Fix bug #60150 (Integer overflow during the parsing of invalid exif header)

This commit is contained in:
Stanislav Malyshev 2011-11-19 04:41:03 +00:00
parent 1a30e9dd33
commit 5ebfe19ac6
4 changed files with 27 additions and 2 deletions

NEWS

@ -13,6 +13,10 @@ PHP NEWS
. Fixed bug #55748 (multiple NULL Pointer Dereference with zend_strndup())
(CVE-2011-4153). (Stas)
- EXIF:
. Fixed bu #60150 (Integer overflow during the parsing of invalid exif
header). (Stas, flolechaud at gmail dot com)
- MS SQL:
. Fixed bug #60267 (Compile failure with freetds 0.91). (Felipe)


@ -2850,11 +2850,11 @@ static int exif_process_IFD_TAG(image_info_type *ImageInfo, char *dir_entry, cha
offset_val = php_ifd_get32u(dir_entry+8, ImageInfo->motorola_intel);
/* If its bigger than 4 bytes, the dir entry contains an offset. */
value_ptr = offset_base+offset_val;
if (offset_val+byte_count > IFDlength || value_ptr < dir_entry) {
if (byte_count > IFDlength || offset_val > IFDlength-byte_count || value_ptr < dir_entry) {
/* It is important to check for IMAGE_FILETYPE_TIFF
* JPEG does not use absolute pointers instead its pointers are
* relative to the start of the TIFF header in APP1 section. */
if (offset_val+byte_count>ImageInfo->FileSize || (ImageInfo->FileType!=IMAGE_FILETYPE_TIFF_II && ImageInfo->FileType!=IMAGE_FILETYPE_TIFF_MM && ImageInfo->FileType!=IMAGE_FILETYPE_JPEG)) {
if (byte_count > ImageInfo->FileSize || offset_val>ImageInfo->FileSize-byte_count || (ImageInfo->FileType!=IMAGE_FILETYPE_TIFF_II && ImageInfo->FileType!=IMAGE_FILETYPE_TIFF_MM && ImageInfo->FileType!=IMAGE_FILETYPE_JPEG)) {
if (value_ptr < dir_entry) {
/* we can read this if offset_val > 0 */
/* some files have their values in other parts of the file */
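Review bot: `value_ptr = offset_base+offset_val;` on the line just above the rewritten check still forms the pointer from an offset that has not been range-checked yet, so the `value_ptr < dir_entry` term on the new line compares a pointer that may already lie outside the IFD buffer; in C that arithmetic is undefined before the bounds test runs, and an optimizer is free to treat the later pointer comparison as never true. The new ordering `byte_count > IFDlength || offset_val > IFDlength-byte_count` is sound on its own, since the subtraction only executes after the first term has ruled out underflow — assuming the three variables share an unsigned type, which cannot be confirmed because their declarations are outside the hunk. A way to close the remaining gap is to express the back-pointer test on offsets before building the pointer, e.g. `if (byte_count > IFDlength || offset_val > IFDlength-byte_count || offset_val < (size_t)(dir_entry - offset_base)) {` with `value_ptr = offset_base+offset_val;` moved after the check (this presumes dir_entry lies inside the same buffer as offset_base — verify against the caller), and the same applies to the FileSize test on the second changed line. exif_process_IFD_TAG starts and ends outside the hunk.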

ext/exif/tests/bug60150.jpg Normal file




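--- /dev/null
+++ b/ext/exif/tests/bug60150.phpt
+--TEST--
+Bug #34704 (Integer overflow during the parsing of invalid exif header)
+--SKIPIF--
+<?php if (!extension_loaded('exif')) print 'skip exif extension not available';?>
+--INI--
+output_handler=
+zlib.output_compression=0
+--FILE--
+<?php
+$infile = dirname(__FILE__).'/bug60150.jpg';
+var_dump(exif_read_data($infile));
+?>
+===DONE===
+--EXPECTF--
+Warning: exif_read_data(bug60150.jpg): Process tag(x9003=DateTimeOri): Illegal pointer offset(x%x + x%x = x%x > x%x) in %s on line %d
+Warning: exif_read_data(bug60150.jpg): Error reading from file: got=x%x(=%d) != itemlen-%d=x%x(=%d) in %s on line %d
+Warning: exif_read_data(bug60150.jpg): Invalid JPEG file in %s on line %d
+bool(false)
+===DONE===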
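Review bot: The `--TEST--` line names Bug #34704, while the file name, the fixture `bug60150.jpg` and the NEWS entry all refer to bug #60150, so failures of this test would be reported against the wrong issue; change it to `Bug #60150 (Integer overflow during the parsing of invalid exif header)`. The `--EXPECTF--` block pins the exact wording of all three warnings, including the `Illegal pointer offset(...)` message from the patched check, so any later rewording of that message will require updating this expectation as well. The rendered page shows 19 of the 21 added lines, so the blank lines that normally separate PHP warnings in the expected output may have been dropped in display rather than omitted from the file.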