Merge branch 'bug68799' into PHP-5.4

* bug68799: Fix bug #68799: Free called on unitialized pointer
2024-09-24 03:17:26 +00:00 · 2015-01-20 00:57:55 -08:00 · 2015-01-20 00:57:55 -08:00 · fc6aa939f5
commit fc6aa939f5
parent 0a76610459 2fc178cf44
4 changed files with 68 additions and 2 deletions
--- a/5
+++ b/5
@ -2,7 +2,10 @@ PHP                                                                        NEWS
 |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
 ?? ??? 20?? PHP 5.4.37
 - CGI:
-  . Fix bug #68618 (out of bounds read crashes php-cgi). (Stas)
+  . Fixed bug #68618 (out of bounds read crashes php-cgi). (Stas)
+
+- EXIF:
+  . Fix bug #68799: Free called on unitialized pointer. (CVE-2015-0232) (Stas)

 - Fileinfo:
  . Removed readelf.c and related code from libmagic sources
--- a/ext/exif/exif.c
+++ b/ext/exif/exif.c
@ -2702,7 +2702,7 @@ static int exif_process_user_comment(image_info_type *ImageInfo, char **pszInfoP
 static int exif_process_unicode(image_info_type *ImageInfo, xp_field_type *xp_field, int tag, char *szValuePtr, int ByteCount TSRMLS_DC)
 {
 	xp_field->tag = tag;	
-	
+	xp_field->value = NULL;
 	/* XXX this will fail again if encoding_converter returns on error something different than SIZE_MAX   */
 	if (zend_multibyte_encoding_converter(
 			(unsigned char**)&xp_field->value, 
--- a/ext/exif/tests/bug68799.jpg
+++ b/ext/exif/tests/bug68799.jpg
--- a/ext/exif/tests/bug68799.phpt
+++ b/ext/exif/tests/bug68799.phpt
@ -0,0 +1,63 @@
+--TEST--
+Bug #68799 (Free called on unitialized pointer)
+--SKIPIF--
+<?php if (!extension_loaded('exif')) print 'skip exif extension not available';?>
+--FILE--
+<?php
+/*
+* Pollute the heap. Helps trigger bug. Sometimes not needed.
+*/
+class A {
+    function __construct() {
+        $a = 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAa';
+        $this->a = $a . $a . $a . $a . $a . $a;
+    }
+};
+
+function doStuff ($limit) {
+
+    $a = new A;
+
+    $b = array();
+    for ($i = 0; $i < $limit; $i++) {
+        $b[$i] = clone $a;
+    }
+
+    unset($a);
+
+    gc_collect_cycles();
+}
+
+$iterations = 3;
+
+doStuff($iterations);
+doStuff($iterations);
+
+gc_collect_cycles();
+
+print_r(exif_read_data(__DIR__.'/bug68799.jpg'));
+
+?>
+--EXPECTF--
+Array
+(
+    [FileName] => bug68799.jpg
+    [FileDateTime] => %d
+    [FileSize] => 735
+    [FileType] => 2
+    [MimeType] => image/jpeg
+    [SectionsFound] => ANY_TAG, IFD0, WINXP
+    [COMPUTED] => Array
+        (
+            [html] => width="1" height="1"
+            [Height] => 1
+            [Width] => 1
+            [IsColor] => 1
+            [ByteOrderMotorola] => 1
+        )
+
+    [XResolution] => 96/1
+    [YResolution] => 96/1
+    [ResolutionUnit] => 2
+    [Author] => 
+)