stas Sat, 19 Nov 2011 04:41:03 +0000 Revision: http://svn.php.net/viewvc?view=revision&revision=319534
Log: Fix bug #60150 (Integer overflow during the parsing of invalid exif header) Bug: https://bugs.php.net/60150 (Closed) Integer overflow during the parsing of invalid exif header Changed paths: U php/php-src/branches/PHP_5_4/NEWS U php/php-src/branches/PHP_5_4/ext/exif/exif.c A php/php-src/branches/PHP_5_4/ext/exif/tests/bug60150.jpg A php/php-src/branches/PHP_5_4/ext/exif/tests/bug60150.phpt U php/php-src/trunk/ext/exif/exif.c A php/php-src/trunk/ext/exif/tests/bug60150.jpg A php/php-src/trunk/ext/exif/tests/bug60150.phpt Modified: php/php-src/branches/PHP_5_4/NEWS =================================================================== --- php/php-src/branches/PHP_5_4/NEWS 2011-11-19 03:57:48 UTC (rev 319533) +++ php/php-src/branches/PHP_5_4/NEWS 2011-11-19 04:41:03 UTC (rev 319534) @@ -13,6 +13,10 @@ . Fixed bug #55748 (multiple NULL Pointer Dereference with zend_strndup()) (CVE-2011-4153). (Stas) +- EXIF: + . Fixed bu #60150 (Integer overflow during the parsing of invalid exif + header). (Stas, flolechaud at gmail dot com) + - MS SQL: . Fixed bug #60267 (Compile failure with freetds 0.91). (Felipe) Modified: php/php-src/branches/PHP_5_4/ext/exif/exif.c =================================================================== --- php/php-src/branches/PHP_5_4/ext/exif/exif.c 2011-11-19 03:57:48 UTC (rev 319533) +++ php/php-src/branches/PHP_5_4/ext/exif/exif.c 2011-11-19 04:41:03 UTC (rev 319534) @@ -2850,11 +2850,11 @@ offset_val = php_ifd_get32u(dir_entry+8, ImageInfo->motorola_intel); /* If its bigger than 4 bytes, the dir entry contains an offset. */ value_ptr = offset_base+offset_val; - if (offset_val+byte_count > IFDlength || value_ptr < dir_entry) { + if (byte_count > IFDlength || offset_val > IFDlength-byte_count || value_ptr < dir_entry) { /* It is important to check for IMAGE_FILETYPE_TIFF * JPEG does not use absolute pointers instead its pointers are * relative to the start of the TIFF header in APP1 section. */ - if (offset_val+byte_count>ImageInfo->FileSize || (ImageInfo->FileType!=IMAGE_FILETYPE_TIFF_II && ImageInfo->FileType!=IMAGE_FILETYPE_TIFF_MM && ImageInfo->FileType!=IMAGE_FILETYPE_JPEG)) { + if (byte_count > ImageInfo->FileSize || offset_val>ImageInfo->FileSize-byte_count || (ImageInfo->FileType!=IMAGE_FILETYPE_TIFF_II && ImageInfo->FileType!=IMAGE_FILETYPE_TIFF_MM && ImageInfo->FileType!=IMAGE_FILETYPE_JPEG)) { if (value_ptr < dir_entry) { /* we can read this if offset_val > 0 */ /* some files have their values in other parts of the file */ Added: php/php-src/branches/PHP_5_4/ext/exif/tests/bug60150.jpg =================================================================== (Binary files differ) Property changes on: php/php-src/branches/PHP_5_4/ext/exif/tests/bug60150.jpg ___________________________________________________________________ Added: svn:mime-type + application/octet-stream Added: php/php-src/branches/PHP_5_4/ext/exif/tests/bug60150.phpt =================================================================== --- php/php-src/branches/PHP_5_4/ext/exif/tests/bug60150.phpt (rev 0) +++ php/php-src/branches/PHP_5_4/ext/exif/tests/bug60150.phpt 2011-11-19 04:41:03 UTC (rev 319534) @@ -0,0 +1,21 @@ +--TEST-- +Bug #34704 (Integer overflow during the parsing of invalid exif header) +--SKIPIF-- +<?php if (!extension_loaded('exif')) print 'skip exif extension not available';?> +--INI-- +output_handler= +zlib.output_compression=0 +--FILE-- +<?php +$infile = dirname(__FILE__).'