Fix bug #71459 - Integer overflow in iptcembed()

author: Stanislav Malyshev <stas@php.net> 2016-01-26 17:26:52 -0800
committer: Stanislav Malyshev <stas@php.net> 2016-01-26 17:26:52 -0800
commit: 54c210d2ea9b8539edcde1888b1104b96b38e886 (patch)
tree: 07b6c0ac0324f510e98fb9dce816a293b403839f
parent: 6297a117d77fa3a0df2e21ca926a92c231819cd5 (diff)
download: php-git-54c210d2ea9b8539edcde1888b1104b96b38e886.tar.gz
1 files changed, 6 insertions, 1 deletions
diff --git a/ext/standard/iptc.c b/ext/standard/iptc.c
index 05d778b41b..6f8aa5dc3e 100644
--- a/ext/standard/iptc.c
+++ b/ext/standard/iptc.c
@@ -195,6 +195,11 @@ PHP_FUNCTION(iptcembed)
 		RETURN_FALSE;
 	}
 
+	if ((size_t)iptcdata_len >= SIZE_MAX - sizeof(psheader) - 1025) {
+		php_error_docref(NULL TSRMLS_CC, E_WARNING, "IPTC data too large");
+		RETURN_FALSE;
+	}
+
 	if ((fp = VCWD_FOPEN(jpeg_file, "rb")) == 0) {
 		php_error_docref(NULL TSRMLS_CC, E_WARNING, "Unable to open %s", jpeg_file);
 		RETURN_FALSE;
@@ -203,7 +208,7 @@ PHP_FUNCTION(iptcembed)
 	if (spool < 2) {
 		fstat(fileno(fp), &sb);
 
-		poi = spoolbuf = safe_emalloc(1, iptcdata_len + sizeof(psheader) + sb.st_size + 1024, 1);
+		poi = spoolbuf = safe_emalloc(1, (size_t)iptcdata_len + sizeof(psheader) + 1024 + 1, sb.st_size);
 		memset(poi, 0, iptcdata_len + sizeof(psheader) + sb.st_size + 1024 + 1);
 	}
author	Stanislav Malyshev <stas@php.net>	2016-01-26 17:26:52 -0800
committer	Stanislav Malyshev <stas@php.net>	2016-01-26 17:26:52 -0800
commit	54c210d2ea9b8539edcde1888b1104b96b38e886 (patch)
tree	07b6c0ac0324f510e98fb9dce816a293b403839f
parent	6297a117d77fa3a0df2e21ca926a92c231819cd5 (diff)
download	php-git-54c210d2ea9b8539edcde1888b1104b96b38e886.tar.gz