Merge branch 'PHP-7.3' into PHP-7.4

* PHP-7.3: Fix bug #77753 - Heap-buffer-overflow in php_ifd_get32s
author: Stanislav Malyshev <stas@php.net> 2019-03-31 23:10:04 -0700
committer: Stanislav Malyshev <stas@php.net> 2019-03-31 23:10:04 -0700
commit: f45e7861efd4b3cccc0df77ec9fb20aaa60010b6 (patch)
tree: b09a8adcde0027c6249d3aad7a7e123737cba2b8 /ext/exif/exif.c
parent: 1686c3fa47155d9c3884726b2ade4dede2eeb99f (diff)
parent: 9efaac30aeff82a61a015f4de53eb1ece2d93d61 (diff)
download: php-git-f45e7861efd4b3cccc0df77ec9fb20aaa60010b6.tar.gz
1 files changed, 4 insertions, 0 deletions
diff --git a/ext/exif/exif.c b/ext/exif/exif.c
index 74821944d6..12f42fd2bd 100644
--- a/ext/exif/exif.c
+++ b/ext/exif/exif.c
@@ -3188,6 +3188,10 @@ static int exif_process_IFD_in_MAKERNOTE(image_info_type *ImageInfo, char * valu
 		exif_error_docref("exif_read_data#error_ifd" EXIFERR_CC, ImageInfo, E_WARNING, "Illegal IFD size: 2 + 0x%04X*12 = 0x%04X > 0x%04X", NumDirEntries, 2+NumDirEntries*12, value_len);
 		return FALSE;
 	}
+	if ((dir_start - value_ptr) > value_len - (2+NumDirEntries*12)) {
+		exif_error_docref("exif_read_data#error_ifd" EXIFERR_CC, ImageInfo, E_WARNING, "Illegal IFD size: 0x%04X > 0x%04X", (dir_start - value_ptr) + (2+NumDirEntries*12), value_len);
+		return FALSE;
+	}
 
 	for (de=0;de<NumDirEntries;de++) {
 		if (!exif_process_IFD_TAG(ImageInfo, dir_start + 2 + 12 * de,
author	Stanislav Malyshev <stas@php.net>	2019-03-31 23:10:04 -0700
committer	Stanislav Malyshev <stas@php.net>	2019-03-31 23:10:04 -0700
commit	f45e7861efd4b3cccc0df77ec9fb20aaa60010b6 (patch)
tree	b09a8adcde0027c6249d3aad7a7e123737cba2b8 /ext/exif/exif.c
parent	1686c3fa47155d9c3884726b2ade4dede2eeb99f (diff)
parent	9efaac30aeff82a61a015f4de53eb1ece2d93d61 (diff)
download	php-git-f45e7861efd4b3cccc0df77ec9fb20aaa60010b6.tar.gz