stas                                     Sat, 19 Nov 2011 04:41:03 +0000

Revision: http://svn.php.net/viewvc?view=revision&revision=319534

Log:
Fix bug #60150 (Integer overflow during the parsing of invalid exif header)

Bug: https://bugs.php.net/60150 (Closed) Integer overflow during the parsing of 
invalid exif header
      
Changed paths:
    U   php/php-src/branches/PHP_5_4/NEWS
    U   php/php-src/branches/PHP_5_4/ext/exif/exif.c
    A   php/php-src/branches/PHP_5_4/ext/exif/tests/bug60150.jpg
    A   php/php-src/branches/PHP_5_4/ext/exif/tests/bug60150.phpt
    U   php/php-src/trunk/ext/exif/exif.c
    A   php/php-src/trunk/ext/exif/tests/bug60150.jpg
    A   php/php-src/trunk/ext/exif/tests/bug60150.phpt

Modified: php/php-src/branches/PHP_5_4/NEWS
===================================================================
--- php/php-src/branches/PHP_5_4/NEWS   2011-11-19 03:57:48 UTC (rev 319533)
+++ php/php-src/branches/PHP_5_4/NEWS   2011-11-19 04:41:03 UTC (rev 319534)
@@ -13,6 +13,10 @@
   . Fixed bug #55748 (multiple NULL Pointer Dereference with zend_strndup())
     (CVE-2011-4153). (Stas)

+- EXIF:
+  . Fixed bu #60150 (Integer overflow during the parsing of invalid exif
+    header). (Stas, flolechaud at gmail dot com)
+
 - MS SQL:
   . Fixed bug #60267 (Compile failure with freetds 0.91). (Felipe)


Modified: php/php-src/branches/PHP_5_4/ext/exif/exif.c
===================================================================
--- php/php-src/branches/PHP_5_4/ext/exif/exif.c        2011-11-19 03:57:48 UTC 
(rev 319533)
+++ php/php-src/branches/PHP_5_4/ext/exif/exif.c        2011-11-19 04:41:03 UTC 
(rev 319534)
@@ -2850,11 +2850,11 @@
                offset_val = php_ifd_get32u(dir_entry+8, 
ImageInfo->motorola_intel);
                /* If its bigger than 4 bytes, the dir entry contains an 
offset. */
                value_ptr = offset_base+offset_val;
-               if (offset_val+byte_count > IFDlength || value_ptr < dir_entry) 
{
+               if (byte_count > IFDlength || offset_val > IFDlength-byte_count 
|| value_ptr < dir_entry) {
                        /* It is important to check for IMAGE_FILETYPE_TIFF
                         * JPEG does not use absolute pointers instead its 
pointers are
                         * relative to the start of the TIFF header in APP1 
section. */
-                       if (offset_val+byte_count>ImageInfo->FileSize || 
(ImageInfo->FileType!=IMAGE_FILETYPE_TIFF_II && 
ImageInfo->FileType!=IMAGE_FILETYPE_TIFF_MM && 
ImageInfo->FileType!=IMAGE_FILETYPE_JPEG)) {
+                       if (byte_count > ImageInfo->FileSize || 
offset_val>ImageInfo->FileSize-byte_count || 
(ImageInfo->FileType!=IMAGE_FILETYPE_TIFF_II && 
ImageInfo->FileType!=IMAGE_FILETYPE_TIFF_MM && 
ImageInfo->FileType!=IMAGE_FILETYPE_JPEG)) {
                                if (value_ptr < dir_entry) {
                                        /* we can read this if offset_val > 0 */
                                        /* some files have their values in 
other parts of the file */

Added: php/php-src/branches/PHP_5_4/ext/exif/tests/bug60150.jpg
===================================================================
(Binary files differ)


Property changes on: php/php-src/branches/PHP_5_4/ext/exif/tests/bug60150.jpg
___________________________________________________________________
Added: svn:mime-type
   + application/octet-stream

