summaryrefslogtreecommitdiffstats
path: root/bug72094.patch
diff options
context:
space:
mode:
Diffstat (limited to 'bug72094.patch')
-rw-r--r--bug72094.patch75
1 files changed, 75 insertions, 0 deletions
diff --git a/bug72094.patch b/bug72094.patch
new file mode 100644
index 0000000..2fa4df7
--- /dev/null
+++ b/bug72094.patch
@@ -0,0 +1,75 @@
+Backported for 5.4 from 5.5.35 by Remi Collet
+Binary diff removed
+
+From 082aecfc3a753ad03be82cf14f03ac065723ec92 Mon Sep 17 00:00:00 2001
+From: Stanislav Malyshev <stas@php.net>
+Date: Sun, 24 Apr 2016 19:33:52 -0700
+Subject: [PATCH] Fix bug #72094 - Out of bounds heap read access in exif
+ header processing
+
+---
+ ext/exif/exif.c | 17 ++++++++++--
+ ext/exif/tests/bug72094.phpt | 61 ++++++++++++++++++++++++++++++++++++++++++
+ ext/exif/tests/bug72094_1.jpg | Bin 0 -> 140 bytes
+ ext/exif/tests/bug72094_2.jpg | Bin 0 -> 140 bytes
+ ext/exif/tests/bug72094_3.jpg | Bin 0 -> 112 bytes
+ ext/exif/tests/bug72094_4.jpg | Bin 0 -> 32 bytes
+ 6 files changed, 76 insertions(+), 2 deletions(-)
+ create mode 100644 ext/exif/tests/bug72094.phpt
+ create mode 100644 ext/exif/tests/bug72094_1.jpg
+ create mode 100644 ext/exif/tests/bug72094_2.jpg
+ create mode 100644 ext/exif/tests/bug72094_3.jpg
+ create mode 100644 ext/exif/tests/bug72094_4.jpg
+
+diff --git a/ext/exif/exif.c b/ext/exif/exif.c
+index ff29fdd..f366acc 100644
+--- a/ext/exif/exif.c
++++ b/ext/exif/exif.c
+@@ -2965,7 +2965,7 @@ static int exif_process_IFD_TAG(image_info_type *ImageInfo, char *dir_entry, cha
+ /* When there are any characters after the first NUL */
+ ImageInfo->CopyrightPhotographer = estrdup(value_ptr);
+ ImageInfo->CopyrightEditor = estrndup(value_ptr+length+1, byte_count-length-1);
+- spprintf(&ImageInfo->Copyright, 0, "%s, %s", value_ptr, value_ptr+length+1);
++ spprintf(&ImageInfo->Copyright, 0, "%s, %s", ImageInfo->CopyrightPhotographer, ImageInfo->CopyrightEditor);
+ /* format = TAG_FMT_UNDEFINED; this musn't be ASCII */
+ /* but we are not supposed to change this */
+ /* keep in mind that image_info does not store editor value */
+@@ -3134,6 +3134,11 @@ static int exif_process_IFD_in_JPEG(image_info_type *ImageInfo, char *dir_start,
+
+ ImageInfo->sections_found |= FOUND_IFD0;
+
++ if ((dir_start + 2) >= (offset_base+IFDlength)) {
++ exif_error_docref("exif_read_data#error_ifd" EXIFERR_CC, ImageInfo, E_WARNING, "Illegal IFD size");
++ return FALSE;
++ }
++
+ NumDirEntries = php_ifd_get16u(dir_start, ImageInfo->motorola_intel);
+
+ if ((dir_start+2+NumDirEntries*12) > (offset_base+IFDlength)) {
+@@ -3157,6 +3162,10 @@ static int exif_process_IFD_in_JPEG(image_info_type *ImageInfo, char *dir_start,
+ * Hack to make it process IDF1 I hope
+ * There are 2 IDFs, the second one holds the keys (0x0201 and 0x0202) to the thumbnail
+ */
++ if ((dir_start+2+12*de + 4) >= (offset_base+IFDlength)) {
++ exif_error_docref("exif_read_data#error_ifd" EXIFERR_CC, ImageInfo, E_WARNING, "Illegal IFD size");
++ return FALSE;
++ }
+ NextDirOffset = php_ifd_get32u(dir_start+2+12*de, ImageInfo->motorola_intel);
+ if (NextDirOffset) {
+ /* the next line seems false but here IFDlength means length of all IFDs */
+@@ -3206,9 +3215,13 @@ static void exif_process_TIFF_in_JPEG(image_info_type *ImageInfo, char *CharBuf,
+ }
+
+ /* Check the next two values for correctness. */
++ if (length < 8) {
++ exif_error_docref(NULL EXIFERR_CC, ImageInfo, E_WARNING, "Invalid TIFF start (1)");
++ return;
++ }
+ exif_value_2a = php_ifd_get16u(CharBuf+2, ImageInfo->motorola_intel);
+ offset_of_ifd = php_ifd_get32u(CharBuf+4, ImageInfo->motorola_intel);
+- if ( exif_value_2a != 0x2a || offset_of_ifd < 0x08) {
++ if (exif_value_2a != 0x2a || offset_of_ifd < 0x08) {
+ exif_error_docref(NULL EXIFERR_CC, ImageInfo, E_WARNING, "Invalid TIFF start (1)");
+ return;
+ }
+