagic.c | 8 +--
 ext/fileinfo/tests/bug81723.phpt | 12 ++++
 3 files changed, 79 insertions(+), 53 deletions(-)
 create mode 100644 ext/fileinfo/tests/bug81723.phpt
diff --git a/ext/fileinfo/libmagic.patch b/ext/fileinfo/libmagic.patch
index 27124692a0..3373ae4519 100644
--- a/ext/fileinfo/libmagic.patch
+++ b/ext/fileinfo/libmagic.patch
@@ -1,6 +1,6 @@
-diff -ur libmagic.orig/apprentice.c libmagic/apprentice.c
+diff -u libmagic.orig/apprentice.c libmagic/apprentice.c
 --- libmagic.orig/apprentice.c 2021-02-23 01:51:11.000000000 +0100
-+++ libmagic/apprentice.c 2021-04-06 21:34:57.332978922 +0200
++++ libmagic/apprentice.c 2022-06-16 13:39:41.570984700 +0200
 @@ -29,6 +29,8 @@
 * apprentice - make one pass through /etc/magic, learning its secrets.
 */
@@ -925,9 +925,9 @@ diff -ur libmagic.orig/apprentice.c libmagic/apprentice.c
 m->str_range = swap4(m->str_range);
 m->str_flags = swap4(m->str_flags);
 }
-diff -ur libmagic.orig/ascmagic.c libmagic/ascmagic.c
+diff -u libmagic.orig/ascmagic.c libmagic/ascmagic.c
 --- libmagic.orig/ascmagic.c 2021-02-23 01:49:06.000000000 +0100
-+++ libmagic/ascmagic.c 2021-04-06 21:34:57.332978922 +0200
++++ libmagic/ascmagic.c 2022-06-16 13:39:41.570984700 +0200
 @@ -96,7 +96,7 @@
 rv = file_ascmagic_with_encoding(ms, &bb, ubuf, ulen, code, type, text);
@@ -956,9 +956,9 @@ diff -ur libmagic.orig/ascmagic.c libmagic/ascmagic.c return rv; } -diff -ur libmagic.orig/buffer.c libmagic/buffer.c +diff -u libmagic.orig/buffer.c libmagic/buffer.c --- libmagic.orig/buffer.c 2021-02-23 01:49:26.000000000 +0100 -+++ libmagic/buffer.c 2021-04-06 21:34:57.332978922 +0200 ++++ libmagic/buffer.c 2021-09-21 13:27:27.982716100 +0200 @@ -31,19 +31,23 @@ #endif /* lint */ @@ -1012,9 +1012,9 @@ diff -ur libmagic.orig/buffer.c libmagic/buffer.c b->ebuf = NULL; goto out; } -diff -ur libmagic.orig/cdf.c libmagic/cdf.c +diff -u libmagic.orig/cdf.c libmagic/cdf.c --- libmagic.orig/cdf.c 2021-02-23 01:49:06.000000000 +0100 -+++ libmagic/cdf.c 2021-04-06 21:34:57.332978922 +0200 ++++ libmagic/cdf.c 2021-09-21 13:27:27.983695600 +0200 @@ -43,7 +43,17 @@ #include #endif @@ -1247,9 +1247,9 @@ diff -ur libmagic.orig/cdf.c libmagic/cdf.c } #endif -diff -ur libmagic.orig/cdf.h libmagic/cdf.h +diff -u libmagic.orig/cdf.h libmagic/cdf.h --- libmagic.orig/cdf.h 2021-02-23 01:49:06.000000000 +0100 -+++ libmagic/cdf.h 2021-04-06 21:34:57.332978922 +0200 ++++ libmagic/cdf.h 2021-09-21 13:27:27.984674900 +0200 @@ -35,10 +35,10 @@ #ifndef _H_CDF_ #define _H_CDF_ @@ -1264,9 +1264,9 @@ diff -ur libmagic.orig/cdf.h libmagic/cdf.h #endif #ifdef __DJGPP__ #define timespec timeval -diff -ur libmagic.orig/cdf_time.c libmagic/cdf_time.c +diff -u libmagic.orig/cdf_time.c libmagic/cdf_time.c --- libmagic.orig/cdf_time.c 2021-02-23 01:49:06.000000000 +0100 -+++ libmagic/cdf_time.c 2021-04-06 21:34:57.336978894 +0200 ++++ libmagic/cdf_time.c 2021-09-21 13:27:27.985654400 +0200 @@ -23,6 +23,7 @@ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE * POSSIBILITY OF SUCH DAMAGE. 
@@ -1293,9 +1293,9 @@ diff -ur libmagic.orig/cdf_time.c libmagic/cdf_time.c if (ptr != NULL) return buf; (void)snprintf(buf, 26, "*Bad* %#16.16" INT64_T_FORMAT "x\n", -diff -ur libmagic.orig/compress.c libmagic/compress.c +diff -u libmagic.orig/compress.c libmagic/compress.c --- libmagic.orig/compress.c 2021-02-23 01:49:07.000000000 +0100 -+++ libmagic/compress.c 2021-04-06 21:34:57.336978894 +0200 ++++ libmagic/compress.c 2022-06-16 13:39:41.586609800 +0200 @@ -51,7 +51,7 @@ #ifndef HAVE_SIG_T typedef void (*sig_t)(int); @@ -1430,9 +1430,9 @@ diff -ur libmagic.orig/compress.c libmagic/compress.c } #endif +#endif -diff -ur libmagic.orig/der.c libmagic/der.c +diff -u libmagic.orig/der.c libmagic/der.c --- libmagic.orig/der.c 2021-02-23 01:49:06.000000000 +0100 -+++ libmagic/der.c 2021-04-06 21:34:57.336978894 +0200 ++++ libmagic/der.c 2022-06-16 13:39:41.586609800 +0200 @@ -54,7 +54,9 @@ #include "magic.h" #include "der.h" @@ -1443,9 +1443,9 @@ diff -ur libmagic.orig/der.c libmagic/der.c #include #include #endif -diff -ur libmagic.orig/elfclass.h libmagic/elfclass.h +diff -u libmagic.orig/elfclass.h libmagic/elfclass.h --- libmagic.orig/elfclass.h 2021-02-23 01:49:06.000000000 +0100 -+++ libmagic/elfclass.h 2021-04-06 21:34:57.336978894 +0200 ++++ libmagic/elfclass.h 2021-09-21 13:27:27.989571700 +0200 @@ -41,7 +41,7 @@ return toomany(ms, "program headers", phnum); flags |= FLAGS_IS_CORE; @@ -1473,9 +1473,9 @@ diff -ur libmagic.orig/elfclass.h libmagic/elfclass.h CAST(size_t, elf_getu16(swap, elfhdr.e_shentsize)), fsize, elf_getu16(swap, elfhdr.e_machine), CAST(int, elf_getu16(swap, elfhdr.e_shstrndx)), -diff -ur libmagic.orig/encoding.c libmagic/encoding.c +diff -u libmagic.orig/encoding.c libmagic/encoding.c --- libmagic.orig/encoding.c 2021-02-23 01:49:06.000000000 +0100 -+++ libmagic/encoding.c 2021-04-06 21:34:57.336978894 +0200 ++++ libmagic/encoding.c 2022-06-16 13:39:41.586609800 +0200 @@ -98,14 +98,14 @@ nbytes = ms->encoding_max; 
@@ -1514,9 +1514,9 @@ diff -ur libmagic.orig/encoding.c libmagic/encoding.c } \ if (u < 3) \ return 0; \ -diff -ur libmagic.orig/file.h libmagic/file.h +diff -u libmagic.orig/file.h libmagic/file.h --- libmagic.orig/file.h 2021-02-23 01:49:06.000000000 +0100 -+++ libmagic/file.h 2021-04-06 21:34:57.336978894 +0200 ++++ libmagic/file.h 2022-06-16 13:39:41.586609800 +0200 @@ -33,17 +33,14 @@ #ifndef __file_h__ #define __file_h__ @@ -1775,9 +1775,9 @@ diff -ur libmagic.orig/file.h libmagic/file.h +#endif + #endif /* __file_h__ */ -diff -ur libmagic.orig/fsmagic.c libmagic/fsmagic.c +diff -u libmagic.orig/fsmagic.c libmagic/fsmagic.c --- libmagic.orig/fsmagic.c 2021-02-23 01:49:06.000000000 +0100 -+++ libmagic/fsmagic.c 2021-04-06 21:34:57.336978894 +0200 ++++ libmagic/fsmagic.c 2021-09-21 13:27:27.992511000 +0200 @@ -66,26 +66,10 @@ # define minor(dev) ((dev) & 0xff) #endif @@ -2068,9 +2068,9 @@ diff -ur libmagic.orig/fsmagic.c libmagic/fsmagic.c #ifdef S_IFSOCK #ifndef __COHERENT__ case S_IFSOCK: -diff -ur libmagic.orig/funcs.c libmagic/funcs.c +diff -u libmagic.orig/funcs.c libmagic/funcs.c --- libmagic.orig/funcs.c 2021-02-23 01:49:06.000000000 +0100 -+++ libmagic/funcs.c 2021-04-06 21:34:57.336978894 +0200 ++++ libmagic/funcs.c 2022-06-16 13:39:41.586609800 +0200 @@ -51,6 +51,13 @@ #define SIZE_MAX ((size_t)~0) #endif @@ -2388,9 +2388,9 @@ diff -ur libmagic.orig/funcs.c libmagic/funcs.c protected char * file_strtrim(char *str) -diff -ur libmagic.orig/magic.c libmagic/magic.c +diff -u libmagic.orig/magic.c libmagic/magic.c --- libmagic.orig/magic.c 2021-02-23 01:49:06.000000000 +0100 -+++ libmagic/magic.c 2021-04-06 21:34:57.336978894 +0200 ++++ libmagic/magic.c 2022-06-16 13:39:41.586609800 +0200 @@ -25,11 +25,6 @@ * SUCH DAMAGE. */ 
@@ -2867,9 +2867,9 @@ diff -ur libmagic.orig/magic.c libmagic/magic.c return NULL; } return file_getbuffer(ms); -diff -ur libmagic.orig/magic.h libmagic/magic.h ---- libmagic.orig/magic.h 2021-04-06 22:37:37.647426536 +0200 -+++ libmagic/magic.h 2021-04-06 21:34:57.336978894 +0200 +diff -u libmagic.orig/magic.h libmagic/magic.h +--- libmagic.orig/magic.h 2022-06-30 17:16:06.144009900 +0200 ++++ libmagic/magic.h 2022-06-16 13:39:41.586609800 +0200 @@ -126,6 +126,7 @@ const char *magic_getpath(const char *, int); @@ -2878,9 +2878,9 @@ diff -ur libmagic.orig/magic.h libmagic/magic.h const char *magic_descriptor(magic_t, int); const char *magic_buffer(magic_t, const void *, size_t); -diff -ur libmagic.orig/print.c libmagic/print.c +diff -u libmagic.orig/print.c libmagic/print.c --- libmagic.orig/print.c 2021-02-23 01:49:07.000000000 +0100 -+++ libmagic/print.c 2021-04-06 21:34:57.340978869 +0200 ++++ libmagic/print.c 2021-09-21 13:27:27.998388700 +0200 @@ -28,6 +28,7 @@ /* * print.c - debugging printout routines @@ -2943,9 +2943,9 @@ diff -ur libmagic.orig/print.c libmagic/print.c if (pp == NULL) goto out; -diff -ur libmagic.orig/readcdf.c libmagic/readcdf.c +diff -u libmagic.orig/readcdf.c libmagic/readcdf.c --- libmagic.orig/readcdf.c 2021-02-23 01:49:08.000000000 +0100 -+++ libmagic/readcdf.c 2021-04-06 21:34:57.340978869 +0200 ++++ libmagic/readcdf.c 2021-09-21 13:27:27.999369100 +0200 @@ -31,7 +31,11 @@ #include @@ -3067,9 +3067,9 @@ diff -ur libmagic.orig/readcdf.c libmagic/readcdf.c out0: /* If we handled it already, return */ if (i != -1) -diff -ur libmagic.orig/softmagic.c libmagic/softmagic.c +diff -u libmagic.orig/softmagic.c libmagic/softmagic.c --- libmagic.orig/softmagic.c 2021-02-23 01:49:06.000000000 +0100 -+++ libmagic/softmagic.c 2021-04-06 21:34:57.340978869 +0200 ++++ libmagic/softmagic.c 2022-06-30 16:58:15.521661800 +0200 @@ -43,6 +43,10 @@ #include #include "der.h" 
@@ -3247,7 +3247,29 @@ diff -ur libmagic.orig/softmagic.c libmagic/softmagic.c
 return rv;
 }
-@@ -1845,15 +1847,15 @@
+@@ -1531,11 +1533,7 @@
+ size_t len;
+ *c = ms->c;
+ len = c->len * sizeof(*c->li);
+- ms->c.li = CAST(struct level_info *, malloc(len));
+- if (ms->c.li == NULL) {
+- ms->c = *c;
+- return -1;
+- }
++ ms->c.li = CAST(struct level_info *, emalloc(len));
+ memcpy(ms->c.li, c->li, len);
+ return 0;
+ }
+@@ -1543,7 +1541,7 @@
+ private void
+ restore_cont(struct magic_set *ms, struct cont *c)
+ {
+- free(ms->c.li);
++ efree(ms->c.li);
+ ms->c = *c;
+ }
+
+@@ -1845,15 +1843,15 @@
 if ((ms->flags & MAGIC_NODESC) == 0 && file_printf(ms, F(ms, m->desc, "%u"), offset) == -1) {
@@ -3266,7 +3288,7 @@ diff -ur libmagic.orig/softmagic.c libmagic/softmagic.c
 return rv;
 case FILE_USE:
-@@ -1958,10 +1960,13 @@
+@@ -1958,10 +1956,13 @@
 } else if ((flags & STRING_COMPACT_WHITESPACE) && isspace(*a)) {
@@ -3281,7 +3303,7 @@ diff -ur libmagic.orig/softmagic.c libmagic/softmagic.c
 b++;
 } else {
-@@ -1997,6 +2002,60 @@
+@@ -1997,6 +1998,60 @@
 return file_strncmp(a, b, len, maxlen, flags);
 }
@@ -3342,7 +3364,7 @@ diff -ur libmagic.orig/softmagic.c libmagic/softmagic.c
 private int
 magiccheck(struct magic_set *ms, struct magic *m)
 {
-@@ -2176,65 +2235,77 @@
+@@ -2176,65 +2231,77 @@
 break;
 }
 case FILE_REGEX: {
@@ -3471,9 +3493,9 @@ diff -ur libmagic.orig/softmagic.c libmagic/softmagic.c
 break;
 }
 case FILE_USE:
-diff -ur libmagic.orig/strcasestr.c libmagic/strcasestr.c
+diff -u libmagic.orig/strcasestr.c libmagic/strcasestr.c
 --- libmagic.orig/strcasestr.c 2021-02-23 01:49:12.000000000 +0100
-+++ libmagic/strcasestr.c 2021-04-06 21:34:57.340978869 +0200
++++ libmagic/strcasestr.c 2021-09-21 13:27:28.002306200 +0200
 @@ -39,6 +39,8 @@
 #include "file.h"
@@ -3483,7 +3505,3 @@ diff -ur libmagic.orig/strcasestr.c libmagic/strcasestr.c
 #include
 #include
 #include
---- libmagic/config.h 2021-04-06 22:19:57.552120067 +0200
-+++ /dev/null 2021-03-31 20:37:24.776503884 +0200
-@@ -1 +0,0 @@
--#include "php.h"
diff --git a/ext/fileinfo/libmagic/softmagic.c b/ext/fileinfo/libmagic/softmagic.c
index c86524e31e..5132b4ddea 100644
--- a/ext/fileinfo/libmagic/softmagic.c
+++ b/ext/fileinfo/libmagic/softmagic.c
@@ -1533,11 +1533,7 @@ save_cont(struct magic_set *ms, struct cont *c)
 size_t len;
 *c = ms->c;
 len = c->len * sizeof(*c->li);
- ms->c.li = CAST(struct level_info *, malloc(len));
- if (ms->c.li == NULL) {
- ms->c = *c;
- return -1;
- }
+ ms->c.li = CAST(struct level_info *, emalloc(len));
 memcpy(ms->c.li, c->li, len);
 return 0;
 }
@@ -1545,7 +1541,7 @@ save_cont(struct magic_set *ms, struct cont *c)
 private void
 restore_cont(struct magic_set *ms, struct cont *c)
 {
- free(ms->c.li);
+ efree(ms->c.li);
 ms->c = *c;
 }
diff --git a/ext/fileinfo/tests/bug81723.phpt b/ext/fileinfo/tests/bug81723.phpt
new file mode 100644
index 0000000000..16bfb81f10
--- /dev/null
+++ b/ext/fileinfo/tests/bug81723.phpt
@@ -0,0 +1,12 @@
+--TEST--
+Bug #81723 (Memory corruption in finfo_buffer())
+--EXTENSIONS--
+fileinfo
+--FILE--
+--EXPECT--
--
2.27.0
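Review bot: In the `save_cont` hunk the byte count `len = c->len * sizeof(*c->li)` is still an unchecked multiplication feeding the new `emalloc(len)` and the `memcpy` right after it; PHP's idiom for count-times-size allocations is `ms->c.li = CAST(struct level_info *, safe_emalloc(c->len, sizeof(*c->li), 0));`, which aborts on overflow instead of under-allocating. Whether `c->len` can ever be large enough for this to matter is not visible in the hunk, so treat it as hardening rather than a defect. Dropping the NULL check is consistent with emalloc() never returning NULL on OOM, but it leaves `save_cont` unable to return -1, so a comment above the allocation — `/* emalloc() does not return NULL (it bails out on OOM); the -1 path is therefore unreachable */` — would stop the next reader from re-adding a libc-style check, and any caller branches on `== -1` are now dead code. The same two edits are duplicated in the libmagic.patch hunk at `@@ -3247,7 +3247,29 @@`, which has to stay in sync with this file; the `save_cont` signature itself lies above the first hunk.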