Diffstat (limited to 'bug72603.patch')
-rw-r--r--bug72603.patch76
1 files changed, 76 insertions, 0 deletions
diff --git a/bug72603.patch b/bug72603.patch
new file mode 100644
index 0000000..91d7965
--- /dev/null
+++ b/bug72603.patch
@@ -0,0 +1,76 @@
+Adapted for 5.4, by Remi Collet, binary patch removed, from:
+
+
+From eebcbd5de38a0f1c2876035402cb770e37476519 Mon Sep 17 00:00:00 2001
+From: Stanislav Malyshev <stas@php.net>
+Date: Sun, 17 Jul 2016 16:34:21 -0700
+Subject: [PATCH] Fix bug #72603: Out of bound read in
+ exif_process_IFD_in_MAKERNOTE
+
+---
+ ext/exif/exif.c | 22 ++++++++++++++++++++--
+ ext/exif/tests/bug72603.jpeg | Bin 0 -> 3711 bytes
+ ext/exif/tests/bug72603.phpt | 11 +++++++++++
+ 3 files changed, 31 insertions(+), 2 deletions(-)
+ create mode 100644 ext/exif/tests/bug72603.jpeg
+ create mode 100644 ext/exif/tests/bug72603.phpt
+
+diff --git a/ext/exif/exif.c b/ext/exif/exif.c
+index f366acc..760e746 100644
+--- a/ext/exif/exif.c
++++ b/ext/exif/exif.c
+@@ -2742,6 +2742,12 @@ static int exif_process_IFD_in_MAKERNOTE(image_info_type *ImageInfo, char * valu
+ break;
+ }
+
++ if (maker_note->offset >= value_len) {
++ /* Do not go past the value end */
++ exif_error_docref("exif_read_data#error_ifd" EXIFERR_CC, ImageInfo, E_WARNING, "IFD data too short: 0x%04X offset 0x%04X", value_len, maker_note->offset);
++ return FALSE;
++ }
++
+ dir_start = value_ptr + maker_note->offset;
+
+ #ifdef EXIF_DEBUG
+@@ -2770,10 +2776,19 @@ static int exif_process_IFD_in_MAKERNOTE(image_info_type *ImageInfo, char * valu
+ offset_base = value_ptr;
+ break;
+ case MN_OFFSET_GUESS:
++ if (maker_note->offset + 10 + 4 >= value_len) {
++ /* Can not read dir_start+10 since it's beyond value end */
++ exif_error_docref("exif_read_data#error_ifd" EXIFERR_CC, ImageInfo, E_WARNING, "IFD data too short: 0x%04X", value_len);
++ return FALSE;
++ }
+ offset_diff = 2 + NumDirEntries*12 + 4 - php_ifd_get32u(dir_start+10, ImageInfo->motorola_intel);
+ #ifdef EXIF_DEBUG
+ exif_error_docref(NULL EXIFERR_CC, ImageInfo, E_NOTICE, "Using automatic offset correction: 0x%04X", ((int)dir_start-(int)offset_base+maker_note->offset+displacement) + offset_diff);
+ #endif
++ if (offset_diff < 0 || offset_diff >= value_len ) {
++ exif_error_docref("exif_read_data#error_ifd" EXIFERR_CC, ImageInfo, E_WARNING, "IFD data bad offset: 0x%04X length 0x%04X", offset_diff, value_len);
++ return FALSE;
++ }
+ offset_base = value_ptr + offset_diff;
+ break;
+ default:
+@@ -2782,7 +2797,7 @@ static int exif_process_IFD_in_MAKERNOTE(image_info_type *ImageInfo, char * valu
+ }
+
+ if ((2+NumDirEntries*12) > value_len) {
+- exif_error_docref("exif_read_data#error_ifd" EXIFERR_CC, ImageInfo, E_WARNING, "Illegal IFD size: 2 + x%04X*12 = x%04X > x%04X", NumDirEntries, 2+NumDirEntries*12, value_len);
++ exif_error_docref("exif_read_data#error_ifd" EXIFERR_CC, ImageInfo, E_WARNING, "Illegal IFD size: 2 + 0x%04X*12 = 0x%04X > 0x%04X", NumDirEntries, 2+NumDirEntries*12, value_len);
+ return FALSE;
+ }
+
+@@ -3068,7 +3083,10 @@ static int exif_process_IFD_TAG(image_info_type *ImageInfo, char *dir_entry, cha
+ break;
+
+ case TAG_MAKER_NOTE:
+- exif_process_IFD_in_MAKERNOTE(ImageInfo, value_ptr, byte_count, offset_base, IFDlength, displacement TSRMLS_CC);
++ if (!exif_process_IFD_in_MAKERNOTE(ImageInfo, value_ptr, byte_count, offset_base, IFDlength, displacement TSRMLS_CC)) {
++ EFREE_IF(outside);
++ return FALSE;
++ }
+ break;
+
+ case TAG_EXIF_IFD_POINTER:
+
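Review bot: The first guard added at line 41 (`maker_note->offset >= value_len`) still admits `offset == value_len - 1`; if the directory entry count used on line 59 (`NumDirEntries`) is a two-byte read at `dir_start`, as it is elsewhere in this file but outside the hunk, that case reads one byte past the value, so the check should be `if (maker_note->offset + 2 > value_len) {` to cover the count itself. The second guard at line 54 is safe but one stricter than needed: four bytes at `dir_start+10` end at `offset + 14`, so `maker_note->offset + 10 + 4 > value_len` would reject only truly short data. Separately, the header on line 16 says only the binary patch was removed, yet the embedded diffstat at lines 26-31 lists `bug72603.phpt` and no hunk for it appears, so the adapted patch ships the fix without its regression test; either carry the `.phpt` over or note in the header that both test files were dropped. The enclosing `exif_process_IFD_in_MAKERNOTE` and `exif_process_IFD_TAG` bodies continue outside the hunk.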