author | Christoph M. Becker <cmbecker69@gmx.de> | 2020-11-24 14:06:19 +0100 |
---|---|---|
committer | Christoph M. Becker <cmbecker69@gmx.de> | 2020-11-24 14:06:53 +0100 |
commit | e589609b4c08209fb414ffd189dfd2b49cc145ca (patch) | |
tree | 09ffcf21b1abcda41caaed365bfa2a3679539af4 | |
parent | 337031abbde89758724f3d7583f2ea607b9491e3 (diff) | |
parent | 39f95f56144d595b9af7828726c3e28c313fb2b7 (diff) | |
download | php-git-e589609b4c08209fb414ffd189dfd2b49cc145ca.tar.gz |
Merge branch 'PHP-7.4' into PHP-8.0
* PHP-7.4:
Fix #77961: finfo_open crafted magic parsing SIGABRT
-rw-r--r-- | NEWS | 3 | ||||
-rw-r--r-- | ext/fileinfo/libmagic.patch | 107 | ||||
-rw-r--r-- | ext/fileinfo/libmagic/file.h | 2 | ||||
-rw-r--r-- | ext/fileinfo/tests/bug77961.magic | 50 | ||||
-rw-r--r-- | ext/fileinfo/tests/bug77961.phpt | 14 |
5 files changed, 126 insertions, 50 deletions
@@ -8,6 +8,9 @@ PHP NEWS . Fixed bug #72964 (White space not unfolded for CC/Bcc headers). (cmb) . Fixed bug #80391 (Iterable not covariant to mixed). (Nikita) +- Fileinfo: + . Fixed bug #77961 (finfo_open crafted magic parsing SIGABRT). (cmb) + - Opcache: . Fixed bug #80404 (Incorrect range inference result when division results in float). (Nikita) diff --git a/ext/fileinfo/libmagic.patch b/ext/fileinfo/libmagic.patch index 54ee11378d..f6ca9412c4 100644 --- a/ext/fileinfo/libmagic.patch +++ b/ext/fileinfo/libmagic.patch @@ -1,6 +1,6 @@ -diff -ur libmagic.orig/apprentice.c libmagic/apprentice.c +diff -u libmagic.orig/apprentice.c libmagic/apprentice.c --- libmagic.orig/apprentice.c 2020-05-09 20:57:15.000000000 +0200 -+++ libmagic/apprentice.c 2020-08-29 19:56:29.638061530 +0200 ++++ libmagic/apprentice.c 2020-11-07 14:41:13.543842900 +0100 @@ -29,6 +29,8 @@ * apprentice - make one pass through /etc/magic, learning its secrets. */ @@ -927,9 +927,9 @@ diff -ur libmagic.orig/apprentice.c libmagic/apprentice.c m->str_range = swap4(m->str_range); m->str_flags = swap4(m->str_flags); } -diff -ur libmagic.orig/ascmagic.c libmagic/ascmagic.c +diff -u libmagic.orig/ascmagic.c libmagic/ascmagic.c --- libmagic.orig/ascmagic.c 2020-06-15 02:01:01.000000000 +0200 -+++ libmagic/ascmagic.c 2020-08-29 02:05:56.212049441 +0200 ++++ libmagic/ascmagic.c 2020-11-07 14:41:13.543842900 +0100 @@ -50,7 +50,7 @@ #define ISSPC(x) ((x) == ' ' || (x) == '\t' || (x) == '\r' || (x) == '\n' \ || (x) == 0x85 || (x) == '\f') @@ -993,9 +993,9 @@ diff -ur libmagic.orig/ascmagic.c libmagic/ascmagic.c { size_t i; unsigned char *end = buf + len; -diff -ur libmagic.orig/buffer.c libmagic/buffer.c +diff -u libmagic.orig/buffer.c libmagic/buffer.c --- libmagic.orig/buffer.c 2020-02-16 16:52:49.000000000 +0100 -+++ libmagic/buffer.c 2020-08-29 02:05:56.212049441 +0200 ++++ libmagic/buffer.c 2020-11-07 14:41:13.543842900 +0100 @@ -31,19 +31,23 @@ #endif /* lint */ 
@@ -1049,9 +1049,9 @@ diff -ur libmagic.orig/buffer.c libmagic/buffer.c b->ebuf = NULL; goto out; } -diff -ur libmagic.orig/cdf.c libmagic/cdf.c +diff -u libmagic.orig/cdf.c libmagic/cdf.c --- libmagic.orig/cdf.c 2019-09-30 17:42:50.000000000 +0200 -+++ libmagic/cdf.c 2020-08-29 02:05:56.212049441 +0200 ++++ libmagic/cdf.c 2020-11-07 14:41:13.559464400 +0100 @@ -43,7 +43,17 @@ #include <err.h> #endif @@ -1284,9 +1284,9 @@ diff -ur libmagic.orig/cdf.c libmagic/cdf.c } #endif -diff -ur libmagic.orig/cdf.h libmagic/cdf.h +diff -u libmagic.orig/cdf.h libmagic/cdf.h --- libmagic.orig/cdf.h 2019-09-30 17:42:50.000000000 +0200 -+++ libmagic/cdf.h 2020-07-04 12:40:36.663619335 +0200 ++++ libmagic/cdf.h 2020-10-09 14:15:33.483358900 +0200 @@ -35,10 +35,10 @@ #ifndef _H_CDF_ #define _H_CDF_ @@ -1301,9 +1301,9 @@ diff -ur libmagic.orig/cdf.h libmagic/cdf.h #endif #ifdef __DJGPP__ #define timespec timeval -diff -ur libmagic.orig/cdf_time.c libmagic/cdf_time.c +diff -u libmagic.orig/cdf_time.c libmagic/cdf_time.c --- libmagic.orig/cdf_time.c 2019-03-12 21:43:05.000000000 +0100 -+++ libmagic/cdf_time.c 2020-07-04 12:40:36.667619309 +0200 ++++ libmagic/cdf_time.c 2020-10-09 14:15:33.484360000 +0200 @@ -23,6 +23,7 @@ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE * POSSIBILITY OF SUCH DAMAGE. @@ -1330,9 +1330,9 @@ diff -ur libmagic.orig/cdf_time.c libmagic/cdf_time.c if (ptr != NULL) return buf; (void)snprintf(buf, 26, "*Bad* %#16.16" INT64_T_FORMAT "x\n", -diff -ur libmagic.orig/compress.c libmagic/compress.c +diff -u libmagic.orig/compress.c libmagic/compress.c --- libmagic.orig/compress.c 2020-05-31 02:11:06.000000000 +0200 -+++ libmagic/compress.c 2020-08-29 02:05:56.212049441 +0200 ++++ libmagic/compress.c 2020-11-07 14:41:13.559464400 +0100 @@ -51,7 +51,7 @@ #ifndef HAVE_SIG_T typedef void (*sig_t)(int); 
@@ -1467,9 +1467,9 @@ diff -ur libmagic.orig/compress.c libmagic/compress.c } #endif +#endif -diff -ur libmagic.orig/der.c libmagic/der.c +diff -u libmagic.orig/der.c libmagic/der.c --- libmagic.orig/der.c 2020-06-15 02:01:01.000000000 +0200 -+++ libmagic/der.c 2020-08-29 11:56:12.303522747 +0200 ++++ libmagic/der.c 2020-11-07 14:41:13.559464400 +0100 @@ -54,7 +54,9 @@ #include "magic.h" #include "der.h" @@ -1480,9 +1480,9 @@ diff -ur libmagic.orig/der.c libmagic/der.c #include <sys/stat.h> #include <err.h> #endif -diff -ur libmagic.orig/elfclass.h libmagic/elfclass.h +diff -u libmagic.orig/elfclass.h libmagic/elfclass.h --- libmagic.orig/elfclass.h 2019-02-20 02:30:19.000000000 +0100 -+++ libmagic/elfclass.h 2020-07-04 12:40:36.667619309 +0200 ++++ libmagic/elfclass.h 2020-10-09 14:15:33.488358700 +0200 @@ -41,7 +41,7 @@ return toomany(ms, "program headers", phnum); flags |= FLAGS_IS_CORE; @@ -1510,9 +1510,9 @@ diff -ur libmagic.orig/elfclass.h libmagic/elfclass.h CAST(size_t, elf_getu16(swap, elfhdr.e_shentsize)), fsize, elf_getu16(swap, elfhdr.e_machine), CAST(int, elf_getu16(swap, elfhdr.e_shstrndx)), -diff -ur libmagic.orig/encoding.c libmagic/encoding.c +diff -u libmagic.orig/encoding.c libmagic/encoding.c --- libmagic.orig/encoding.c 2019-06-10 23:34:41.000000000 +0200 -+++ libmagic/encoding.c 2020-08-29 02:05:56.212049441 +0200 ++++ libmagic/encoding.c 2020-11-07 14:41:13.559464400 +0100 @@ -43,14 +43,14 @@ #include <stdlib.h> @@ -1700,9 +1700,9 @@ diff -ur libmagic.orig/encoding.c libmagic/encoding.c if (ubf[*ulen - 1] == 0xfffe) return 0; -diff -ur libmagic.orig/file.h libmagic/file.h +diff -u libmagic.orig/file.h libmagic/file.h --- libmagic.orig/file.h 2020-06-15 02:01:01.000000000 +0200 -+++ libmagic/file.h 2020-09-02 17:35:51.709611515 +0200 ++++ libmagic/file.h 2020-11-24 13:44:41.506472900 +0100 @@ -33,17 +33,13 @@ #ifndef __file_h__ #define __file_h__ 
@@ -1725,7 +1725,7 @@ diff -ur libmagic.orig/file.h libmagic/file.h #ifndef __STDC_LIMIT_MACROS #define __STDC_LIMIT_MACROS -@@ -79,10 +75,11 @@ +@@ -79,23 +75,26 @@ #include <stdio.h> /* Include that here, to make sure __P gets defined */ #include <errno.h> #include <fcntl.h> /* For open and flags */ @@ -1740,7 +1740,14 @@ diff -ur libmagic.orig/file.h libmagic/file.h #include <sys/param.h> #endif /* Do this here and now, because struct stat gets re-defined on solaris */ -@@ -95,7 +92,7 @@ + #include <sys/stat.h> + #include <stdarg.h> + ++#define abort() zend_error_noreturn(E_ERROR, "fatal libmagic error") ++ + #define ENABLE_CONDITIONALS + + #ifndef MAGIC #define MAGIC "/etc/magic" #endif @@ -1749,7 +1756,7 @@ diff -ur libmagic.orig/file.h libmagic/file.h #define PATHSEP ';' #else #define PATHSEP ':' -@@ -129,12 +126,6 @@ +@@ -129,12 +128,6 @@ #endif #endif @@ -1762,7 +1769,7 @@ diff -ur libmagic.orig/file.h libmagic/file.h #ifndef MIN #define MIN(a,b) (((a) < (b)) ? (a) : (b)) #endif -@@ -161,10 +152,10 @@ +@@ -161,10 +154,10 @@ struct buffer { int fd; @@ -1775,7 +1782,7 @@ diff -ur libmagic.orig/file.h libmagic/file.h void *ebuf; size_t elen; }; -@@ -258,7 +249,7 @@ +@@ -258,7 +251,7 @@ #define FILE_OFFSET 50 #define FILE_NAMES_SIZE 51 /* size of array to contain all names */ @@ -1784,7 +1791,7 @@ diff -ur libmagic.orig/file.h libmagic/file.h ((t) == FILE_STRING || \ (t) == FILE_PSTRING || \ (t) == FILE_BESTRING16 || \ -@@ -464,21 +455,17 @@ +@@ -464,21 +457,17 @@ }; /* Type for Unicode characters */ 
@@ -1810,7 +1817,7 @@ diff -ur libmagic.orig/file.h libmagic/file.h protected int file_separator(struct magic_set *); protected char *file_copystr(char *, size_t, size_t, const char *); protected int file_checkfmt(char *, size_t, const char *); -@@ -486,48 +473,42 @@ +@@ -486,48 +475,42 @@ protected int file_print_guid(char *, size_t, const uint64_t *); protected int file_parse_guid(const char *, uint64_t *); protected int file_replace(struct magic_set *, const char *, const char *); @@ -1867,7 +1874,7 @@ diff -ur libmagic.orig/file.h libmagic/file.h size_t *); protected size_t file_pstring_length_size(struct magic_set *, const struct magic *); -@@ -539,34 +520,12 @@ +@@ -539,34 +522,12 @@ size_t); #endif /* __EMX__ */ @@ -1904,7 +1911,7 @@ diff -ur libmagic.orig/file.h libmagic/file.h typedef struct { char *buf; -@@ -582,23 +541,10 @@ +@@ -582,23 +543,10 @@ extern const size_t file_nnames; #endif @@ -1930,7 +1937,7 @@ diff -ur libmagic.orig/file.h libmagic/file.h size_t strlcat(char *, const char *, size_t); #endif #ifndef HAVE_STRCASESTR -@@ -614,39 +560,6 @@ +@@ -614,39 +562,6 @@ #ifndef HAVE_ASCTIME_R char *asctime_r(const struct tm *, char *); #endif @@ -1970,7 +1977,7 @@ diff -ur libmagic.orig/file.h libmagic/file.h #if defined(HAVE_MMAP) && defined(HAVE_SYS_MMAN_H) && !defined(QUICK) #define QUICK -@@ -676,4 +589,16 @@ +@@ -676,4 +591,16 @@ #define __RCSID(a) #endif @@ -1987,9 +1994,9 @@ diff -ur libmagic.orig/file.h libmagic/file.h +#endif + #endif /* __file_h__ */ -diff -ur libmagic.orig/fsmagic.c libmagic/fsmagic.c +diff -u libmagic.orig/fsmagic.c libmagic/fsmagic.c --- libmagic.orig/fsmagic.c 2019-07-16 15:30:32.000000000 +0200 -+++ libmagic/fsmagic.c 2020-08-29 02:05:56.212049441 +0200 ++++ libmagic/fsmagic.c 2020-11-07 14:41:13.559464400 +0100 @@ -66,26 +66,10 @@ # define minor(dev) ((dev) & 0xff) #endif 
@@ -2280,9 +2287,9 @@ diff -ur libmagic.orig/fsmagic.c libmagic/fsmagic.c #ifdef S_IFSOCK #ifndef __COHERENT__ case S_IFSOCK: -diff -ur libmagic.orig/funcs.c libmagic/funcs.c +diff -u libmagic.orig/funcs.c libmagic/funcs.c --- libmagic.orig/funcs.c 2020-02-20 16:50:20.000000000 +0100 -+++ libmagic/funcs.c 2020-08-29 11:56:12.303522747 +0200 ++++ libmagic/funcs.c 2020-11-07 14:41:13.559464400 +0100 @@ -48,6 +48,13 @@ #define SIZE_MAX ((size_t)~0) #endif @@ -2655,9 +2662,9 @@ diff -ur libmagic.orig/funcs.c libmagic/funcs.c return rbuf; } -diff -ur libmagic.orig/magic.c libmagic/magic.c +diff -u libmagic.orig/magic.c libmagic/magic.c --- libmagic.orig/magic.c 2020-06-15 02:01:01.000000000 +0200 -+++ libmagic/magic.c 2020-08-29 11:56:12.303522747 +0200 ++++ libmagic/magic.c 2020-11-07 14:41:13.559464400 +0100 @@ -25,11 +25,6 @@ * SUCH DAMAGE. */ @@ -3131,9 +3138,9 @@ diff -ur libmagic.orig/magic.c libmagic/magic.c return NULL; } return file_getbuffer(ms); -diff -ur libmagic.orig/magic.h libmagic/magic.h ---- libmagic.orig/magic.h 2020-06-29 01:13:35.424557511 +0200 -+++ libmagic/magic.h 2020-08-29 02:05:56.212049441 +0200 +diff -u libmagic.orig/magic.h libmagic/magic.h +--- libmagic.orig/magic.h 2020-11-24 13:45:15.355600300 +0100 ++++ libmagic/magic.h 2020-11-07 14:41:13.559464400 +0100 @@ -126,6 +126,7 @@ const char *magic_getpath(const char *, int); @@ -3142,9 +3149,9 @@ diff -ur libmagic.orig/magic.h libmagic/magic.h const char *magic_descriptor(magic_t, int); const char *magic_buffer(magic_t, const void *, size_t); -diff -ur libmagic.orig/print.c libmagic/print.c +diff -u libmagic.orig/print.c libmagic/print.c --- libmagic.orig/print.c 2020-05-09 20:57:15.000000000 +0200 -+++ libmagic/print.c 2020-08-29 11:56:12.303522747 +0200 ++++ libmagic/print.c 2020-11-07 14:41:13.559464400 +0100 @@ -28,6 +28,7 @@ /* * print.c - debugging printout routines 
@@ -3207,9 +3214,9 @@ diff -ur libmagic.orig/print.c libmagic/print.c if (pp == NULL) goto out; -diff -ur libmagic.orig/readcdf.c libmagic/readcdf.c +diff -u libmagic.orig/readcdf.c libmagic/readcdf.c --- libmagic.orig/readcdf.c 2019-09-30 17:42:50.000000000 +0200 -+++ libmagic/readcdf.c 2020-08-29 02:05:56.212049441 +0200 ++++ libmagic/readcdf.c 2020-11-07 14:41:13.559464400 +0100 @@ -31,7 +31,11 @@ #include <assert.h> @@ -3331,9 +3338,9 @@ diff -ur libmagic.orig/readcdf.c libmagic/readcdf.c out0: /* If we handled it already, return */ if (i != -1) -diff -ur libmagic.orig/softmagic.c libmagic/softmagic.c +diff -u libmagic.orig/softmagic.c libmagic/softmagic.c --- libmagic.orig/softmagic.c 2020-06-15 02:01:01.000000000 +0200 -+++ libmagic/softmagic.c 2020-09-02 20:04:00.794667114 +0200 ++++ libmagic/softmagic.c 2020-11-07 14:41:13.559464400 +0100 @@ -43,6 +43,10 @@ #include <time.h> #include "der.h" @@ -3682,9 +3689,9 @@ diff -ur libmagic.orig/softmagic.c libmagic/softmagic.c break; } case FILE_INDIRECT: -diff -ur libmagic.orig/strcasestr.c libmagic/strcasestr.c +diff -u libmagic.orig/strcasestr.c libmagic/strcasestr.c --- libmagic.orig/strcasestr.c 2014-09-11 17:05:33.000000000 +0200 -+++ libmagic/strcasestr.c 2020-07-04 12:40:36.675619260 +0200 ++++ libmagic/strcasestr.c 2020-10-09 14:15:33.499288400 +0200 @@ -39,6 +39,8 @@ #include "file.h" diff --git a/ext/fileinfo/libmagic/file.h b/ext/fileinfo/libmagic/file.h index ea19faf7d4..b4d083f3c9 100644 --- a/ext/fileinfo/libmagic/file.h +++ b/ext/fileinfo/libmagic/file.h @@ -86,6 +86,8 @@ #include <sys/stat.h> #include <stdarg.h> +#define abort() zend_error_noreturn(E_ERROR, "fatal libmagic error") + #define ENABLE_CONDITIONALS #ifndef MAGIC diff --git a/ext/fileinfo/tests/bug77961.magic b/ext/fileinfo/tests/bug77961.magic new file mode 100644 index 0000000000..db0a90d883 --- /dev/null +++ b/ext/fileinfo/tests/bug77961.magic 
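Review bot: The `#define abort() zend_error_noreturn(E_ERROR, "fatal libmagic error")` line added to ext/fileinfo/libmagic/file.h has no comment, and a function-like macro named after a libc function is sensitive to include order. Any `<stdlib.h>` first pulled in after this point would have its `abort(void)` prototype run through the zero-argument macro and fail to compile, so the define presumably relies on the includes above having already brought it in. I would document both the reason and the constraint, e.g. `/* PHP: report libmagic's abort() as a fatal error instead of raising SIGABRT (bug #77961); keep after all libc includes. */`. An E_ERROR leaves libmagic through the engine's error path rather than returning, so it is worth confirming that the abort() call sites, which are outside this hunk, hold nothing at that point that is not request-managed. The message is a fixed string, so in the new test the preceding warning is the only hint of which check tripped; the same define is mirrored in the libmagic.patch hunk.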
@@ -0,0 +1,50 @@
+0 string 1
+>1 regex \^[0-9:,\ ]*-->[0-9:,\ ]* SubRip File
+!:mime text/x-srt
+
+0 lelong 0xc3cbc6c5 RISC OS Chunk data
+>12 string OBJ_ \b, AOF object
+>12 string LIB_ \b, ALF library
+
+0 name mach-o \b [
+>0 use mach-o-cpu \b
+>(8.L) indirect 8 \b:
+>0 belong x \b]
+
+0 belong 0xcafed00d JAR compressed with pack200,
+>5 byte x version %d.
+>4 byte x \b%d
+!:mime application/x-java-pack200
+
+# Objective-C
+0 regex \^#import Objective-C source text
+!:strength + 25
+!:mime text/x-objective-c
+
+0 string \x20\x20\x20\x20\x20\x20\x20\x20-:\x20\x20\x20\ 0:Source:
+>&0 search/128 \x20\x20\x20\x20\x20\x20\x20\x20-:\x20\x20\x20\ 0:Graph:
+>>&0 search/128 \x20\x20\x20\x20\x20\x20\x20\x20-:\x20\x20\x20\ 0:Data: GCOV coverage report
+
+0 name certinfo
+>0 der seq
+>>&0 der set
+>>>&0 der seq
+>>>>&0 der obj_id3=550406
+>>>>&0 der prt_str=x \b, countryName=%s
+>>&0 der set
+>>>&0 der seq
+>>>>&0 der obj_id3=550408
+>>>>&0 der utf8_str=x \b, stateOrProvinceName=%s
+>>&0 der set
+>>>&0 der seq
+>>>>&0 der obj_id3=55040a
+>>>>&0 der utf8_str=x \b, organizationName=%s
+>>&0 der set
+>>>&0 der seq
+>>>>&0 der obj_id3=550403
+>>>>&0 der utf8_str=x \b, commonName=%s
+>>&0 der seq
+
+0 search/1 FONT ASCII vfont text
+0 short 0436 Berkeley vfont data
+0 short 017001 byte-swapped Berkeley vfont data
diff --git a/ext/fileinfo/tests/bug77961.phpt b/ext/fileinfo/tests/bug77961.phpt
new file mode 100644
index 0000000000..b059a5d458
--- /dev/null
+++ b/ext/fileinfo/tests/bug77961.phpt
@@ -0,0 +1,14 @@
+--TEST--
+Bug #77961 (finfo_open crafted magic parsing SIGABRT)
+--SKIPIF--
+<?php
+if (!extension_loaded('fileinfo')) die('skip fileinfo extension not available');
+?>
+--FILE--
+<?php
+finfo_open(FILEINFO_NONE, __DIR__ . '/bug77961.magic');
+?>
+--EXPECTF--
+Warning: finfo_open(): Expected numeric type got `indirect' in %s on line %d
+
+Fatal error: fatal libmagic error in %s on line %d |