From 05daae53dc5973acafcaf058685d3766c8505d63 Mon Sep 17 00:00:00 2001 From: Remi Collet Date: Tue, 30 Jul 2019 12:13:26 +0200 Subject: - exif: Fix #78256 heap-buffer-overflow on exif_process_user_comment CVE-2019-11042 Fix #78222 heap-buffer-overflow on exif_scan_thumbnail CVE-2019-11041 - phar: Fix #77919 Potential UAF in Phar RSHUTDOWN --- php-bug78256.patch | 47 +++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 47 insertions(+) create mode 100644 php-bug78256.patch (limited to 'php-bug78256.patch') diff --git a/php-bug78256.patch b/php-bug78256.patch new file mode 100644 index 0000000..f4e4232 --- /dev/null +++ b/php-bug78256.patch @@ -0,0 +1,47 @@ +Without test as binary patch not supported + + + + +From 3174fd02078cd9cfd21dc1256adbb1cf8a6cb973 Mon Sep 17 00:00:00 2001 +From: Stanislav Malyshev +Date: Sun, 7 Jul 2019 17:39:59 -0700 +Subject: [PATCH] Fix bug #78256 (heap-buffer-overflow on + exif_process_user_comment) + +(cherry picked from commit aeb6d13185a2ea4f1496ede2697469faed98ce05) +--- + ext/exif/exif.c | 6 +++--- + ext/exif/tests/bug78256.jpg | Bin 0 -> 69 bytes + ext/exif/tests/bug78256.phpt | 11 +++++++++++ + 3 files changed, 14 insertions(+), 3 deletions(-) + create mode 100644 ext/exif/tests/bug78256.jpg + create mode 100644 ext/exif/tests/bug78256.phpt + +diff --git a/ext/exif/exif.c b/ext/exif/exif.c +index 8b379bbb7f..3f8dd907dc 100644 +--- a/ext/exif/exif.c ++++ b/ext/exif/exif.c +@@ -2619,7 +2619,7 @@ static int exif_process_user_comment(image_info_type *ImageInfo, char **pszInfoP + { + int a; + char *decode; +- size_t len;; ++ size_t len; + + *pszEncoding = NULL; + /* Copy the comment */ +@@ -2632,11 +2632,11 @@ static int exif_process_user_comment(image_info_type *ImageInfo, char **pszInfoP + /* First try to detect BOM: ZERO WIDTH NOBREAK SPACE (FEFF 16) + * since we have no encoding support for the BOM yet we skip that. + */ +- if (!memcmp(szValuePtr, "\xFE\xFF", 2)) { ++ if (ByteCount >=2 && !memcmp(szValuePtr, "\xFE\xFF", 2)) { + decode = "UCS-2BE"; + szValuePtr = szValuePtr+2; + ByteCount -= 2; +- } else if (!memcmp(szValuePtr, "\xFF\xFE", 2)) { ++ } else if (ByteCount >=2 && !memcmp(szValuePtr, "\xFF\xFE", 2)) { + decode = "UCS-2LE"; + szValuePtr = szValuePtr+2; + ByteCount -= 2; -- cgit