Added: php/php-src/branches/PHP_5_4/ext/exif/tests/bug60150.phpt
===================================================================
--- php/php-src/branches/PHP_5_4/ext/exif/tests/bug60150.phpt                   
        (rev 0)
+++ php/php-src/branches/PHP_5_4/ext/exif/tests/bug60150.phpt   2011-11-19 
04:41:03 UTC (rev 319534)
@@ -0,0 +1,21 @@
+--TEST--
+Bug #34704 (Integer overflow during the parsing of invalid exif header)
+--SKIPIF--
+<?php if (!extension_loaded('exif')) print 'skip exif extension not 
available';?>
+--INI--
+output_handler=
+zlib.output_compression=0
+--FILE--
+<?php
+$infile = dirname(__FILE__).'/bug60150.jpg';
+var_dump(exif_read_data($infile));
+?>
+===DONE===
+--EXPECTF--
+Warning: exif_read_data(bug60150.jpg): Process tag(x9003=DateTimeOri): Illegal 
pointer offset(x%x + x%x = x%x > x%x) in %s on line %d
+
+Warning: exif_read_data(bug60150.jpg): Error reading from file: got=x%x(=%d) 
!= itemlen-%d=x%x(=%d) in %s on line %d
+
+Warning: exif_read_data(bug60150.jpg): Invalid JPEG file in %s on line %d
+bool(false)
+===DONE===


Property changes on: php/php-src/branches/PHP_5_4/ext/exif/tests/bug60150.phpt
___________________________________________________________________
Added: svn:executable
   + *

Modified: php/php-src/trunk/ext/exif/exif.c
===================================================================
--- php/php-src/trunk/ext/exif/exif.c   2011-11-19 03:57:48 UTC (rev 319533)
+++ php/php-src/trunk/ext/exif/exif.c   2011-11-19 04:41:03 UTC (rev 319534)
@@ -2850,11 +2850,11 @@
                offset_val = php_ifd_get32u(dir_entry+8, 
ImageInfo->motorola_intel);
                /* If its bigger than 4 bytes, the dir entry contains an 
offset. */
                value_ptr = offset_base+offset_val;
-               if (offset_val+byte_count > IFDlength || value_ptr < dir_entry) 
{
+               if (byte_count > IFDlength || offset_val > IFDlength-byte_count 
|| value_ptr < dir_entry) {
                        /* It is important to check for IMAGE_FILETYPE_TIFF
                         * JPEG does not use absolute pointers instead its 
pointers are
                         * relative to the start of the TIFF header in APP1 
section. */
-                       if (offset_val+byte_count>ImageInfo->FileSize || 
(ImageInfo->FileType!=IMAGE_FILETYPE_TIFF_II && 
ImageInfo->FileType!=IMAGE_FILETYPE_TIFF_MM && 
ImageInfo->FileType!=IMAGE_FILETYPE_JPEG)) {
+                       if (byte_count > ImageInfo->FileSize || 
offset_val>ImageInfo->FileSize-byte_count || 
(ImageInfo->FileType!=IMAGE_FILETYPE_TIFF_II && 
ImageInfo->FileType!=IMAGE_FILETYPE_TIFF_MM && 
ImageInfo->FileType!=IMAGE_FILETYPE_JPEG)) {
                                if (value_ptr < dir_entry) {
                                        /* we can read this if offset_val > 0 */
                                        /* some files have their values in 
other parts of the file */

Added: php/php-src/trunk/ext/exif/tests/bug60150.jpg
===================================================================
(Binary files differ)


Property changes on: php/php-src/trunk/ext/exif/tests/bug60150.jpg
___________________________________________________________________
Added: svn:mime-type
   + application/octet-stream

Added: php/php-src/trunk/ext/exif/tests/bug60150.phpt
===================================================================
--- php/php-src/trunk/ext/exif/tests/bug60150.phpt                              
(rev 0)
+++ php/php-src/trunk/ext/exif/tests/bug60150.phpt      2011-11-19 04:41:03 UTC 
(rev 319534)
@@ -0,0 +1,21 @@
+--TEST--
+Bug #34704 (Integer overflow during the parsing of invalid exif header)
+--SKIPIF--
+<?php if (!extension_loaded('exif')) print 'skip exif extension not 
available';?>
+--INI--
+output_handler=
+zlib.output_compression=0
+--FILE--
+<?php
+$infile = dirname(__FILE__).'/bug60150.jpg';
+var_dump(exif_read_data($infile));
+?>
+===DONE===
+--EXPECTF--
+Warning: exif_read_data(bug60150.jpg): Process tag(x9003=DateTimeOri): Illegal 
pointer offset(x%x + x%x = x%x > x%x) in %s on line %d
+
+Warning: exif_read_data(bug60150.jpg): Error reading from file: got=x%x(=%d) 
!= itemlen-%d=x%x(=%d) in %s on line %d
+
+Warning: exif_read_data(bug60150.jpg): Invalid JPEG file in %s on line %d
+bool(false)
+===DONE===


Property changes on: php/php-src/trunk/ext/exif/tests/bug60150.phpt
___________________________________________________________________
Added: svn:executable
   + *

-- 
PHP CVS Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Reply via email to