summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorStanislav Malyshev <stas@php.net>2019-05-27 17:16:29 -0700
committerStanislav Malyshev <stas@php.net>2019-05-27 17:28:09 -0700
commit73ff4193be24192c894dc0502d06e2b2db35eefb (patch)
treea40f2b90be0e1b2695eaf8f84ec059bf4f9879f9
parent16e037bd46359a31f218ee220ff09f1c3270e489 (diff)
downloadphp-git-73ff4193be24192c894dc0502d06e2b2db35eefb.tar.gz
Fix bug #77988 - heap-buffer-overflow on php_jpg_get16
Diffstat
-rw-r--r--NEWS8
-rw-r--r--ext/exif/exif.c2
-rw-r--r--ext/exif/tests/bug77988.jpgbin0 -> 1202 bytes
-rw-r--r--ext/exif/tests/bug77988.phpt11
4 files changed, 19 insertions, 2 deletions
diff --git a/NEWS b/NEWS
index ea27c53d56..f771d2092c 100644
--- a/NEWS
+++ b/NEWS
@@ -2,6 +2,10 @@ PHP NEWS
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
?? ??? 2019, PHP 7.1.30
+- EXIF:
+ . Fixed bug #77988 (heap-buffer-overflow on php_jpg_get16).
+ (CVE-2019-11040) (Stas)
+
- GD:
. Fixed bug #77973 (Uninitialized read in gdImageCreateFromXbm).
(CVE-2019-11038) (cmb)
@@ -12,11 +16,11 @@ PHP NEWS
03 May 2019, PHP 7.1.29
-- EXIF
+- EXIF:
. Fixed bug #77950 (Heap-buffer-overflow in _estrndup via exif_process_IFD_TAG).
(CVE-2019-11036) (Stas)
-- Mail
+- Mail:
. Fixed bug #77821 (Potential heap corruption in TSendMail()). (cmb)
04 Apr 2019, PHP 7.1.28
diff --git a/ext/exif/exif.c b/ext/exif/exif.c
index d174def80c..605b37923f 100644
--- a/ext/exif/exif.c
+++ b/ext/exif/exif.c
@@ -3526,6 +3526,8 @@ static int exif_scan_thumbnail(image_info_type *ImageInfo)
if (c == 0xFF)
return FALSE;
marker = c;
+ if (pos>=ImageInfo->Thumbnail.size)
+ return FALSE;
length = php_jpg_get16(data+pos);
if (length > ImageInfo->Thumbnail.size || pos >= ImageInfo->Thumbnail.size - length) {
return FALSE;
diff --git a/ext/exif/tests/bug77988.jpg b/ext/exif/tests/bug77988.jpg
new file mode 100644
index 0000000000..120ff8565a
--- /dev/null
+++ b/ext/exif/tests/bug77988.jpg
Binary files differ
diff --git a/ext/exif/tests/bug77988.phpt b/ext/exif/tests/bug77988.phpt
new file mode 100644
index 0000000000..1632c8afaa
--- /dev/null
+++ b/ext/exif/tests/bug77988.phpt
@@ -0,0 +1,11 @@
+--TEST--
+Bug #77988 (heap-buffer-overflow on php_jpg_get16)
+--SKIPIF--
+<?php if (!extension_loaded('exif')) print 'skip exif extension not available';?>
+--FILE--
+<?php
+exif_read_data(__DIR__."/bug77988.jpg", 'COMMENT', FALSE, TRUE);
+?>
+DONE
+--EXPECTF--
+DONE \ No newline at end of file
View Lorry Controller Status