Merge branch 'PHP-7.2' into PHP-7.3

* PHP-7.2: Fix bug #77753 - Heap-buffer-overflow in php_ifd_get32s
author: Stanislav Malyshev <stas@php.net> 2019-03-31 23:09:57 -0700
committer: Stanislav Malyshev <stas@php.net> 2019-03-31 23:09:57 -0700
commit: 9efaac30aeff82a61a015f4de53eb1ece2d93d61 (patch)
tree: 0263df05b007fd5c66d09571cb0fe7257bab29f6 /ext/exif/exif.c
parent: d8b7728b0e1306ccdfc346beaee8091abd930c03 (diff)
parent: f3ab302270b31f260e96126e805fa931b666727a (diff)
download: php-git-9efaac30aeff82a61a015f4de53eb1ece2d93d61.tar.gz
1 files changed, 4 insertions, 0 deletions
diff --git a/ext/exif/exif.c b/ext/exif/exif.c
index 1b7d0cc462..5b12922a76 100644
--- a/ext/exif/exif.c
+++ b/ext/exif/exif.c
@@ -3188,6 +3188,10 @@ static int exif_process_IFD_in_MAKERNOTE(image_info_type *ImageInfo, char * valu
 		exif_error_docref("exif_read_data#error_ifd" EXIFERR_CC, ImageInfo, E_WARNING, "Illegal IFD size: 2 + 0x%04X*12 = 0x%04X > 0x%04X", NumDirEntries, 2+NumDirEntries*12, value_len);
 		return FALSE;
 	}
+	if ((dir_start - value_ptr) > value_len - (2+NumDirEntries*12)) {
+		exif_error_docref("exif_read_data#error_ifd" EXIFERR_CC, ImageInfo, E_WARNING, "Illegal IFD size: 0x%04X > 0x%04X", (dir_start - value_ptr) + (2+NumDirEntries*12), value_len);
+		return FALSE;
+	}
 
 	for (de=0;de<NumDirEntries;de++) {
 		if (!exif_process_IFD_TAG(ImageInfo, dir_start + 2 + 12 * de,
author	Stanislav Malyshev <stas@php.net>	2019-03-31 23:09:57 -0700
committer	Stanislav Malyshev <stas@php.net>	2019-03-31 23:09:57 -0700
commit	9efaac30aeff82a61a015f4de53eb1ece2d93d61 (patch)
tree	0263df05b007fd5c66d09571cb0fe7257bab29f6 /ext/exif/exif.c
parent	d8b7728b0e1306ccdfc346beaee8091abd930c03 (diff)
parent	f3ab302270b31f260e96126e805fa931b666727a (diff)
download	php-git-9efaac30aeff82a61a015f4de53eb1ece2d93d61.tar.gz