From aeb6d13185a2ea4f1496ede2697469faed98ce05 Mon Sep 17 00:00:00 2001 From: Stanislav Malyshev Date: Sun, 7 Jul 2019 17:39:59 -0700 Subject: Fix bug #78256 (heap-buffer-overflow on exif_process_user_comment) --- ext/exif/exif.c | 6 +++--- ext/exif/tests/bug78256.jpg | Bin 0 -> 69 bytes ext/exif/tests/bug78256.phpt | 11 +++++++++++ 3 files changed, 14 insertions(+), 3 deletions(-) create mode 100644 ext/exif/tests/bug78256.jpg create mode 100644 ext/exif/tests/bug78256.phpt diff --git a/ext/exif/exif.c b/ext/exif/exif.c index cd7975a9f5..77e4427b48 100644 --- a/ext/exif/exif.c +++ b/ext/exif/exif.c @@ -2619,7 +2619,7 @@ static int exif_process_user_comment(image_info_type *ImageInfo, char **pszInfoP { int a; char *decode; - size_t len;; + size_t len; *pszEncoding = NULL; /* Copy the comment */ @@ -2632,11 +2632,11 @@ static int exif_process_user_comment(image_info_type *ImageInfo, char **pszInfoP /* First try to detect BOM: ZERO WIDTH NOBREAK SPACE (FEFF 16) * since we have no encoding support for the BOM yet we skip that. */ - if (!memcmp(szValuePtr, "\xFE\xFF", 2)) { + if (ByteCount >=2 && !memcmp(szValuePtr, "\xFE\xFF", 2)) { decode = "UCS-2BE"; szValuePtr = szValuePtr+2; ByteCount -= 2; - } else if (!memcmp(szValuePtr, "\xFF\xFE", 2)) { + } else if (ByteCount >=2 && !memcmp(szValuePtr, "\xFF\xFE", 2)) { decode = "UCS-2LE"; szValuePtr = szValuePtr+2; ByteCount -= 2; diff --git a/ext/exif/tests/bug78256.jpg b/ext/exif/tests/bug78256.jpg new file mode 100644 index 0000000000..56bf672629 Binary files /dev/null and b/ext/exif/tests/bug78256.jpg differ diff --git a/ext/exif/tests/bug78256.phpt b/ext/exif/tests/bug78256.phpt new file mode 100644 index 0000000000..37a3f1d824 --- /dev/null +++ b/ext/exif/tests/bug78256.phpt @@ -0,0 +1,11 @@ +--TEST-- +Bug #78256 (heap-buffer-overflow on exif_process_user_comment) +--SKIPIF-- + +--FILE-- + +DONE +--EXPECTF-- +DONE \ No newline at end of file -- cgit v1.2.1