diff options
Diffstat (limited to 'php-bug78793.patch')
-rw-r--r-- | php-bug78793.patch | 62 |
1 files changed, 62 insertions, 0 deletions
diff --git a/php-bug78793.patch b/php-bug78793.patch new file mode 100644 index 0000000..21d7a1d --- /dev/null +++ b/php-bug78793.patch @@ -0,0 +1,62 @@ +From f71d4343a205d820e35a815d298a9bb3e92d49cd Mon Sep 17 00:00:00 2001 +From: Stanislav Malyshev <stas@php.net> +Date: Mon, 16 Dec 2019 01:14:38 -0800 +Subject: [PATCH] Fix bug #78793 + +(cherry picked from commit c14eb8de974fc8a4d74f3515424c293bc7a40fba) +--- + NEWS | 4 ++++ + ext/exif/exif.c | 5 +++-- + ext/exif/tests/bug78793.phpt | 12 ++++++++++++ + 3 files changed, 19 insertions(+), 2 deletions(-) + create mode 100644 ext/exif/tests/bug78793.phpt + +diff --git a/NEWS b/NEWS +index 39a2f43818..723cc69be6 100644 +--- a/NEWS ++++ b/NEWS +@@ -13,6 +13,10 @@ Backported from 7.2.26 + . Fixed bug #78863 (DirectoryIterator class silently truncates after a null + byte). (CVE-2019-11045). (cmb) + ++- EXIF: ++ . Fixed bug #78793 (Use-after-free in exif parsing under memory sanitizer). ++ (CVE-2019-11050). (Nikita) ++ + Backported from 7.1.33 + + - FPM: +diff --git a/ext/exif/exif.c b/ext/exif/exif.c +index 3f8dd907dc..a7da928800 100644 +--- a/ext/exif/exif.c ++++ b/ext/exif/exif.c +@@ -2820,8 +2820,9 @@ static int exif_process_IFD_in_MAKERNOTE(image_info_type *ImageInfo, char * valu + } + + for (de=0;de<NumDirEntries;de++) { +- if (!exif_process_IFD_TAG(ImageInfo, dir_start + 2 + 12 * de, +- offset_base, data_len, displacement, section_index, 0, maker_note->tag_table)) { ++ size_t offset = 2 + 12 * de; ++ if (!exif_process_IFD_TAG(ImageInfo, dir_start + offset, ++ offset_base, data_len - offset, displacement, section_index, 0, maker_note->tag_table)) { + return FALSE; + } + } +diff --git a/ext/exif/tests/bug78793.phpt b/ext/exif/tests/bug78793.phpt +new file mode 100644 +index 0000000000..033f255ace +--- /dev/null ++++ b/ext/exif/tests/bug78793.phpt +@@ -0,0 +1,12 @@ ++--TEST-- ++Bug #78793: Use-after-free in exif parsing under memory sanitizer ++--FILE-- ++<?php ++$f = "ext/exif/tests/bug77950.tiff"; ++for ($i = 0; $i < 10; $i++) { ++ @exif_read_data($f); ++} ++?> ++===DONE=== ++--EXPECT-- ++===DONE=== |