author | Christoph M. Becker <cmbecker69@gmx.de> | 2018-03-27 18:42:55 +0200 |
committer | Stanislav Malyshev <stas@php.net> | 2018-04-22 20:15:02 -0700 |
commit | b4e4788c4461449b4587e19ef1f474ce938e4980 (patch) | |
tree | 1ee96d145f812a8bfef219cbdbb6ee8362cbef48 | |
parent | 36239fee3638a8f4cfe3ca3aba597cb1699abd90 (diff) | |
Fix #76130: Heap Buffer Overflow (READ: 1786) in exif_iif_add_value
The MakerNote is not necessarily NUL-terminated, so calling `strlen()` on it
can scan past the end of the buffer (an out-of-bounds read). Use
`php_strnlen()`, which bounds the scan to the known `length`, instead.
-rw-r--r-- | ext/exif/exif.c | 2 | ||||
-rw-r--r-- | ext/exif/tests/bug76130.phpt | 20 | ||||
-rw-r--r-- | ext/exif/tests/bug76130_1.jpg | bin | 0 -> 3396 bytes | |||
-rw-r--r-- | ext/exif/tests/bug76130_2.jpg | bin | 0 -> 1632 bytes |
4 files changed, 21 insertions, 1 deletions
diff --git a/ext/exif/exif.c b/ext/exif/exif.c
index 1c8772f76b..e535278fc9 100644
--- a/ext/exif/exif.c
+++ b/ext/exif/exif.c
@@ -1710,7 +1710,7 @@ static void exif_iif_add_value(image_info_type *image_info, int section_index, c
case TAG_FMT_UNDEFINED:
if (value) {
if (tag == TAG_MAKER_NOTE) {
- length = MIN(length, strlen(value));
+ length = (int) php_strnlen(value, length);
}

/* do not recompute length here */
diff --git a/ext/exif/tests/bug76130.phpt b/ext/exif/tests/bug76130.phpt
new file mode 100644
index 0000000000..9c826af629
--- /dev/null
+++ b/ext/exif/tests/bug76130.phpt
@@ -0,0 +1,20 @@
+--TEST--
+Bug #76130 (Heap Buffer Overflow (READ: 1786) in exif_iif_add_value)
+--DESCRIPTION--
+This test is meant to exhibit memory issues with the `-m` option. Since a lot of
+notices and warnings are to be expected anyway, we suppress these, since the are
+not relevant for this test.
+--INI--
+error_reporting=E_ALL & ~E_WARNING & ~E_NOTICE
+--SKIPIF--
+<?php
+if (!extension_loaded('exif')) die('skip exif extension not available');
+?>
+--FILE--
+<?php
+exif_read_data(__DIR__ . '/bug76130_1.jpg');
+exif_read_data(__DIR__ . '/bug76130_2.jpg');
+?>
+===DONE===
+--EXPECT--
+===DONE===
diff --git a/ext/exif/tests/bug76130_1.jpg b/ext/exif/tests/bug76130_1.jpg
Binary files differ
new file mode 100644
index 0000000000..e063e46d22
--- /dev/null
+++ b/ext/exif/tests/bug76130_1.jpg
diff --git a/ext/exif/tests/bug76130_2.jpg b/ext/exif/tests/bug76130_2.jpg
Binary files differ
new file mode 100644
index 0000000000..a9e79dca5c
--- /dev/null
+++ b/ext/exif/tests/bug76130_2.jpg |
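Review bot: The sign of `length` is not checked before the new `php_strnlen(value, length)` call: the `(int)` cast on the result suggests `length` is a signed `int`, and a negative value would convert to a huge `size_t` and make the scan unbounded again. The signature is cut off in the hunk header and the rest of exif_iif_add_value lies outside this hunk, so if callers cannot be shown to reject negative lengths, guard it with `if (length < 0) length = 0;` ahead of the call, or document it as a caller-side invariant. A one-line why-comment would also help the next reader: `/* MakerNote need not be NUL-terminated: bound the scan to length */`. Note that, as before the patch, the value is still cut at the first NUL byte even though TAG_FMT_UNDEFINED data can legitimately contain embedded NULs; that is unchanged behaviour, but worth stating in the same comment.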
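Review bot: The `--DESCRIPTION--` block has a typo on its second line: `since the are` should read `since they are`. Because the only expectation is `===DONE===`, the test detects the overflow solely when run under a memory checker (the `-m` option the description mentions); presumably each of the two fixtures triggers a different variant of the bad MakerNote length, and a short sentence in the description saying what distinguishes `bug76130_1.jpg` from `bug76130_2.jpg` would help a future maintainer keep both.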