authorStanislav Malyshev <stas@php.net>2018-07-16 15:13:13 -0700
committerStanislav Malyshev <stas@php.net>2018-07-16 15:13:13 -0700
commitbddf8140e4ad9ae7e1ee9b03e2c4998da205af82 (patch)
tree1656767a509ce88a0af313e327a8377762dd9deb
parentf151e048ed27f6f4eef729f3310d053ab5da71d4 (diff)
parentb73a10854311e13f208e4b5dfc91338929213940 (diff)
downloadphp-git-bddf8140e4ad9ae7e1ee9b03e2c4998da205af82.tar.gz
Merge branch 'PHP-5.6' into PHP-7.0
* PHP-5.6: Add NEWS Fixed bug #76459 windows linkinfo lacks openbasedir check Fix bug #76557: heap-buffer-overflow (READ of size 48) while reading exif data Fix bug #76423 - Int Overflow lead to Heap OverFlow in exif_thumbnail_extract of exif.c
-rw-r--r--ext/exif/exif.c10
-rw-r--r--ext/exif/tests/bug76423.jpgbin0 -> 1537 bytes
-rw-r--r--ext/exif/tests/bug76423.phpt19
-rw-r--r--ext/exif/tests/bug76557.jpgbin0 -> 2372 bytes
-rw-r--r--ext/exif/tests/bug76557.phpt79
5 files changed, 106 insertions, 2 deletions
diff --git a/ext/exif/exif.c b/ext/exif/exif.c
index 064487b1f4..6fa60f7a2a 100644
--- a/ext/exif/exif.c
+++ b/ext/exif/exif.c
@@ -2536,7 +2536,10 @@ static void exif_thumbnail_extract(image_info_type *ImageInfo, char *offset, siz
return;
}
/* Check to make sure we are not going to go past the ExifLength */
- if ((ImageInfo->Thumbnail.offset + ImageInfo->Thumbnail.size) > length) {
+ if (ImageInfo->Thumbnail.size > length
+ || (ImageInfo->Thumbnail.offset + ImageInfo->Thumbnail.size) > length
+ || ImageInfo->Thumbnail.offset > length - ImageInfo->Thumbnail.size
+ ) {
EXIF_ERRLOG_THUMBEOF(ImageInfo)
return;
}
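Review bot: The middle clause `(ImageInfo->Thumbnail.offset + ImageInfo->Thumbnail.size) > length` keeps the very addition that overflowed in the original check, while the clauses on either side of it (`size > length` and `offset > length - size`) already reject every out-of-range thumbnail without any arithmetic that can wrap. Dropping the middle clause makes the guard read as the overflow-free form it is meant to be: `if (ImageInfo->Thumbnail.size > length || ImageInfo->Thumbnail.offset > length - ImageInfo->Thumbnail.size) {`. This assumes offset, size and length are all unsigned; if either Thumbnail field is a signed type a negative value would pass both remaining comparisons, which the hunk does not let me confirm. exif_thumbnail_extract's body continues on both sides of the hunk.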
@@ -2714,6 +2717,7 @@ static int exif_process_IFD_in_MAKERNOTE(image_info_type *ImageInfo, char * valu
int NumDirEntries, old_motorola_intel, offset_diff;
const maker_note_type *maker_note;
char *dir_start;
+ int data_len;
for (i=0; i<=sizeof(maker_note_array)/sizeof(maker_note_type); i++) {
if (i==sizeof(maker_note_array)/sizeof(maker_note_type)) {
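Review bot: `int data_len;` is declared without an initializer here, and the only assignments visible are in the MN_OFFSET_MAKER and MN_OFFSET_GUESS cases of the hunks at -2768 and -2784; the body of `default:` / `case MN_OFFSET_NORMAL:` lies outside those hunks, so if it does not assign data_len the read at `offset_base, data_len, displacement, section_index, 0, maker_note->tag_table` in the hunk at -2797 is of an uninitialized int. Either initialize at the declaration, `int data_len = value_len;`, or assign data_len in the MN_OFFSET_NORMAL case to match whatever offset_base is chosen there. Separately, `data_len = value_len - offset_diff;` is only non-negative if the guard preceding it bounds offset_diff by value_len, which is also not shown; if exif_process_IFD_TAG takes that length as an unsigned type, a negative data_len would convert to a huge bound and defeat the check. exif_process_IFD_in_MAKERNOTE starts before the first of these hunks and ends after the last.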
@@ -2768,6 +2772,7 @@ static int exif_process_IFD_in_MAKERNOTE(image_info_type *ImageInfo, char * valu
switch (maker_note->offset_mode) {
case MN_OFFSET_MAKER:
offset_base = value_ptr;
+ data_len = value_len;
break;
case MN_OFFSET_GUESS:
if (maker_note->offset + 10 + 4 >= value_len) {
@@ -2784,6 +2789,7 @@ static int exif_process_IFD_in_MAKERNOTE(image_info_type *ImageInfo, char * valu
return FALSE;
}
offset_base = value_ptr + offset_diff;
+ data_len = value_len - offset_diff;
break;
default:
case MN_OFFSET_NORMAL:
@@ -2797,7 +2803,7 @@ static int exif_process_IFD_in_MAKERNOTE(image_info_type *ImageInfo, char * valu
for (de=0;de<NumDirEntries;de++) {
if (!exif_process_IFD_TAG(ImageInfo, dir_start + 2 + 12 * de,
- offset_base, IFDlength, displacement, section_index, 0, maker_note->tag_table)) {
+ offset_base, data_len, displacement, section_index, 0, maker_note->tag_table)) {
return FALSE;
}
}
diff --git a/ext/exif/tests/bug76423.jpg b/ext/exif/tests/bug76423.jpg
new file mode 100644
index 0000000000..08fe2bbc57
--- /dev/null
+++ b/ext/exif/tests/bug76423.jpg
Binary files differ
diff --git a/ext/exif/tests/bug76423.phpt b/ext/exif/tests/bug76423.phpt
new file mode 100644
index 0000000000..4c8cd45dc9
--- /dev/null
+++ b/ext/exif/tests/bug76423.phpt
@@ -0,0 +1,19 @@
+--TEST--
+Bug #76423 (Int Overflow lead to Heap OverFlow in exif_thumbnail_extract of exif.c)
+--SKIPIF--
+<?php
+if (!extension_loaded('exif')) die('skip exif extension not available');
+?>
+--FILE--
+<?php
+exif_read_data(__DIR__ . '/bug76423.jpg', 0, true, true);
+?>
+===DONE===
+--EXPECTF--
+
+Warning: exif_read_data(%s.jpg): Thumbnail goes IFD boundary or end of file reached in %s on line %d
+
+Warning: exif_read_data(%s.jpg): File structure corrupted in %s on line %d
+
+Warning: exif_read_data(%s.jpg): Invalid JPEG file in %s on line %d
+===DONE===
diff --git a/ext/exif/tests/bug76557.jpg b/ext/exif/tests/bug76557.jpg
new file mode 100644
index 0000000000..d678f07c0f
--- /dev/null
+++ b/ext/exif/tests/bug76557.jpg
Binary files differ
diff --git a/ext/exif/tests/bug76557.phpt b/ext/exif/tests/bug76557.phpt
new file mode 100644
index 0000000000..4553b62772
--- /dev/null
+++ b/ext/exif/tests/bug76557.phpt
@@ -0,0 +1,79 @@
+--TEST--
+Bug 76557 (heap-buffer-overflow (READ of size 48) while reading exif data)
+--SKIPIF--
+<?php if (!extension_loaded('exif')) print 'skip exif extension not available';?>
+--FILE--
+<?php
+var_dump(count(exif_read_data(dirname(__FILE__) . "/bug76557.jpg")));
+?>
+DONE
+--EXPECTF--
+Warning: exif_read_data(bug76557.jpg): Process tag(x010F=Make ): Illegal format code 0x3030, suppose BYTE in %sbug76557.php on line %d
+
+Warning: exif_read_data(bug76557.jpg): Process tag(x3030=UndefinedTa): Illegal format code 0x3030, suppose BYTE in %sbug76557.php on line %d
+
+Warning: exif_read_data(bug76557.jpg): Process tag(x3030=UndefinedTa): Illegal format code 0x3030, suppose BYTE in %sbug76557.php on line %d
+
+Warning: exif_read_data(bug76557.jpg): Process tag(x3030=UndefinedTa): Illegal format code 0x3030, suppose BYTE in %sbug76557.php on line %d
+
+Warning: exif_read_data(bug76557.jpg): Process tag(x3030=UndefinedTa): Illegal format code 0x3030, suppose BYTE in %sbug76557.php on line %d
+
+Warning: exif_read_data(bug76557.jpg): Process tag(x3030=UndefinedTa): Illegal format code 0x3030, suppose BYTE in %sbug76557.php on line %d
+
+Warning: exif_read_data(bug76557.jpg): Process tag(x3030=UndefinedTa): Illegal format code 0x3030, suppose BYTE in %sbug76557.php on line %d
+
+Warning: exif_read_data(bug76557.jpg): Process tag(x3030=UndefinedTa): Illegal format code 0x3030, suppose BYTE in %sbug76557.php on line %d
+
+Warning: exif_read_data(bug76557.jpg): Process tag(x3030=UndefinedTa): Illegal format code 0x3030, suppose BYTE in %sbug76557.php on line %d
+
+Warning: exif_read_data(bug76557.jpg): Process tag(x3030=UndefinedTa): Illegal format code 0x3030, suppose BYTE in %sbug76557.php on line %d
+
+Warning: exif_read_data(bug76557.jpg): Process tag(x8769=Exif_IFD_Po): Illegal format code 0x3030, suppose BYTE in %sbug76557.php on line %d
+
+Warning: exif_read_data(bug76557.jpg): Process tag(x3030=UndefinedTa): Illegal format code 0x3030, suppose BYTE in %sbug76557.php on line %d
+
+Warning: exif_read_data(bug76557.jpg): Process tag(x3030=UndefinedTa): Illegal format code 0x3030, suppose BYTE in %sbug76557.php on line %d
+
+Warning: exif_read_data(bug76557.jpg): Process tag(x3030=UndefinedTa): Illegal format code 0x3030, suppose BYTE in %sbug76557.php on line %d
+
+Warning: exif_read_data(bug76557.jpg): Process tag(x3030=UndefinedTa): Illegal format code 0x3030, suppose BYTE in %sbug76557.php on line %d
+
+Warning: exif_read_data(bug76557.jpg): Process tag(x3030=UndefinedTa): Illegal format code 0x3030, suppose BYTE in %sbug76557.php on line %d
+
+Warning: exif_read_data(bug76557.jpg): Process tag(x3030=UndefinedTa): Illegal format code 0x3030, suppose BYTE in %sbug76557.php on line %d
+
+Warning: exif_read_data(bug76557.jpg): Process tag(x3030=UndefinedTa): Illegal format code 0x3030, suppose BYTE in %sbug76557.php on line %d
+
+Warning: exif_read_data(bug76557.jpg): Process tag(x3030=UndefinedTa): Illegal format code 0x3030, suppose BYTE in %sbug76557.php on line %d
+
+Warning: exif_read_data(bug76557.jpg): Process tag(x3030=UndefinedTa): Illegal format code 0x3030, suppose BYTE in %sbug76557.php on line %d
+
+Warning: exif_read_data(bug76557.jpg): Process tag(x3030=UndefinedTa): Illegal format code 0x3030, suppose BYTE in %sbug76557.php on line %d
+
+Warning: exif_read_data(bug76557.jpg): Process tag(x3030=UndefinedTa): Illegal format code 0x3030, suppose BYTE in %sbug76557.php on line %d
+
+Warning: exif_read_data(bug76557.jpg): Process tag(x3030=UndefinedTa): Illegal format code 0x3030, suppose BYTE in %sbug76557.php on line %d
+
+Warning: exif_read_data(bug76557.jpg): Process tag(x3030=UndefinedTa): Illegal format code 0x3030, suppose BYTE in %sbug76557.php on line %d
+
+Warning: exif_read_data(bug76557.jpg): Process tag(x3030=UndefinedTa): Illegal format code 0x3030, suppose BYTE in %sbug76557.php on line %d
+
+Warning: exif_read_data(bug76557.jpg): Process tag(x3030=UndefinedTa): Illegal format code 0x3030, suppose BYTE in %sbug76557.php on line %d
+
+Warning: exif_read_data(bug76557.jpg): Process tag(x3030=UndefinedTa): Illegal format code 0x3030, suppose BYTE in %sbug76557.php on line %d
+
+Warning: exif_read_data(bug76557.jpg): Process tag(x927C=MakerNote ): Illegal format code 0x3030, suppose BYTE in %sbug76557.php on line %d
+
+Warning: exif_read_data(bug76557.jpg): Process tag(x3030=UndefinedTa): Illegal format code 0x3030, suppose BYTE in %sbug76557.php on line %d
+
+Warning: exif_read_data(bug76557.jpg): Process tag(x3030=UndefinedTa): Illegal format code 0x3030, suppose BYTE in %sbug76557.php on line %d
+
+Warning: exif_read_data(bug76557.jpg): Process tag(x3030=UndefinedTa): Illegal format code 0x3030, suppose BYTE in %sbug76557.php on line %d
+
+Warning: exif_read_data(bug76557.jpg): Process tag(x3030=UndefinedTa): Illegal pointer offset(x30303030 + x30303030 = x60606060 > x00EE) in %sbug76557.php on line %d
+
+Warning: exif_read_data(bug76557.jpg): File structure corrupted in %sbug76557.php on line %d
+
+Warning: exif_read_data(bug76557.jpg): Invalid JPEG file in %sbug76557.php on line %d
+int(1)
+DONE