Fix bug #60150 (Integer overflow during the parsing of invalid exif header)
This commit is contained in:
parent
1a30e9dd33
commit
5ebfe19ac6
4
NEWS
4
NEWS
@ -13,6 +13,10 @@ PHP NEWS
|
||||
. Fixed bug #55748 (multiple NULL Pointer Dereference with zend_strndup())
|
||||
(CVE-2011-4153). (Stas)
|
||||
|
||||
- EXIF:
|
||||
. Fixed bu #60150 (Integer overflow during the parsing of invalid exif
|
||||
header). (Stas, flolechaud at gmail dot com)
|
||||
|
||||
- MS SQL:
|
||||
. Fixed bug #60267 (Compile failure with freetds 0.91). (Felipe)
|
||||
|
||||
|
@ -2850,11 +2850,11 @@ static int exif_process_IFD_TAG(image_info_type *ImageInfo, char *dir_entry, cha
|
||||
offset_val = php_ifd_get32u(dir_entry+8, ImageInfo->motorola_intel);
|
||||
/* If its bigger than 4 bytes, the dir entry contains an offset. */
|
||||
value_ptr = offset_base+offset_val;
|
||||
if (offset_val+byte_count > IFDlength || value_ptr < dir_entry) {
|
||||
if (byte_count > IFDlength || offset_val > IFDlength-byte_count || value_ptr < dir_entry) {
|
||||
/* It is important to check for IMAGE_FILETYPE_TIFF
|
||||
* JPEG does not use absolute pointers instead its pointers are
|
||||
* relative to the start of the TIFF header in APP1 section. */
|
||||
if (offset_val+byte_count>ImageInfo->FileSize || (ImageInfo->FileType!=IMAGE_FILETYPE_TIFF_II && ImageInfo->FileType!=IMAGE_FILETYPE_TIFF_MM && ImageInfo->FileType!=IMAGE_FILETYPE_JPEG)) {
|
||||
if (byte_count > ImageInfo->FileSize || offset_val>ImageInfo->FileSize-byte_count || (ImageInfo->FileType!=IMAGE_FILETYPE_TIFF_II && ImageInfo->FileType!=IMAGE_FILETYPE_TIFF_MM && ImageInfo->FileType!=IMAGE_FILETYPE_JPEG)) {
|
||||
if (value_ptr < dir_entry) {
|
||||
/* we can read this if offset_val > 0 */
|
||||
/* some files have their values in other parts of the file */
|
||||
|
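Review bot: `value_ptr = offset_base+offset_val;` is still evaluated before the rewritten guard on the next line validates `offset_val`, so on a hostile header the pointer arithmetic itself runs on an unvalidated 32-bit offset and the `value_ptr < dir_entry` comparison is made on a pointer that may already lie outside the buffer (undefined behaviour in C, even where it happens to work on a flat address space). Consider reordering so the integer checks `byte_count > IFDlength || offset_val > IFDlength-byte_count` run first and `value_ptr` is only formed once they pass; the same ordering concern applies to the second rewritten check against `ImageInfo->FileSize`. The new `IFDlength-byte_count` and `ImageInfo->FileSize-byte_count` subtractions are only safe because the preceding `byte_count > ...` test has already failed; since the types of `byte_count` and `IFDlength` are not visible in this hunk, a comment such as `/* byte_count <= IFDlength here, so the subtraction cannot wrap */` would make that invariant explicit for the next maintainer. exif_process_IFD_TAG begins and ends outside this hunk.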
BIN
ext/exif/tests/bug60150.jpg
Normal file
BIN
ext/exif/tests/bug60150.jpg
Normal file
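--- /dev/null
+++ b/ext/exif/tests/bug60150.phpt
@@ -0,0 +1,21 @@
+--TEST--
+Bug #34704 (Integer overflow during the parsing of invalid exif header)
+--SKIPIF--
+<?php if (!extension_loaded('exif')) print 'skip exif extension not available';?>
+--INI--
+output_handler=
+zlib.output_compression=0
+--FILE--
+<?php
+$infile = dirname(__FILE__).'/bug60150.jpg';
+var_dump(exif_read_data($infile));
+?>
+===DONE===
+--EXPECTF--
+Warning: exif_read_data(bug60150.jpg): Process tag(x9003=DateTimeOri): Illegal pointer offset(x%x + x%x = x%x > x%x) in %s on line %d
+
+Warning: exif_read_data(bug60150.jpg): Error reading from file: got=x%x(=%d) != itemlen-%d=x%x(=%d) in %s on line %d
+
+Warning: exif_read_data(bug60150.jpg): Invalid JPEG file in %s on line %d
+bool(false)
+===DONE===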
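Review bot: The `--TEST--` title names Bug #34704 while the file name, the fixture `bug60150.jpg` and the commit all refer to bug #60150; change it to `Bug #60150 (Integer overflow during the parsing of invalid exif header)` so test listings and failure reports point at the right ticket. The `--EXPECTF--` section pins the exact text of three exif warnings, including the `Illegal pointer offset(x%x + x%x = x%x > x%x)` message whose printed sum is presumably the same addition the fix now avoids computing; if that message is ever reworded or the overflowed sum is dropped from it, this regression test will need updating alongside. Since the purpose of the test is to ensure a crafted header is rejected rather than read past the buffer, the `bool(false)` return is the essential assertion and the warning texts are secondary.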