mirror of
https://github.com/php/php-src.git
synced 2024-09-21 18:07:23 +00:00
Fix bug #77950 - Heap-buffer-overflow in _estrndup via exif_process_IFD_TAG
I do not completely understand what is going on there, but I am pretty sure dir_entry <= offset_base if not a normal situation, so we better not to rely on such dir_entry.
This commit is contained in:
parent
6c631ccfef
commit
f80ad18afa
11
NEWS
11
NEWS
@ -2,13 +2,20 @@ PHP NEWS
|
||||
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
||||
?? ??? 2019, PHP 7.1.29
|
||||
|
||||
- EXIF
|
||||
. Fixed bug #77950 (Heap-buffer-overflow in _estrndup via exif_process_IFD_TAG).
|
||||
(CVE-2019-11036) (Stas)
|
||||
|
||||
- Mail
|
||||
. Fixed bug #77821 (Potential heap corruption in TSendMail()). (cmb)
|
||||
|
||||
04 Apr 2019, PHP 7.1.28
|
||||
|
||||
- EXIF:
|
||||
. Fixed bug #77753 (Heap-buffer-overflow in php_ifd_get32s). (Stas)
|
||||
. Fixed bug #77831 (Heap-buffer-overflow in exif_iif_add_value). (Stas)
|
||||
. Fixed bug #77753 (Heap-buffer-overflow in php_ifd_get32s). (CVE-2019-11034)
|
||||
(Stas)
|
||||
. Fixed bug #77831 (Heap-buffer-overflow in exif_iif_add_value).
|
||||
(CVE-2019-11035) (Stas)
|
||||
|
||||
- SQLite3:
|
||||
. Added sqlite3.defensive INI directive. (BohwaZ)
|
||||
|
@ -2891,7 +2891,7 @@ static int exif_process_IFD_TAG(image_info_type *ImageInfo, char *dir_entry, cha
|
||||
offset_base is ImageInfo->file.list[sn].data-dir_offset
|
||||
dir_entry - offset_base is dir_offset+2+i*12
|
||||
*/
|
||||
if (byte_count > IFDlength || offset_val > IFDlength-byte_count || value_ptr < dir_entry || offset_val < (size_t)(dir_entry-offset_base)) {
|
||||
if (byte_count > IFDlength || offset_val > IFDlength-byte_count || value_ptr < dir_entry || offset_val < (size_t)(dir_entry-offset_base) || dir_entry <= offset_base) {
|
||||
/* It is important to check for IMAGE_FILETYPE_TIFF
|
||||
* JPEG does not use absolute pointers instead its pointers are
|
||||
* relative to the start of the TIFF header in APP1 section. */
|
||||
|
12
ext/exif/tests/bug77950.phpt
Normal file
12
ext/exif/tests/bug77950.phpt
Normal file
@ -0,0 +1,12 @@
|
||||
--TEST--
|
||||
Bug #77950 (Heap-buffer-overflow in _estrndup via exif_process_IFD_TAG)
|
||||
--SKIPIF--
|
||||
<?php if (!extension_loaded('exif')) print 'skip exif extension not available';?>
|
||||
--FILE--
|
||||
<?php
|
||||
exif_read_data(__DIR__."/bug77950.tiff");
|
||||
?>
|
||||
DONE
|
||||
--EXPECTF--
|
||||
%A
|
||||
DONE
|
BIN
ext/exif/tests/bug77950.tiff
Normal file
BIN
ext/exif/tests/bug77950.tiff
Normal file
Binary file not shown.
Loading…
Reference in New Issue
Block a user