Patch for 72094
commit 082aecfc3a753ad03be82cf14f03ac065723ec92 | |
Author: Stanislav Malyshev <stas@php.net> | |
Date: Sun Apr 24 19:33:52 2016 -0700 | |
Fix bug #72094 - Out of bounds heap read access in exif header processing | |
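diff --git a/ext/exif/exif.c b/ext/exif/exif.c
index ff29fdd..f366acc 100644
--- a/ext/exif/exif.c
+++ b/ext/exif/exif.c
@@ -2965,7 +2965,7 @@ static int exif_process_IFD_TAG(image_info_type *ImageInfo, char *dir_entry, cha
 /* When there are any characters after the first NUL */
 ImageInfo->CopyrightPhotographer = estrdup(value_ptr);
 ImageInfo->CopyrightEditor = estrndup(value_ptr+length+1, byte_count-length-1);
-spprintf(&ImageInfo->Copyright, 0, "%s, %s", value_ptr, value_ptr+length+1);
+spprintf(&ImageInfo->Copyright, 0, "%s, %s", ImageInfo->CopyrightPhotographer, ImageInfo->CopyrightEditor);
 /* format = TAG_FMT_UNDEFINED; this musn't be ASCII */
 /* but we are not supposed to change this */
 /* keep in mind that image_info does not store editor value */
@@ -3134,6 +3134,11 @@ static int exif_process_IFD_in_JPEG(image_info_type *ImageInfo, char *dir_start,
 ImageInfo->sections_found |= FOUND_IFD0;
+if ((dir_start + 2) >= (offset_base+IFDlength)) {
+exif_error_docref("exif_read_data#error_ifd" EXIFERR_CC, ImageInfo, E_WARNING, "Illegal IFD size");
+return FALSE;
+}
+
 NumDirEntries = php_ifd_get16u(dir_start, ImageInfo->motorola_intel);
 if ((dir_start+2+NumDirEntries*12) > (offset_base+IFDlength)) {
@@ -3157,6 +3162,10 @@ static int exif_process_IFD_in_JPEG(image_info_type *ImageInfo, char *dir_start,
 * Hack to make it process IDF1 I hope
 * There are 2 IDFs, the second one holds the keys (0x0201 and 0x0202) to the thumbnail
 */
+if ((dir_start+2+12*de + 4) >= (offset_base+IFDlength)) {
+exif_error_docref("exif_read_data#error_ifd" EXIFERR_CC, ImageInfo, E_WARNING, "Illegal IFD size");
+return FALSE;
+}
 NextDirOffset = php_ifd_get32u(dir_start+2+12*de, ImageInfo->motorola_intel);
 if (NextDirOffset) {
 /* the next line seems false but here IFDlength means length of all IFDs */
@@ -3206,9 +3215,13 @@ static void exif_process_TIFF_in_JPEG(image_info_type *ImageInfo, char *CharBuf,
 }
 /* Check the next two values for correctness. */
+if (length < 8) {
+exif_error_docref(NULL EXIFERR_CC, ImageInfo, E_WARNING, "Invalid TIFF start (1)");
+return;
+}
 exif_value_2a = php_ifd_get16u(CharBuf+2, ImageInfo->motorola_intel);
 offset_of_ifd = php_ifd_get32u(CharBuf+4, ImageInfo->motorola_intel);
-if ( exif_value_2a != 0x2a || offset_of_ifd < 0x08) {
+if (exif_value_2a != 0x2a || offset_of_ifd < 0x08) {
 exif_error_docref(NULL EXIFERR_CC, ImageInfo, E_WARNING, "Invalid TIFF start (1)");
 return;
 }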
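Review bot: The two new IFD-size guards in exif_process_IFD_in_JPEG compare with `>=` while the pre-existing guard right below the first one (`(dir_start+2+NumDirEntries*12) > (offset_base+IFDlength)`) uses `>`; a 2-byte or 4-byte read whose last byte sits at `offset_base+IFDlength-1` is still in bounds, so `>=` rejects an IFD whose NextDirOffset field occupies the final four bytes of the TIFF block with "Illegal IFD size". Unless the stricter bound is intentional, `if ((dir_start+2+12*de + 4) > (offset_base+IFDlength)) {` (and likewise `if ((dir_start + 2) > (offset_base+IFDlength)) {` for the first guard) matches the neighbouring check and avoids that false positive while still preventing the out-of-bounds read. The new `length < 8` guard in exif_process_TIFF_in_JPEG correctly covers the 2-byte read at CharBuf+2 and the 4-byte read at CharBuf+4; whether the earlier read of the byte-order marker at CharBuf is guarded is not visible in this hunk. exif_process_IFD_in_JPEG begins before the second hunk and ends after the third, so the enclosing function is only partly visible here.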
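diff --git a/ext/exif/tests/bug72094.phpt b/ext/exif/tests/bug72094.phpt
new file mode 100644
index 0000000..17674d0
--- /dev/null
+++ b/ext/exif/tests/bug72094.phpt
@@ -0,0 +1,61 @@
+--TEST--
+Bug #72094: Out of bounds heap read access in exif header processing
+--SKIPIF--
+<?php if (!extension_loaded('exif')) print 'skip exif extension not available';?>
+--FILE--
+<?php
+print_r(exif_read_data(__DIR__ . '/bug72094_1.jpg'));
+print_r(exif_read_data(__DIR__ . '/bug72094_2.jpg'));
+print_r(exif_read_data(__DIR__ . '/bug72094_3.jpg'));
+print_r(exif_read_data(__DIR__ . '/bug72094_4.jpg'));
+?>
+DONE
+--EXPECTF--
+Warning: exif_read_data(bug72094_1.jpg): Process tag(x3030=UndefinedTa): Illegal format code 0x3030, suppose BYTE in %s/bug72094.php on line %d
+
+Warning: exif_read_data(bug72094_1.jpg): Process tag(x3030=UndefinedTa): Illegal format code 0x3030, suppose BYTE in %s/bug72094.php on line %d
+
+Warning: exif_read_data(bug72094_1.jpg): Process tag(x3030=UndefinedTa): Illegal format code 0x3030, suppose BYTE in %s/bug72094.php on line %d
+
+Warning: exif_read_data(bug72094_1.jpg): Process tag(x3030=UndefinedTa): Illegal format code 0x3030, suppose BYTE in %s/bug72094.php on line %d
+
+Warning: exif_read_data(bug72094_1.jpg): Process tag(x3030=UndefinedTa): Illegal format code 0x3030, suppose BYTE in %s/bug72094.php on line %d
+
+Warning: exif_read_data(bug72094_1.jpg): Process tag(x8298=Copyright ): Illegal format code 0x3030, suppose BYTE in %s/bug72094.php on line %d
+
+Warning: exif_read_data(bug72094_1.jpg): Illegal IFD offset in %s/bug72094.php on line %d
+
+Warning: exif_read_data(bug72094_1.jpg): File structure corrupted in %s/bug72094.php on line %d
+
+Warning: exif_read_data(bug72094_1.jpg): Invalid JPEG file in %s/bug72094.php on line %d
+
+Warning: exif_read_data(bug72094_2.jpg): Illegal IFD size in %s/bug72094.php on line %d
+
+Warning: exif_read_data(bug72094_2.jpg): File structure corrupted in %s/bug72094.php on line %d
+
+Warning: exif_read_data(bug72094_2.jpg): Invalid JPEG file in %s/bug72094.php on line %d
+
+Warning: exif_read_data(bug72094_3.jpg): Process tag(x3030=UndefinedTa): Illegal format code 0x3030, suppose BYTE in %s/bug72094.php on line %d
+
+Warning: exif_read_data(bug72094_3.jpg): Process tag(x3030=UndefinedTa): Illegal format code 0x3030, suppose BYTE in %s/bug72094.php on line %d
+
+Warning: exif_read_data(bug72094_3.jpg): Process tag(x3030=UndefinedTa): Illegal format code 0x3030, suppose BYTE in %s/bug72094.php on line %d
+
+Warning: exif_read_data(bug72094_3.jpg): Process tag(x3030=UndefinedTa): Illegal format code 0x3030, suppose BYTE in %s/bug72094.php on line %d
+
+Warning: exif_read_data(bug72094_3.jpg): Process tag(x3030=UndefinedTa): Illegal format code 0x3030, suppose BYTE in %s/bug72094.php on line %d
+
+Warning: exif_read_data(bug72094_3.jpg): Process tag(x3030=UndefinedTa): Illegal format code 0x3030, suppose BYTE in %s/bug72094.php on line %d
+
+Warning: exif_read_data(bug72094_3.jpg): Illegal IFD size in %s/bug72094.php on line %d
+
+Warning: exif_read_data(bug72094_3.jpg): File structure corrupted in %s/bug72094.php on line %d
+
+Warning: exif_read_data(bug72094_3.jpg): Invalid JPEG file in %s/bug72094.php on line %d
+
+Warning: exif_read_data(bug72094_4.jpg): Invalid TIFF start (1) in %s/bug72094.php on line %d
+
+Warning: exif_read_data(bug72094_4.jpg): File structure corrupted in %s/bug72094.php on line %d
+
+Warning: exif_read_data(bug72094_4.jpg): Invalid JPEG file in %s/bug72094.php on line %d
+DONE
\ No newline at end of file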
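Review bot: The test pins only the warning sequence: each `print_r(exif_read_data(...))` prints nothing when the call returns false (which the trailing "Invalid JPEG file" warnings for every fixture suggest is the case), so a regression that started returning a partial array would only be caught if the emitted warnings also changed. Replacing `print_r` with `var_dump` in the four calls would make the expected `bool(false)` lines explicit in the EXPECTF block and pin the return value as well.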
diff --git a/ext/exif/tests/bug72094_1.jpg b/ext/exif/tests/bug72094_1.jpg | |
new file mode 100644 | |
index 0000000..d21382b | |
Binary files /dev/null and b/ext/exif/tests/bug72094_1.jpg differ | |
diff --git a/ext/exif/tests/bug72094_2.jpg b/ext/exif/tests/bug72094_2.jpg | |
new file mode 100644 | |
index 0000000..ec414ce | |
Binary files /dev/null and b/ext/exif/tests/bug72094_2.jpg differ | |
diff --git a/ext/exif/tests/bug72094_3.jpg b/ext/exif/tests/bug72094_3.jpg | |
new file mode 100644 | |
index 0000000..8b05314 | |
Binary files /dev/null and b/ext/exif/tests/bug72094_3.jpg differ | |
diff --git a/ext/exif/tests/bug72094_4.jpg b/ext/exif/tests/bug72094_4.jpg | |
new file mode 100644 | |
index 0000000..ca6d453 | |
Binary files /dev/null and b/ext/exif/tests/bug72094_4.jpg differ |