stas Sat, 19 Nov 2011 04:49:36 +0000 Revision: http://svn.php.net/viewvc?view=revision&revision=319535
Log: fix bug #60150 for 5.3 too Bug: https://bugs.php.net/60150 (Closed) Integer overflow during the parsing of invalid exif header Changed paths: U php/php-src/branches/PHP_5_3/NEWS U php/php-src/branches/PHP_5_3/ext/exif/exif.c A php/php-src/branches/PHP_5_3/ext/exif/tests/bug60150.jpg A php/php-src/branches/PHP_5_3/ext/exif/tests/bug60150.phpt Modified: php/php-src/branches/PHP_5_3/NEWS =================================================================== --- php/php-src/branches/PHP_5_3/NEWS 2011-11-19 04:41:03 UTC (rev 319534) +++ php/php-src/branches/PHP_5_3/NEWS 2011-11-19 04:49:36 UTC (rev 319535) @@ -16,6 +16,10 @@ . Enhance error log when the primary script can't be open. FR #60199. (fat) . Added .phar to default authorized extensions. (fat) +- EXIF: + . Fixed bu #60150 (Integer overflow during the parsing of invalid exif + header). (Stas, flolechaud at gmail dot com) + - Intl: . Fixed bug #60192 (SegFault when Collator not constructed properly). (Florian) Modified: php/php-src/branches/PHP_5_3/ext/exif/exif.c =================================================================== --- php/php-src/branches/PHP_5_3/ext/exif/exif.c 2011-11-19 04:41:03 UTC (rev 319534) +++ php/php-src/branches/PHP_5_3/ext/exif/exif.c 2011-11-19 04:49:36 UTC (rev 319535) @@ -2874,11 +2874,11 @@ offset_val = php_ifd_get32u(dir_entry+8, ImageInfo->motorola_intel); /* If its bigger than 4 bytes, the dir entry contains an offset. */ value_ptr = offset_base+offset_val; - if (offset_val+byte_count > IFDlength || value_ptr < dir_entry) { + if (byte_count > IFDlength || offset_val > IFDlength-byte_count || value_ptr < dir_entry) { /* It is important to check for IMAGE_FILETYPE_TIFF * JPEG does not use absolute pointers instead its pointers are * relative to the start of the TIFF header in APP1 section. */ - if (offset_val+byte_count>ImageInfo->FileSize || (ImageInfo->FileType!=IMAGE_FILETYPE_TIFF_II && ImageInfo->FileType!=IMAGE_FILETYPE_TIFF_MM && ImageInfo->FileType!=IMAGE_FILETYPE_JPEG)) { + if (byte_count > ImageInfo->FileSize || offset_val>ImageInfo->FileSize-byte_count || (ImageInfo->FileType!=IMAGE_FILETYPE_TIFF_II && ImageInfo->FileType!=IMAGE_FILETYPE_TIFF_MM && ImageInfo->FileType!=IMAGE_FILETYPE_JPEG)) { if (value_ptr < dir_entry) { /* we can read this if offset_val > 0 */ /* some files have their values in other parts of the file */ Added: php/php-src/branches/PHP_5_3/ext/exif/tests/bug60150.jpg =================================================================== (Binary files differ) Property changes on: php/php-src/branches/PHP_5_3/ext/exif/tests/bug60150.jpg ___________________________________________________________________ Added: svn:mime-type + application/octet-stream Added: php/php-src/branches/PHP_5_3/ext/exif/tests/bug60150.phpt =================================================================== --- php/php-src/branches/PHP_5_3/ext/exif/tests/bug60150.phpt (rev 0) +++ php/php-src/branches/PHP_5_3/ext/exif/tests/bug60150.phpt 2011-11-19 04:49:36 UTC (rev 319535) @@ -0,0 +1,21 @@ +--TEST-- +Bug #60150 (Integer overflow during the parsing of invalid exif header) +--SKIPIF-- +<?php if (!extension_loaded('exif')) print 'skip exif extension not available';?> +--INI-- +output_handler= +zlib.output_compression=0 +--FILE-- +<?php +$infile = dirname(__FILE__).'/bug60150.jpg'; +var_dump(exif_read_data($infile)); +?> +===DONE=== +--EXPECTF-- +Warning: exif_read_data(bug60150.jpg): Process tag(x9003=DateTimeOri): Illegal pointer offset(x%x + x%x = x%x > x%x) in %s on line %d + +Warning: exif_read_data(bug60150.jpg): Error reading from file: got=x%x(=%d) != itemlen-%d=x%x(=%d) in %s on line %d + +Warning: exif_read_data(bug60150.jpg): Invalid JPEG file in %s on line %d +bool(false) +===DONE=== Property changes on: php/php-src/branches/PHP_5_3/ext/exif/tests/bug60150.phpt ___________________________________________________________________ Added: svn:executable + *
-- PHP CVS Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php