diff options
| author | Stanislav Malyshev <stas@php.net> | 2019-05-27 17:28:20 -0700 |
|---|---|---|
| committer | Stanislav Malyshev <stas@php.net> | 2019-05-27 17:28:20 -0700 |
| commit | dc1d99e772ce82b180e4c15d63ce70331eebfab7 (patch) | |
| tree | 5b4c561c9dbcc27e8b53b83c8987ab0f7027f017 | |
| parent | 9bca9ef6cf6428a3725bdb7919e2affe92cb3121 (diff) | |
| parent | 73ff4193be24192c894dc0502d06e2b2db35eefb (diff) | |
| download | php-git-dc1d99e772ce82b180e4c15d63ce70331eebfab7.tar.gz | |
Merge branch 'PHP-7.1' into PHP-7.2
* PHP-7.1:
Fix bug #77988 - heap-buffer-overflow on php_jpg_get16
| -rw-r--r-- | ext/exif/exif.c | 2 | ||||
| -rw-r--r-- | ext/exif/tests/bug77988.jpg | bin | 0 -> 1202 bytes | |||
| -rw-r--r-- | ext/exif/tests/bug77988.phpt | 11 |
3 files changed, 13 insertions, 0 deletions
diff --git a/ext/exif/exif.c b/ext/exif/exif.c index c82ce050fa..6f91dda8c2 100644 --- a/ext/exif/exif.c +++ b/ext/exif/exif.c @@ -3947,6 +3947,8 @@ static int exif_scan_thumbnail(image_info_type *ImageInfo) if (c == 0xFF) return FALSE; marker = c; + if (pos>=ImageInfo->Thumbnail.size) + return FALSE; length = php_jpg_get16(data+pos); if (length > ImageInfo->Thumbnail.size || pos >= ImageInfo->Thumbnail.size - length) { return FALSE; diff --git a/ext/exif/tests/bug77988.jpg b/ext/exif/tests/bug77988.jpg Binary files differnew file mode 100644 index 0000000000..120ff8565a --- /dev/null +++ b/ext/exif/tests/bug77988.jpg diff --git a/ext/exif/tests/bug77988.phpt b/ext/exif/tests/bug77988.phpt new file mode 100644 index 0000000000..1632c8afaa --- /dev/null +++ b/ext/exif/tests/bug77988.phpt @@ -0,0 +1,11 @@ +--TEST-- +Bug #77988 (heap-buffer-overflow on php_jpg_get16) +--SKIPIF-- +<?php if (!extension_loaded('exif')) print 'skip exif extension not available';?> +--FILE-- +<?php +exif_read_data(__DIR__."/bug77988.jpg", 'COMMENT', FALSE, TRUE); +?> +DONE +--EXPECTF-- +DONE
\ No newline at end of file |
