Commit:    e59b6dc0ae803d49c3f620818285f98dfb61fd57
Author:    Felipe Pena <felipe...@gmail.com>         Sun, 3 Jun 2012 15:23:07 
-0300
Parents:   167e2fd78224887144496cdec2089cd5b2f3312d
Branches:  PHP-5.3 PHP-5.4 master

Link:       
http://git.php.net/?p=php-src.git;a=commitdiff;h=e59b6dc0ae803d49c3f620818285f98dfb61fd57

Log:
- Fixed information leak in ext exif (discovered by Martin Noga, Matthew 
"j00ru" Jurczyk, Gynvael Coldwind)

Changed paths:
  M  ext/exif/exif.c


Diff:
diff --git a/ext/exif/exif.c b/ext/exif/exif.c
index 9468c23..604010b 100644
--- a/ext/exif/exif.c
+++ b/ext/exif/exif.c
@@ -3278,7 +3278,7 @@ static void exif_process_APP12(image_info_type 
*ImageInfo, char *buffer, size_t
        if ((l1 = php_strnlen(buffer+2, length-2)) > 0) {
                exif_iif_add_tag(ImageInfo, SECTION_APP12, "Company", TAG_NONE, 
TAG_FMT_STRING, l1, buffer+2 TSRMLS_CC);
                if (length > 2+l1+1) {
-                       l2 = php_strnlen(buffer+2+l1+1, length-2-l1+1);
+                       l2 = php_strnlen(buffer+2+l1+1, length-2-l1-1);
                        exif_iif_add_tag(ImageInfo, SECTION_APP12, "Info", 
TAG_NONE, TAG_FMT_STRING, l2, buffer+2+l1+1 TSRMLS_CC);
                }
        }
@@ -3428,6 +3428,10 @@ static int exif_scan_JPEG_header(image_info_type 
*ImageInfo TSRMLS_DC)
                        case M_SOF13:
                        case M_SOF14:
                        case M_SOF15:
+                               if ((itemlen - 2) < 6) {
+                                       return FALSE;
+                               }
+               
                                exif_process_SOFn(Data, marker, &sof_info);
                                ImageInfo->Width  = sof_info.width;
                                ImageInfo->Height = sof_info.height;


--
PHP CVS Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Reply via email to