1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
|
Without test as binary patch not supported
From 1f2fdcd9a2471e6fac220ec2e7a2ca56b7879113 Mon Sep 17 00:00:00 2001
From: Stanislav Malyshev <stas@php.net>
Date: Tue, 2 Apr 2019 00:12:26 -0700
Subject: [PATCH] Fixed bug #77831 - Heap-buffer-overflow in exif_iif_add_value
in EXIF
(cherry picked from commit 887a7b571407f7a49a5e7cf1e612d21ef83fedb4)
---
NEWS | 4 ++++
ext/exif/exif.c | 43 +++++++++++++++++++++++------------
ext/exif/tests/bug77831.phpt | 13 +++++++++++
ext/exif/tests/bug77831.tiff | Bin 0 -> 49 bytes
4 files changed, 45 insertions(+), 15 deletions(-)
create mode 100644 ext/exif/tests/bug77831.phpt
create mode 100644 ext/exif/tests/bug77831.tiff
diff --git a/NEWS b/NEWS
index 0bff457d2b..0dde9880d5 100644
--- a/NEWS
+++ b/NEWS
@@ -3,6 +3,10 @@ PHP NEWS
Backported from 7.1.28
+- EXIF:
+ . Fixed bug #77753 (Heap-buffer-overflow in php_ifd_get32s). (Stas)
+ . Fixed bug #77831 (Heap-buffer-overflow in exif_iif_add_value). (Stas)
+
- SQLite3:
. Added sqlite3.defensive INI directive. (BohwaZ)
diff --git a/ext/exif/exif.c b/ext/exif/exif.c
index 4350124305..547bd58dfb 100644
--- a/ext/exif/exif.c
+++ b/ext/exif/exif.c
@@ -1660,10 +1660,10 @@ static int exif_file_sections_free(image_info_type *ImageInfo)
/* {{{ exif_iif_add_value
Add a value to image_info
*/
-static void exif_iif_add_value(image_info_type *image_info, int section_index, char *name, int tag, int format, int length, void* value, int motorola_intel TSRMLS_DC)
+static void exif_iif_add_value(image_info_type *image_info, int section_index, char *name, int tag, int format, int length, void* value, size_t value_len, int motorola_intel TSRMLS_DC)
{
size_t idex;
- void *vptr;
+ void *vptr, *vptr_end;
image_info_value *info_value;
image_info_data *info_data;
image_info_data *list;
@@ -1685,8 +1685,12 @@ static void exif_iif_add_value(image_info_type *image_info, int section_index, c
switch (format) {
case TAG_FMT_STRING:
+ if (length > value_len) {
+ exif_error_docref("exif_iif_add_value" EXIFERR_CC, image_info, E_WARNING, "length > value_len: %d > %zu", length, value_len);
+ value = NULL;
+ }
if (value) {
- length = php_strnlen(value, length);
+ length = (int)php_strnlen(value, length);
info_value->s = estrndup(value, length);
info_data->length = length;
} else {
@@ -1708,6 +1712,10 @@ static void exif_iif_add_value(image_info_type *image_info, int section_index, c
if (!length)
break;
case TAG_FMT_UNDEFINED:
+ if (length > value_len) {
+ exif_error_docref("exif_iif_add_value" EXIFERR_CC, image_info, E_WARNING, "length > value_len: %d > %zu", length, value_len);
+ value = NULL;
+ }
if (value) {
if (tag == TAG_MAKER_NOTE) {
length = (int) php_strnlen(value, length);
@@ -1738,7 +1746,12 @@ static void exif_iif_add_value(image_info_type *image_info, int section_index, c
} else {
info_value = &info_data->value;
}
+ vptr_end = value+value_len;
for (idex=0,vptr=value; idex<(size_t)length; idex++,vptr=(char *) vptr + php_tiff_bytes_per_format[format]) {
+ if (vptr_end - vptr < php_tiff_bytes_per_format[format]) {
