diff options
author | Stanislav Malyshev <stas@php.net> | 2019-07-07 17:39:59 -0700 |
---|---|---|
committer | Christoph M. Becker <cmbecker69@gmx.de> | 2019-07-30 09:13:03 +0200 |
commit | e648fa4699e8d072db6db34fcc09826e8127fab8 (patch) | |
tree | 1c6b15ff16ff097f36e03ef8ff22b09d7e4eed2f | |
parent | f22101c8308669bb63c03a73a2cac2408d844f38 (diff) | |
download | php-git-e648fa4699e8d072db6db34fcc09826e8127fab8.tar.gz |
Fix bug #78256 (heap-buffer-overflow on exif_process_user_comment)
(cherry picked from commit aeb6d13185a2ea4f1496ede2697469faed98ce05)
-rw-r--r-- | NEWS | 2 | ||||
-rw-r--r-- | ext/exif/exif.c | 4 | ||||
-rw-r--r-- | ext/exif/tests/bug78256.jpg | bin | 0 -> 69 bytes | |||
-rw-r--r-- | ext/exif/tests/bug78256.phpt | 11 |
4 files changed, 15 insertions, 2 deletions
@@ -3,6 +3,8 @@ PHP NEWS ?? ??? ????, PHP 7.3.8 - EXIF: + . Fixed bug #78256 (heap-buffer-overflow on exif_process_user_comment). + (CVE-2019-11042) (Stas) . Fixed bug #78222 (heap-buffer-overflow on exif_scan_thumbnail). (CVE-2019-11041) (Stas) diff --git a/ext/exif/exif.c b/ext/exif/exif.c index aa272c1d2b..3e005b5727 100644 --- a/ext/exif/exif.c +++ b/ext/exif/exif.c @@ -3015,11 +3015,11 @@ static int exif_process_user_comment(image_info_type *ImageInfo, char **pszInfoP /* First try to detect BOM: ZERO WIDTH NOBREAK SPACE (FEFF 16) * since we have no encoding support for the BOM yet we skip that. */ - if (!memcmp(szValuePtr, "\xFE\xFF", 2)) { + if (ByteCount >=2 && !memcmp(szValuePtr, "\xFE\xFF", 2)) { decode = "UCS-2BE"; szValuePtr = szValuePtr+2; ByteCount -= 2; - } else if (!memcmp(szValuePtr, "\xFF\xFE", 2)) { + } else if (ByteCount >=2 && !memcmp(szValuePtr, "\xFF\xFE", 2)) { decode = "UCS-2LE"; szValuePtr = szValuePtr+2; ByteCount -= 2; diff --git a/ext/exif/tests/bug78256.jpg b/ext/exif/tests/bug78256.jpg Binary files differnew file mode 100644 index 0000000000..56bf672629 --- /dev/null +++ b/ext/exif/tests/bug78256.jpg diff --git a/ext/exif/tests/bug78256.phpt b/ext/exif/tests/bug78256.phpt new file mode 100644 index 0000000000..37a3f1d824 --- /dev/null +++ b/ext/exif/tests/bug78256.phpt @@ -0,0 +1,11 @@ +--TEST-- +Bug #78256 (heap-buffer-overflow on exif_process_user_comment) +--SKIPIF-- +<?php if (!extension_loaded('exif')) print 'skip exif extension not available';?> +--FILE-- +<?php +@exif_read_data(__DIR__."/bug78256.jpg", 'COMMENT', FALSE, TRUE); +?> +DONE +--EXPECTF-- +DONE
\ No newline at end of file |