diff options
| author | Stanislav Malyshev <stas@php.net> | 2019-03-31 23:09:57 -0700 |
|---|---|---|
| committer | Christoph M. Becker <cmbecker69@gmx.de> | 2019-04-02 10:00:54 +0200 |
| commit | 426ca8e961187d427f2dd8c82f3f36698e77ad4c (patch) | |
| tree | 4f6483f0118dd384c5ddf8f776490e0db44908bd | |
| parent | 5b7a781a5d49854d9e3abf7944b478d0d98d6c5e (diff) | |
| download | php-git-426ca8e961187d427f2dd8c82f3f36698e77ad4c.tar.gz | |
Merge branch 'PHP-7.2' into PHP-7.3
* PHP-7.2:
Fix bug #77753 - Heap-buffer-overflow in php_ifd_get32s
(cherry picked from commit 9efaac30aeff82a61a015f4de53eb1ece2d93d61)
| -rw-r--r-- | NEWS | 3 | ||||
| -rw-r--r-- | ext/exif/exif.c | 4 | ||||
| -rw-r--r-- | ext/exif/tests/bug77753.phpt | 16 | ||||
| -rw-r--r-- | ext/exif/tests/bug77753.tiff | bin | 0 -> 873 bytes |
4 files changed, 23 insertions, 0 deletions
@@ -26,6 +26,9 @@ PHP NEWS - COM: . Fixed bug #77578 (Crash when php unload). (cmb) +- EXIF: + . Fixed bug #77753 (Heap-buffer-overflow in php_ifd_get32s). (Stas) + - FPM: . Fixed bug #77677 (FPM fails to build on AIX due to missing WCOREDUMP). (Kevin Adler) diff --git a/ext/exif/exif.c b/ext/exif/exif.c index 1b7d0cc462..5b12922a76 100644 --- a/ext/exif/exif.c +++ b/ext/exif/exif.c @@ -3188,6 +3188,10 @@ static int exif_process_IFD_in_MAKERNOTE(image_info_type *ImageInfo, char * valu exif_error_docref("exif_read_data#error_ifd" EXIFERR_CC, ImageInfo, E_WARNING, "Illegal IFD size: 2 + 0x%04X*12 = 0x%04X > 0x%04X", NumDirEntries, 2+NumDirEntries*12, value_len); return FALSE; } + if ((dir_start - value_ptr) > value_len - (2+NumDirEntries*12)) { + exif_error_docref("exif_read_data#error_ifd" EXIFERR_CC, ImageInfo, E_WARNING, "Illegal IFD size: 0x%04X > 0x%04X", (dir_start - value_ptr) + (2+NumDirEntries*12), value_len); + return FALSE; + } for (de=0;de<NumDirEntries;de++) { if (!exif_process_IFD_TAG(ImageInfo, dir_start + 2 + 12 * de, diff --git a/ext/exif/tests/bug77753.phpt b/ext/exif/tests/bug77753.phpt new file mode 100644 index 0000000000..d987a5cf46 --- /dev/null +++ b/ext/exif/tests/bug77753.phpt @@ -0,0 +1,16 @@ +--TEST-- +Bug #77753 (Heap-buffer-overflow in php_ifd_get32s) +--SKIPIF-- +<?php if (!extension_loaded('exif')) print 'skip exif extension not available';?> +--FILE-- +<?php +var_dump(exif_read_data(__DIR__."/bug77753.tiff")); +?> +DONE +--EXPECTF-- +%A +Warning: exif_read_data(bug77753.tiff): Illegal IFD size: 0x006A > 0x0065 in %sbug77753.php on line %d + +Warning: exif_read_data(bug77753.tiff): Invalid TIFF file in %sbug77753.php on line %d +bool(false) +DONE
\ No newline at end of file diff --git a/ext/exif/tests/bug77753.tiff b/ext/exif/tests/bug77753.tiff Binary files differnew file mode 100644 index 0000000000..b237f39e2b --- /dev/null +++ b/ext/exif/tests/bug77753.tiff |