Fix CVE-2014-3538

Part of upstream commit 4a284c89d6ef11aca34da65da7d673050a5ea320
Also a bit of "lint fix 4314551ad76aebcf8b1a16b8e3328bc9f238a2ae"

debian/patches/CVE-2014-3538.patch

@@ -0,0 +1,103 @@
+Subject: file does not properly restrict the amount of data read during a regex search
+ID: CVE-2014-3538
+Author: Christos Zoulas <christos@zoulas.com>
+Date: Tue Jun 3 19:01:34 2014 +0000
+Origin:
+    commit 4a284c89d6ef11aca34da65da7d673050a5ea320
+Debian-Author: Christoph Biedl <debian.axhn@manchmal.in-ulm.de>
+Comment:
+ Taken from the fix in php5 (5.4.4-14+deb7u13), with minor corrections.
+Last-Update: 2014-09-07
+
+    * Enforce limit of 8K on regex searches that have no limits
+    * Allow the l modifier for regex to mean line count. Default
+      to byte count. If line count is specified, assume a max
+      of 80 characters per line to limit the byte count.
+    * Don't allow conversions to be used for dates, allowing
+      the mask field to be used as an offset.
+    * Bump the version of the magic format so that regex changes
+      are visible.
+
+--- a/src/softmagic.c
++++ b/src/softmagic.c
+@@ -51,7 +51,7 @@
+ private int32_t moffset(struct magic_set *, struct magic *);
+ private void mdebug(uint32_t, const char *, size_t);
+ private int mcopy(struct magic_set *, union VALUETYPE *, int, int,
+-    const unsigned char *, uint32_t, size_t, size_t);
++    const unsigned char *, uint32_t, size_t, struct magic *);
+ private int mconvert(struct magic_set *, struct magic *);
+ private int print_sep(struct magic_set *, int);
+ private int handle_annotation(struct magic_set *, struct magic *);
+@@ -918,7 +918,7 @@
+ 
+ private int
+ mcopy(struct magic_set *ms, union VALUETYPE *p, int type, int indir,
+-    const unsigned char *s, uint32_t offset, size_t nbytes, size_t linecnt)
++    const unsigned char *s, uint32_t offset, size_t nbytes, struct magic *m)
+ {
+ 	/*
+ 	 * Note: FILE_SEARCH and FILE_REGEX do not actually copy
+@@ -938,15 +938,24 @@
+ 			const char *last;	/* end of search region */
+ 			const char *buf;	/* start of search region */
+ 			const char *end;
+-			size_t lines;
++			size_t lines, linecnt, bytecnt;
+ 
++			linecnt = m->str_range;
++			bytecnt = linecnt * 80;
++
++			if (bytecnt == 0) {
++				bytecnt = 8192;
++			}
++			if (bytecnt > nbytes) {
++				bytecnt = nbytes;
++			}
+ 			if (s == NULL) {
+ 				ms->search.s_len = 0;
+ 				ms->search.s = NULL;
+ 				return 0;
+ 			}
+ 			buf = RCAST(const char *, s) + offset;
+-			end = last = RCAST(const char *, s) + nbytes;
++			end = last = RCAST(const char *, s) + bytecnt;
+ 			/* mget() guarantees buf <= last */
+ 			for (lines = linecnt, b = buf; lines && b < end &&
+ 			     ((b = CAST(const char *,
+@@ -959,7 +968,7 @@
+ 					b++;
+ 			}
+ 			if (lines)
+-				last = RCAST(const char *, s) + nbytes;
++				last = RCAST(const char *, s) + bytecnt;
+ 
+ 			ms->search.s = buf;
+ 			ms->search.s_len = last - buf;
+@@ -1032,7 +1041,6 @@
+     int recursion_level)
+ {
+ 	uint32_t offset = ms->offset;
+-	uint32_t count = m->str_range;
+ 	union VALUETYPE *p = &ms->ms_value;
+ 
+         if (recursion_level >= 20) {
+@@ -1040,7 +1048,8 @@
+                 return -1;
+         }
+ 
+-	if (mcopy(ms, p, m->type, m->flag & INDIR, s, offset, nbytes, count) == -1)
++	if (mcopy(ms, p, m->type, m->flag & INDIR, s, offset,
++	    (uint32_t)nbytes, m) == -1)
+ 		return -1;
+ 
+ 	if ((ms->flags & MAGIC_DEBUG) != 0) {
+@@ -1527,7 +1536,7 @@
+ 		if (m->flag & INDIROFFADD) {
+ 			offset += ms->c.li[cont_level-1].off;
+ 		}
+-		if (mcopy(ms, p, m->type, 0, s, offset, nbytes, count) == -1)
++		if (mcopy(ms, p, m->type, 0, s, offset, nbytes, m) == -1)
+ 			return -1;
+ 		ms->offset = offset;
+ 

debian/patches/series

@@ -12,3 +12,4 @@ CVE-2014-3478.patch
 CVE-2014-3479.patch
 CVE-2014-3480.patch
 CVE-2014-3487.patch
+CVE-2014-3538.patch