summaryrefslogtreecommitdiffstats
path: root/php-bug78256.patch
blob: 553bcac945ab614dd6cc729ff96b7d327fb82111 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
Without test as binary patch not supported




From 63c0ed60c2b5580b1542690d52d4a26401342563 Mon Sep 17 00:00:00 2001
From: Stanislav Malyshev <stas@php.net>
Date: Sun, 7 Jul 2019 17:39:59 -0700
Subject: [PATCH] Fix bug #78256 (heap-buffer-overflow on
 exif_process_user_comment)

(cherry picked from commit aeb6d13185a2ea4f1496ede2697469faed98ce05)
---
 ext/exif/exif.c              |   6 +++---
 ext/exif/tests/bug78256.jpg  | Bin 0 -> 69 bytes
 ext/exif/tests/bug78256.phpt |  11 +++++++++++
 3 files changed, 14 insertions(+), 3 deletions(-)
 create mode 100644 ext/exif/tests/bug78256.jpg
 create mode 100644 ext/exif/tests/bug78256.phpt

diff --git a/ext/exif/exif.c b/ext/exif/exif.c
index a5fa0b8fb0..ec362f7e6d 100644
--- a/ext/exif/exif.c
+++ b/ext/exif/exif.c
@@ -2628,7 +2628,7 @@ static int exif_process_user_comment(image_info_type *ImageInfo, char **pszInfoP
 {
 	int   a;
 	char  *decode;
-	size_t len;;
+	size_t len;
 
 	*pszEncoding = NULL;
 	/* Copy the comment */
@@ -2641,11 +2641,11 @@ static int exif_process_user_comment(image_info_type *ImageInfo, char **pszInfoP
 			/* First try to detect BOM: ZERO WIDTH NOBREAK SPACE (FEFF 16)
 			 * since we have no encoding support for the BOM yet we skip that.
 			 */
-			if (!memcmp(szValuePtr, "\xFE\xFF", 2)) {
+			if (ByteCount >=2 && !memcmp(szValuePtr, "\xFE\xFF", 2)) {
 				decode = "UCS-2BE";
 				szValuePtr = szValuePtr+2;
 				ByteCount -= 2;
-			} else if (!memcmp(szValuePtr, "\xFF\xFE", 2)) {
+			} else if (ByteCount >=2 && !memcmp(szValuePtr, "\xFF\xFE", 2)) {
 				decode = "UCS-2LE";
 				szValuePtr = szValuePtr+2;
 				ByteCount -= 2;