+ exif_error_docref("exif_iif_add_value" EXIFERR_CC, image_info, E_WARNING, "Value too short");
+ break;
+ }
if (length>1) {
info_value = &info_data->value.list[idex];
}
@@ -1774,7 +1787,7 @@ static void exif_iif_add_value(image_info_type *image_info, int section_index, c
php_error_docref(NULL TSRMLS_CC, E_WARNING, "Found value of type single");
#endif
info_value->f = *(float *)value;
-
+ break;
case TAG_FMT_DOUBLE:
#ifdef EXIF_DEBUG
php_error_docref(NULL TSRMLS_CC, E_WARNING, "Found value of type double");
@@ -1792,9 +1805,9 @@ static void exif_iif_add_value(image_info_type *image_info, int section_index, c
/* {{{ exif_iif_add_tag
Add a tag from IFD to image_info
*/
-static void exif_iif_add_tag(image_info_type *image_info, int section_index, char *name, int tag, int format, size_t length, void* value TSRMLS_DC)
+static void exif_iif_add_tag(image_info_type *image_info, int section_index, char *name, int tag, int format, size_t length, void* value, size_t value_len TSRMLS_DC)
{
- exif_iif_add_value(image_info, section_index, name, tag, format, (int)length, value, image_info->motorola_intel TSRMLS_CC);
+ exif_iif_add_value(image_info, section_index, name, tag, format, (int)length, value, value_len, image_info->motorola_intel TSRMLS_CC);
}
/* }}} */
@@ -2218,7 +2231,7 @@ static void add_assoc_image_info(zval *value, int sub_array, image_info_type *im
*/
static void exif_process_COM (image_info_type *image_info, char *value, size_t length TSRMLS_DC)
{
- exif_iif_add_tag(image_info, SECTION_COMMENT, "Comment", TAG_COMPUTED_VALUE, TAG_FMT_STRING, length-2, value+2 TSRMLS_CC);
+ exif_iif_add_tag(image_info, SECTION_COMMENT, "Comment", TAG_COMPUTED_VALUE, TAG_FMT_STRING, length-2, value+2, length-2 TSRMLS_CC);
}
/* }}} */
@@ -2233,17 +2246,17 @@ static void exif_process_CME (image_info_type *image_info, char *value, size_t l
if (length>3) {
switch(value[2]) {
case 0:
- exif_iif_add_tag(image_info, SECTION_COMMENT, "Comment", TAG_COMPUTED_VALUE, TAG_FMT_UNDEFINED, length, value TSRMLS_CC);
+ exif_iif_add_tag(image_info, SECTION_COMMENT, "Comment", TAG_COMPUTED_VALUE, TAG_FMT_UNDEFINED, length, value, length TSRMLS_CC);
break;
case 1:
- exif_iif_add_tag(image_info, SECTION_COMMENT, "Comment", TAG_COMPUTED_VALUE, TAG_FMT_STRING, length, value);
+ exif_iif_add_tag(image_info, SECTION_COMMENT, "Comment", TAG_COMPUTED_VALUE, TAG_FMT_STRING, length, value, length);
break;
default:
php_error_docref(NULL TSRMLS_CC, E_NOTICE, "Undefined JPEG2000 comment encoding");
break;
}
} else {
- exif_iif_add_tag(image_info, SECTION_COMMENT, "Comment", TAG_COMPUTED_VALUE, TAG_FMT_UNDEFINED, 0, NULL);
+ exif_iif_add_tag(image_info, SECTION_COMMENT, "Comment", TAG_COMPUTED_VALUE, TAG_FMT_UNDEFINED, 0, NULL, 0 TSRMLS_CC);
php_error_docref(NULL TSRMLS_CC, E_NOTICE, "JPEG2000 comment section too small");
}
}
@@ -2837,7 +2850,7 @@ static int exif_process_IFD_in_MAKERNOTE(image_info_type *ImageInfo, char * valu
static int exif_process_IFD_TAG(image_info_type *ImageInfo, char *dir_entry, char *offset_base, size_t IFDlength, size_t displacement, int section_index, int ReadNextIFD, tag_table_type tag_table TSRMLS_DC)
{
size_t length;
- int tag, format, components;