/bug60150.jpg'; +var_dump(exif_read_data($infile)); +?> +===DONE=== +--EXPECTF-- +Warning: exif_read_data(bug60150.jpg): Process tag(x9003=DateTimeOri): Illegal pointer offset(x%x + x%x = x%x > x%x) in %s on line %d + +Warning: exif_read_data(bug60150.jpg): Error reading from file: got=x%x(=%d) != itemlen-%d=x%x(=%d) in %s on line %d + +Warning: exif_read_data(bug60150.jpg): Invalid JPEG file in %s on line %d +bool(false) +===DONE=== Property changes on: php/php-src/branches/PHP_5_4/ext/exif/tests/bug60150.phpt ___________________________________________________________________ Added: svn:executable + * Modified: php/php-src/trunk/ext/exif/exif.c =================================================================== --- php/php-src/trunk/ext/exif/exif.c 2011-11-19 03:57:48 UTC (rev 319533) +++ php/php-src/trunk/ext/exif/exif.c 2011-11-19 04:41:03 UTC (rev 319534) @@ -2850,11 +2850,11 @@ offset_val = php_ifd_get32u(dir_entry+8, ImageInfo->motorola_intel); /* If its bigger than 4 bytes, the dir entry contains an offset. */ value_ptr = offset_base+offset_val; - if (offset_val+byte_count > IFDlength || value_ptr < dir_entry) { + if (byte_count > IFDlength || offset_val > IFDlength-byte_count || value_ptr < dir_entry) { /* It is important to check for IMAGE_FILETYPE_TIFF * JPEG does not use absolute pointers instead its pointers are * relative to the start of the TIFF header in APP1 section. */ - if (offset_val+byte_count>ImageInfo->FileSize || (ImageInfo->FileType!=IMAGE_FILETYPE_TIFF_II && ImageInfo->FileType!=IMAGE_FILETYPE_TIFF_MM && ImageInfo->FileType!=IMAGE_FILETYPE_JPEG)) { + if (byte_count > ImageInfo->FileSize || offset_val>ImageInfo->FileSize-byte_count || (ImageInfo->FileType!=IMAGE_FILETYPE_TIFF_II && ImageInfo->FileType!=IMAGE_FILETYPE_TIFF_MM && ImageInfo->FileType!=IMAGE_FILETYPE_JPEG)) { if (value_ptr < dir_entry) { /* we can read this if offset_val > 0 */ /* some files have their values in other parts of the file */ Added: php/php-src/trunk/ext/exif/tests/bug60150.jpg =================================================================== (Binary files differ) Property changes on: php/php-src/trunk/ext/exif/tests/bug60150.jpg ___________________________________________________________________ Added: svn:mime-type + application/octet-stream Added: php/php-src/trunk/ext/exif/tests/bug60150.phpt =================================================================== --- php/php-src/trunk/ext/exif/tests/bug60150.phpt (rev 0) +++ php/php-src/trunk/ext/exif/tests/bug60150.phpt 2011-11-19 04:41:03 UTC (rev 319534) @@ -0,0 +1,21 @@ +--TEST-- +Bug #34704 (Integer overflow during the parsing of invalid exif header) +--SKIPIF-- +<?php if (!extension_loaded('exif')) print 'skip exif extension not available';?> +--INI-- +output_handler= +zlib.output_compression=0 +--FILE-- +<?php +$infile = dirname(__FILE__).'/bug60150.jpg'; +var_dump(exif_read_data($infile)); +?> +===DONE=== +--EXPECTF-- +Warning: exif_read_data(bug60150.jpg): Process tag(x9003=DateTimeOri): Illegal pointer offset(x%x + x%x = x%x > x%x) in %s on line %d + +Warning: exif_read_data(bug60150.jpg): Error reading from file: got=x%x(=%d) != itemlen-%d=x%x(=%d) in %s on line %d + +Warning: exif_read_data(bug60150.jpg): Invalid JPEG file in %s on line %d +bool(false) +===DONE=== Property changes on: php/php-src/trunk/ext/exif/tests/bug60150.phpt ___________________________________________________________________ Added: svn:executable + *
-- PHP CVS Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php