pajoye Mon, 14 Feb 2011 09:08:44 +0000 Revision: http://svn.php.net/viewvc?view=revision&revision=308316
Log: - fix bug #54002, exif_read_data crashes on crafted tags Bug: http://bugs.php.net/54002 (error getting bug information) Changed paths: U php/php-src/branches/PHP_5_3/ext/exif/exif.c A php/php-src/branches/PHP_5_3/ext/exif/tests/bug54002.phpt A php/php-src/branches/PHP_5_3/ext/exif/tests/bug54002_1.jpeg A php/php-src/branches/PHP_5_3/ext/exif/tests/bug54002_2.jpeg U php/php-src/trunk/ext/exif/exif.c A php/php-src/trunk/ext/exif/tests/bug54002.phpt A php/php-src/trunk/ext/exif/tests/bug54002_1.jpeg A php/php-src/trunk/ext/exif/tests/bug54002_2.jpeg
Modified: php/php-src/branches/PHP_5_3/ext/exif/exif.c
===================================================================
--- php/php-src/branches/PHP_5_3/ext/exif/exif.c 2011-02-14 08:46:53 UTC (rev 308315)
+++ php/php-src/branches/PHP_5_3/ext/exif/exif.c 2011-02-14 09:08:44 UTC (rev 308316)
@@ -40,6 +40,10 @@
 #include "php.h"
 #include "ext/standard/file.h"
+#ifdef PHP_WIN32
+include "win32/php_stdint.h"
+#endif
+
 #if HAVE_EXIF
 /* When EXIF_DEBUG is defined the module generates a lot of debug messages
@@ -2821,6 +2825,7 @@
 int tag, format, components;
 char *value_ptr, tagname[64], cbuf[32], *outside=NULL;
 size_t byte_count, offset_val, fpos, fgot;
+ int64_t byte_count_signed;
 xp_field_type *tmp_xp;
 #ifdef EXIF_DEBUG
 char *dump_data;
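Review bot: In the `@@ -40,6 +40,10 @@` hunk the added line `include "win32/php_stdint.h"` is missing its leading `#`, so under `PHP_WIN32` it is not a preprocessor directive and the file should fail to compile there; it should read `#include "win32/php_stdint.h"`. The same line is added to the trunk copy of exif.c in its own `@@ -40,6 +40,10 @@` hunk. On other platforms the `int64_t byte_count_signed;` declaration added in the next hunk depends on whatever `php.h` pulls in, which is not visible here, so an `#else` branch with `#include <stdint.h>` would make that dependency explicit.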
@@ -2845,13 +2850,20 @@
 /*return TRUE;*/
 }
- byte_count = components * php_tiff_bytes_per_format[format];
+ if (components < 0) {
+ exif_error_docref("exif_read_data#error_ifd" EXIFERR_CC, ImageInfo, E_WARNING, "Process tag(x%04X=%s): Illegal byte_count(%ld)", tag, exif_get_tagname(tag, tagname, -12, tag_table TSRMLS_CC), byte_count);
+ return FALSE;
+ }
- if ((ssize_t)byte_count < 0) {
+ byte_count_signed = (int64_t)components * php_tiff_bytes_per_format[format];
+
+ if (byte_count_signed < 0 || (byte_count_signed > 2147483648)) {
 exif_error_docref("exif_read_data#error_ifd" EXIFERR_CC, ImageInfo, E_WARNING, "Process tag(x%04X=%s): Illegal byte_count(%ld)", tag, exif_get_tagname(tag, tagname, -12, tag_table TSRMLS_CC), byte_count);
 return FALSE;
 }
+ byte_count = (size_t)byte_count_signed;
+
 if (byte_count > 4) {
 offset_val = php_ifd_get32u(dir_entry+8, ImageInfo->motorola_intel);
 /* If its bigger than 4 bytes, the dir entry contains an offset. */
@@ -2916,6 +2928,7 @@
 efree(dump_data);
 }
 #endif
+
 if (section_index==SECTION_THUMBNAIL) {
 if (!ImageInfo->Thumbnail.data) {
 switch(tag) {
Added: php/php-src/branches/PHP_5_3/ext/exif/tests/bug54002.phpt
===================================================================
--- php/php-src/branches/PHP_5_3/ext/exif/tests/bug54002.phpt (rev 0)
+++ php/php-src/branches/PHP_5_3/ext/exif/tests/bug54002.phpt 2011-02-14 09:08:44 UTC (rev 308316)
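Review bot: Both warning calls in the `@@ -2845,13 +2850,20 @@` hunk still pass `byte_count`, but the only assignment left, `byte_count = (size_t)byte_count_signed;`, sits after both early returns, so as far as the visible lines show the message prints an unassigned `size_t` (through `%ld`, which does not match `size_t` either). Report the value that was actually rejected: pass `components` with `%d` in the `components < 0` branch, and `byte_count_signed` with a 64-bit format in the second branch. The bound `byte_count_signed > 2147483648` also lets exactly 2^31 through; if the intent is to keep the count within a signed 32-bit range, `byte_count_signed > 2147483647` states that. The trunk hunk `@@ -2841,13 +2846,19 @@` carries the same lines, and the enclosing function starts and ends outside the hunk.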
@@ -0,0 +1,20 @@
+--TEST--
+Bug #54002 (crash on crafted tag)
+--INI--
+memory_limit=-1
+--SKIPIF--
+<?php if (!extension_loaded('exif')) print 'skip exif extension not available';?>
+--FILE--
+<?php
+exif_read_data(__DIR__ . '/bug54002_1.jpeg');
+exif_read_data(__DIR__ . '/bug54002_2.jpeg');
+
+?>
+--EXPECTF--
+Warning: exif_read_data(bug54002_1.jpeg): Process tag(x0205=UndefinedTa): Illegal byte_count(8) in %sbug54002.php on line %d
+
+Warning: exif_read_data(bug54002_1.jpeg): Process tag(xA000=FlashPixVer): Illegal pointer offset(%s) in %sbug54002.php on line %d
+
+Warning: exif_read_data(bug54002_2.jpeg): Process tag(x0205=UndefinedTa): Illegal byte_count(8) in %sbug54002.php on line %d
+
+Warning: exif_read_data(bug54002_2.jpeg): Process tag(xA000=FlashPixVer): Illegal pointer offset(%s) in %sbug54002.php on line %d
Added: php/php-src/branches/PHP_5_3/ext/exif/tests/bug54002_1.jpeg
===================================================================
(Binary files differ)
Property changes on: php/php-src/branches/PHP_5_3/ext/exif/tests/bug54002_1.jpeg
___________________________________________________________________
Added: svn:mime-type + application/octet-stream
Added: php/php-src/branches/PHP_5_3/ext/exif/tests/bug54002_2.jpeg
===================================================================
(Binary files differ)
Property changes on: php/php-src/branches/PHP_5_3/ext/exif/tests/bug54002_2.jpeg
___________________________________________________________________
Added: svn:mime-type + application/octet-stream
Modified: php/php-src/trunk/ext/exif/exif.c
===================================================================
--- php/php-src/trunk/ext/exif/exif.c 2011-02-14 08:46:53 UTC (rev 308315)
+++ php/php-src/trunk/ext/exif/exif.c 2011-02-14 09:08:44 UTC (rev 308316)
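Review bot: The EXPECTF block of the PHP_5_3 bug54002.phpt pins a literal `Illegal byte_count(8)` for tag x0205 in both files, while the trunk copy of the same test expects `Illegal byte_count(%d)`. In the exif.c hunk that emits this warning, `byte_count` appears not to be assigned before it is printed, so the 8 is probably incidental and may differ between platforms or builds. Use the placeholder here too, `Illegal byte_count(%d) in %sbug54002.php on line %d`, so that the test checks that the crafted tag is rejected, not which stale value happens to be printed.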
@@ -40,6 +40,10 @@
 #include "php.h"
 #include "ext/standard/file.h"
+#ifdef PHP_WIN32
+include "win32/php_stdint.h"
+#endif
+
 #if HAVE_EXIF
 /* When EXIF_DEBUG is defined the module generates a lot of debug messages
@@ -2817,6 +2821,7 @@
 int tag, format, components;
 char *value_ptr, tagname[64], cbuf[32], *outside=NULL;
 size_t byte_count, offset_val, fpos, fgot;
+ int64_t byte_count_signed;
 xp_field_type *tmp_xp;
 #ifdef EXIF_DEBUG
 char *dump_data;
@@ -2841,13 +2846,19 @@
 /*return TRUE;*/
 }
- byte_count = components * php_tiff_bytes_per_format[format];
+ if (components < 0) {
+ exif_error_docref("exif_read_data#error_ifd" EXIFERR_CC, ImageInfo, E_WARNING, "Process tag(x%04X=%s): Illegal byte_count(%ld)", tag, exif_get_tagname(tag, tagname, -12, tag_table TSRMLS_CC), byte_count);
+ return FALSE;
+ }
+ byte_count_signed = (int64_t)components * php_tiff_bytes_per_format[format];
- if ((ssize_t)byte_count < 0) {
+ if (byte_count_signed < 0 || (byte_count_signed > 2147483648)) {
 exif_error_docref("exif_read_data#error_ifd" EXIFERR_CC, ImageInfo, E_WARNING, "Process tag(x%04X=%s): Illegal byte_count(%ld)", tag, exif_get_tagname(tag, tagname, -12, tag_table TSRMLS_CC), byte_count);
 return FALSE;
 }
+ byte_count = (size_t)byte_count_signed;
+
 if (byte_count > 4) {
 offset_val = php_ifd_get32u(dir_entry+8, ImageInfo->motorola_intel);
 /* If its bigger than 4 bytes, the dir entry contains an offset. */
@@ -2912,6 +2923,7 @@
 efree(dump_data);
 }
 #endif
+
 if (section_index==SECTION_THUMBNAIL) {
 if (!ImageInfo->Thumbnail.data) {
 switch(tag) {
Added: php/php-src/trunk/ext/exif/tests/bug54002.phpt
===================================================================
--- php/php-src/trunk/ext/exif/tests/bug54002.phpt (rev 0)
+++ php/php-src/trunk/ext/exif/tests/bug54002.phpt 2011-02-14 09:08:44 UTC (rev 308316)
@@ -0,0 +1,20 @@
+--TEST--
+Bug #54002 (crash on crafted tag)
+--INI--
+memory_limit=-1
+--SKIPIF--
+<?php if (!extension_loaded('exif')) print 'skip exif extension not available';?>
+--FILE--
+<?php
+exif_read_data(__DIR__ . '/bug54002_1.jpeg');
+exif_read_data(__DIR__ . '/bug54002_2.jpeg');
+
+?>
+--EXPECTF--
+Warning: exif_read_data(bug54002_1.jpeg): Process tag(x0205=UndefinedTa): Illegal byte_count(%d) in %sbug54002.php on line %d
+
+Warning: exif_read_data(bug54002_1.jpeg): Process tag(xA000=FlashPixVer): Illegal pointer offset(%s) in %sbug54002.php on line %d
+
+Warning: exif_read_data(bug54002_2.jpeg): Process tag(x0205=UndefinedTa): Illegal byte_count(%d) in %sbug54002.php on line %d
+
+Warning: exif_read_data(bug54002_2.jpeg): Process tag(xA000=FlashPixVer): Illegal pointer offset(%s) in %sbug54002.php on line %d
Added: php/php-src/trunk/ext/exif/tests/bug54002_1.jpeg
===================================================================
(Binary files differ)
Property changes on: php/php-src/trunk/ext/exif/tests/bug54002_1.jpeg
___________________________________________________________________
Added: svn:mime-type + application/octet-stream
Added: php/php-src/trunk/ext/exif/tests/bug54002_2.jpeg
===================================================================
(Binary files differ)
Property changes on: php/php-src/trunk/ext/exif/tests/bug54002_2.jpeg
___________________________________________________________________
Added: svn:mime-type + application/octet-stream