diff options
author | Stanislav Malyshev <stas@php.net> | 2019-12-16 01:14:38 -0800 |
---|---|---|
committer | Remi Collet <remi@php.net> | 2019-12-17 13:12:12 +0100 |
commit | 1b3b4a0d367b6f0b67e9f73d82f53db6c6b722b2 (patch) | |
tree | 1221075295bc30df31a3ab12559c1da90c7d9aa0 | |
parent | 57325460d2bdee01a13d8e6cf03345c90543ff4f (diff) | |
download | php-git-1b3b4a0d367b6f0b67e9f73d82f53db6c6b722b2.tar.gz |
Fix bug #78793
(cherry picked from commit c14eb8de974fc8a4d74f3515424c293bc7a40fba)
-rw-r--r-- | ext/exif/exif.c | 5 | ||||
-rw-r--r-- | ext/exif/tests/bug78793.phpt | 12 |
2 files changed, 15 insertions, 2 deletions
diff --git a/ext/exif/exif.c b/ext/exif/exif.c index c0be05922f..7fe055f381 100644 --- a/ext/exif/exif.c +++ b/ext/exif/exif.c @@ -3240,8 +3240,9 @@ static int exif_process_IFD_in_MAKERNOTE(image_info_type *ImageInfo, char * valu } for (de=0;de<NumDirEntries;de++) { - if (!exif_process_IFD_TAG(ImageInfo, dir_start + 2 + 12 * de, - offset_base, data_len, displacement, section_index, 0, maker_note->tag_table)) { + size_t offset = 2 + 12 * de; + if (!exif_process_IFD_TAG(ImageInfo, dir_start + offset, + offset_base, data_len - offset, displacement, section_index, 0, maker_note->tag_table)) { return FALSE; } } diff --git a/ext/exif/tests/bug78793.phpt b/ext/exif/tests/bug78793.phpt new file mode 100644 index 0000000000..033f255ace --- /dev/null +++ b/ext/exif/tests/bug78793.phpt @@ -0,0 +1,12 @@ +--TEST-- +Bug #78793: Use-after-free in exif parsing under memory sanitizer +--FILE-- +<?php +$f = "ext/exif/tests/bug77950.tiff"; +for ($i = 0; $i < 10; $i++) { + @exif_read_data($f); +} +?> +===DONE=== +--EXPECT-- +===DONE=== |