+ unsigned int tag, format, components;
char *value_ptr, tagname[64], cbuf[32], *outside=NULL;
size_t byte_count, offset_val, fpos, fgot;
int64_t byte_count_signed;
@@ -3148,7 +3161,7 @@ static int exif_process_IFD_TAG(image_info_type *ImageInfo, char *dir_entry, cha
}
}
}
- exif_iif_add_tag(ImageInfo, section_index, exif_get_tagname(tag, tagname, sizeof(tagname), tag_table TSRMLS_CC), tag, format, components, value_ptr TSRMLS_CC);
+ exif_iif_add_tag(ImageInfo, section_index, exif_get_tagname(tag, tagname, sizeof(tagname), tag_table TSRMLS_CC), tag, format, components, value_ptr, byte_count TSRMLS_CC);
EFREE_IF(outside);
return TRUE;
}
@@ -3306,10 +3319,10 @@ static void exif_process_APP12(image_info_type *ImageInfo, char *buffer, size_t
size_t l1, l2=0;
if ((l1 = php_strnlen(buffer+2, length-2)) > 0) {
- exif_iif_add_tag(ImageInfo, SECTION_APP12, "Company", TAG_NONE, TAG_FMT_STRING, l1, buffer+2 TSRMLS_CC);
+ exif_iif_add_tag(ImageInfo, SECTION_APP12, "Company", TAG_NONE, TAG_FMT_STRING, l1, buffer+2, l1 TSRMLS_CC);
if (length > 2+l1+1) {
l2 = php_strnlen(buffer+2+l1+1, length-2-l1-1);
- exif_iif_add_tag(ImageInfo, SECTION_APP12, "Info", TAG_NONE, TAG_FMT_STRING, l2, buffer+2+l1+1 TSRMLS_CC);
+ exif_iif_add_tag(ImageInfo, SECTION_APP12, "Info", TAG_NONE, TAG_FMT_STRING, l2, buffer+2+l1+1, l2 TSRMLS_CC);
}
}
#ifdef EXIF_DEBUG
@@ -4107,7 +4120,7 @@ PHP_FUNCTION(exif_read_data)
if (ImageInfo.Thumbnail.size) {
if (read_thumbnail) {
/* not exif_iif_add_str : this is a buffer */
- exif_iif_add_tag(&ImageInfo, SECTION_THUMBNAIL, "THUMBNAIL", TAG_NONE, TAG_FMT_UNDEFINED, ImageInfo.Thumbnail.size, ImageInfo.Thumbnail.data TSRMLS_CC);
+ exif_iif_add_tag(&ImageInfo, SECTION_THUMBNAIL, "THUMBNAIL", TAG_NONE, TAG_FMT_UNDEFINED, ImageInfo.Thumbnail.size, ImageInfo.Thumbnail.data, ImageInfo.Thumbnail.size TSRMLS_CC);
}
if (!ImageInfo.Thumbnail.width || !ImageInfo.Thumbnail.height) {
/* try to evaluate if thumbnail data is present */
From 8b4b035dcd3f382e9de4e2f661df2dc0797fc478 Mon Sep 17 00:00:00 2001
From: "Christoph M. Becker" <cmbecker69@gmx.de>
Date: Tue, 2 Apr 2019 10:37:40 +0200
Subject: [PATCH] Pointer arithmetic on void pointers is illegal
We quick-fix this by casting to char*; it might be more appropriate to
use char pointers in the first place.
(cherry picked from commit 01a4de5c5821f67daeff487ef9b3047ce7b47c4c)
---
ext/exif/exif.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/ext/exif/exif.c b/ext/exif/exif.c
index 547bd58dfb..81cf438a8e 100644
--- a/ext/exif/exif.c
+++ b/ext/exif/exif.c
@@ -1746,9 +1746,9 @@ static void exif_iif_add_value(image_info_type *image_info, int section_index, c
} else {
info_value = &info_data->value;
}
- vptr_end = value+value_len;
+ vptr_end = (char *) value + value_len;
for (idex=0,vptr=value; idex<(size_t)length; idex++,vptr=(char *) vptr + php_tiff_bytes_per_format[format]) {
- if (vptr_end - vptr < php_tiff_bytes_per_format[format]) {
+ if ((char *) vptr_end - (char *) vptr < php_tiff_bytes_per_format[format]) {
exif_error_docref("exif_iif_add_value" EXIFERR_CC, image_info, E_WARNING, "Value too short");
break;
}
|