From 2f649ee4cbea50aaf88ae480ecfe36651dd135a2 Mon Sep 17 00:00:00 2001 From: Remi Collet Date: Fri, 22 Jul 2016 19:29:20 +0200 Subject: PHP 5.4.45 with security fix from 5.5.38 --- bug72618.patch | 110 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 110 insertions(+) create mode 100644 bug72618.patch (limited to 'bug72618.patch') diff --git a/bug72618.patch b/bug72618.patch new file mode 100644 index 0000000..04814ab --- /dev/null +++ b/bug72618.patch @@ -0,0 +1,110 @@ +Adapted for 5.4, by Remi Collet, binary patch removed, from: + + +From 41131cd41d2fd2e0c2f332a27988df75659c42e4 Mon Sep 17 00:00:00 2001 +From: Stanislav Malyshev +Date: Mon, 18 Jul 2016 23:21:51 -0700 +Subject: [PATCH] Fix bug #72618: NULL Pointer Dereference in + exif_process_user_comment + +--- + ext/exif/exif.c | 17 +++++++++++------ + ext/exif/tests/bug72618.jpg | Bin 0 -> 3711 bytes + ext/exif/tests/bug72618.phpt | 11 +++++++++++ + 3 files changed, 22 insertions(+), 6 deletions(-) + create mode 100644 ext/exif/tests/bug72618.jpg + create mode 100644 ext/exif/tests/bug72618.phpt + +diff --git a/ext/exif/exif.c b/ext/exif/exif.c +index 760e746..74b652b 100644 +--- a/ext/exif/exif.c ++++ b/ext/exif/exif.c +@@ -2623,6 +2623,7 @@ static int exif_process_user_comment(image_info_type *ImageInfo, char **pszInfoP + *pszEncoding = NULL; + /* Copy the comment */ + if (ByteCount>=8) { ++ const zend_encoding *from, *to; + if (!memcmp(szValuePtr, "UNICODE\0", 8)) { + *pszEncoding = estrdup((const char*)szValuePtr); + szValuePtr = szValuePtr+8; +@@ -2643,14 +2644,16 @@ static int exif_process_user_comment(image_info_type *ImageInfo, char **pszInfoP + } else { + decode = ImageInfo->decode_unicode_le; + } ++ to = zend_multibyte_fetch_encoding(ImageInfo->encode_unicode TSRMLS_CC); ++ from = zend_multibyte_fetch_encoding(decode TSRMLS_CC); + /* XXX this will fail again if encoding_converter returns on error something different than SIZE_MAX */ +- if (zend_multibyte_encoding_converter( ++ if (!to || !from || zend_multibyte_encoding_converter( + (unsigned char**)pszInfoPtr, + &len, + (unsigned char*)szValuePtr, + ByteCount, +- zend_multibyte_fetch_encoding(ImageInfo->encode_unicode TSRMLS_CC), +- zend_multibyte_fetch_encoding(decode TSRMLS_CC) ++ to, ++ from + TSRMLS_CC) == (size_t)-1) { + len = exif_process_string_raw(pszInfoPtr, szValuePtr, ByteCount); + } +@@ -2665,13 +2668,15 @@ static int exif_process_user_comment(image_info_type *ImageInfo, char **pszInfoP + szValuePtr = szValuePtr+8; + ByteCount -= 8; + /* XXX this will fail again if encoding_converter returns on error something different than SIZE_MAX */ +- if (zend_multibyte_encoding_converter( ++ to = zend_multibyte_fetch_encoding(ImageInfo->encode_jis TSRMLS_CC); ++ from = zend_multibyte_fetch_encoding(ImageInfo->motorola_intel ? ImageInfo->decode_jis_be : ImageInfo->decode_jis_le TSRMLS_CC); ++ if (!to || !from || zend_multibyte_encoding_converter( + (unsigned char**)pszInfoPtr, + &len, + (unsigned char*)szValuePtr, + ByteCount, +- zend_multibyte_fetch_encoding(ImageInfo->encode_jis TSRMLS_CC), +- zend_multibyte_fetch_encoding(ImageInfo->motorola_intel ? ImageInfo->decode_jis_be : ImageInfo->decode_jis_le TSRMLS_CC) ++ to, ++ from + TSRMLS_CC) == (size_t)-1) { + len = exif_process_string_raw(pszInfoPtr, szValuePtr, ByteCount); + } + +From 1364742be9757e594fd1b203d45805106ecd31c7 Mon Sep 17 00:00:00 2001 +From: Stanislav Malyshev +Date: Mon, 18 Jul 2016 23:30:51 -0700 +Subject: [PATCH] Fix tests + +--- + ext/exif/tests/bug54002.phpt | 6 +----- + ext/exif/tests/bug62523_2.phpt | 6 ++++-- + 2 files changed, 5 insertions(+), 7 deletions(-) + +diff --git a/ext/exif/tests/bug54002.phpt b/ext/exif/tests/bug54002.phpt +index c51fa58..8f85339 100644 +--- a/ext/exif/tests/bug54002.phpt ++++ b/ext/exif/tests/bug54002.phpt +@@ -13,8 +13,4 @@ exif_read_data(__DIR__ . '/bug54002_2.jpeg'); + --EXPECTF-- + Warning: exif_read_data(bug54002_1.jpeg): Process tag(x0205=UndefinedTa): Illegal byte_count in %sbug54002.php on line %d + +-Warning: exif_read_data(bug54002_1.jpeg): Process tag(xA000=FlashPixVer): Illegal pointer offset(%s) in %sbug54002.php on line %d +- +-Warning: exif_read_data(bug54002_2.jpeg): Process tag(x0205=UndefinedTa): Illegal byte_count in %sbug54002.php on line %d +- +-Warning: exif_read_data(bug54002_2.jpeg): Process tag(xA000=FlashPixVer): Illegal pointer offset(%s) in %sbug54002.php on line %d ++Warning: exif_read_data(bug54002_2.jpeg): Process tag(x0205=UndefinedTa): Illegal byte_count in %sbug54002.php on line %d +\ No newline at end of file +diff --git a/ext/exif/tests/bug62523_2.phpt b/ext/exif/tests/bug62523_2.phpt +index ddc8ae8..c533d42 100644 +--- a/ext/exif/tests/bug62523_2.phpt ++++ b/ext/exif/tests/bug62523_2.phpt +@@ -10,7 +10,9 @@ echo "Test\n"; + var_dump(count(exif_read_data(__DIR__."/bug62523_2.jpg"))); + ?> + Done +---EXPECT-- ++--EXPECTF-- + Test +-int(76) ++ ++Warning: exif_read_data(bug62523_2.jpg): IFD data bad offset: 0xADB23672 length 0x0D94 in %s/bug62523_2.php on line %d ++int(30) + Done -- cgit