/72603.diff Secret
Created Jul 17, 2016

Patch for 72603
commit eebcbd5de38a0f1c2876035402cb770e37476519
Author: Stanislav Malyshev <stas@php.net>
Date: Sun Jul 17 16:34:21 2016 -0700
Fix bug #72603: Out of bound read in exif_process_IFD_in_MAKERNOTE
diff --git a/ext/exif/exif.c b/ext/exif/exif.c
index f366acc..760e746 100644
--- a/ext/exif/exif.c
+++ b/ext/exif/exif.c
@@ -2742,6 +2742,12 @@ static int exif_process_IFD_in_MAKERNOTE(image_info_type *ImageInfo, char * valu
break;
}
+ if (maker_note->offset >= value_len) {
+ /* Do not go past the value end */
+ exif_error_docref("exif_read_data#error_ifd" EXIFERR_CC, ImageInfo, E_WARNING, "IFD data too short: 0x%04X offset 0x%04X", value_len, maker_note->offset);
+ return FALSE;
+ }
+
dir_start = value_ptr + maker_note->offset;
#ifdef EXIF_DEBUG
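Review bot: The new guard `if (maker_note->offset >= value_len)` only proves that the first byte at dir_start lies inside the value; the first use of dir_start after this hunk is, as far as I recall of exif.c, a 16-bit read of the entry count, so offset == value_len - 1 still over-reads by one byte. `if (maker_note->offset + 2 > value_len)` would cover that read exactly, and the MN_OFFSET_GUESS case keeps its own separate guard in the next hunk. This assumes maker_note->offset is non-negative, which holds if it comes from the static maker-note table as elsewhere in exif.c rather than from the file. exif_process_IFD_in_MAKERNOTE starts before and ends after this hunk.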
@@ -2770,10 +2776,19 @@ static int exif_process_IFD_in_MAKERNOTE(image_info_type *ImageInfo, char * valu
offset_base = value_ptr;
break;
case MN_OFFSET_GUESS:
+ if (maker_note->offset + 10 + 4 >= value_len) {
+ /* Can not read dir_start+10 since it's beyond value end */
+ exif_error_docref("exif_read_data#error_ifd" EXIFERR_CC, ImageInfo, E_WARNING, "IFD data too short: 0x%04X", value_len);
+ return FALSE;
+ }
offset_diff = 2 + NumDirEntries*12 + 4 - php_ifd_get32u(dir_start+10, ImageInfo->motorola_intel);
#ifdef EXIF_DEBUG
exif_error_docref(NULL EXIFERR_CC, ImageInfo, E_NOTICE, "Using automatic offset correction: 0x%04X", ((int)dir_start-(int)offset_base+maker_note->offset+displacement) + offset_diff);
#endif
+ if (offset_diff < 0 || offset_diff >= value_len ) {
+ exif_error_docref("exif_read_data#error_ifd" EXIFERR_CC, ImageInfo, E_WARNING, "IFD data bad offset: 0x%04X length 0x%04X", offset_diff, value_len);
+ return FALSE;
+ }
offset_base = value_ptr + offset_diff;
break;
default:
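Review bot: The guard `if (maker_note->offset + 10 + 4 >= value_len)` is one byte stricter than the read it protects: php_ifd_get32u(dir_start+10, ...) touches bytes offset+10 through offset+13, so the exact condition is `if (maker_note->offset + 14 > value_len)`, and as written a maker note whose guess word ends exactly at the end of the value is rejected with a spurious warning. Harmless for memory safety, but it rejects well-formed data. Separately, the `offset_diff < 0 || offset_diff >= value_len` check only pins offset_base itself inside the value; the per-entry value offsets later added to offset_base are presumably bounded against the outer IFDlength rather than value_len, which cannot be confirmed from this hunk and deserves a look. Note too that if php_ifd_get32u returns unsigned, the subtraction on the next line is unsigned and the negative check relies on the implementation-defined int conversion. The enclosing function continues outside the hunk.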
@@ -2782,7 +2797,7 @@ static int exif_process_IFD_in_MAKERNOTE(image_info_type *ImageInfo, char * valu
}
if ((2+NumDirEntries*12) > value_len) {
- exif_error_docref("exif_read_data#error_ifd" EXIFERR_CC, ImageInfo, E_WARNING, "Illegal IFD size: 2 + x%04X*12 = x%04X > x%04X", NumDirEntries, 2+NumDirEntries*12, value_len);
+ exif_error_docref("exif_read_data#error_ifd" EXIFERR_CC, ImageInfo, E_WARNING, "Illegal IFD size: 2 + 0x%04X*12 = 0x%04X > 0x%04X", NumDirEntries, 2+NumDirEntries*12, value_len);
return FALSE;
}
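Review bot: The size check `if ((2+NumDirEntries*12) > value_len)` kept on the new side measures the directory from value_ptr, but the entries are read from dir_start = value_ptr + maker_note->offset (set in the first hunk), so a directory that fits within value_len yet starts at a non-zero offset can still run up to maker_note->offset bytes past the end of the value. The bound should include the start offset: `if (maker_note->offset + 2 + NumDirEntries*12 > value_len)`; if NumDirEntries comes from a 16-bit read as I expect, the sum cannot overflow an int. The `0x%04X` message fix in this hunk is fine on its own. The function starts before and ends after the hunk.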
@@ -3068,7 +3083,10 @@ static int exif_process_IFD_TAG(image_info_type *ImageInfo, char *dir_entry, cha
break;
case TAG_MAKER_NOTE:
- exif_process_IFD_in_MAKERNOTE(ImageInfo, value_ptr, byte_count, offset_base, IFDlength, displacement TSRMLS_CC);
+ if (!exif_process_IFD_in_MAKERNOTE(ImageInfo, value_ptr, byte_count, offset_base, IFDlength, displacement TSRMLS_CC)) {
+ EFREE_IF(outside);
+ return FALSE;
+ }
break;
case TAG_EXIF_IFD_POINTER:
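Review bot: Turning a failed exif_process_IFD_in_MAKERNOTE into `return FALSE` from exif_process_IFD_TAG changes the failure mode from "skip the maker note" to "abort the rest of this IFD": before this change the return value was ignored, so a vendor-specific, best-effort section could not stop the remaining EXIF tags from being read. The new guards fire on data that is merely truncated or that MN_OFFSET_GUESS misjudges, so files with odd but harmless maker notes that previously parsed may now fail, as far as can be judged from here. If the stricter behaviour is intended, a comment such as `/* A maker note that fails validation aborts this IFD; do not continue on an unverified offset base */` would record the decision, otherwise an E_WARNING followed by `break` keeps the maker note optional. The switch and exif_process_IFD_TAG extend beyond this hunk.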
diff --git a/ext/exif/tests/bug72603.jpeg b/ext/exif/tests/bug72603.jpeg
new file mode 100644
index 0000000..1764c80
Binary files /dev/null and b/ext/exif/tests/bug72603.jpeg differ
diff --git a/ext/exif/tests/bug72603.phpt b/ext/exif/tests/bug72603.phpt
new file mode 100644
index 0000000..a4295f9
--- /dev/null
+++ b/ext/exif/tests/bug72603.phpt
@@ -0,0 +1,11 @@
+--TEST--
+Bug #72603 (Out of bound read in exif_process_IFD_in_MAKERNOTE)
+--SKIPIF--
+<?php if (!extension_loaded('exif')) print 'skip exif extension not available';?>
+--FILE--
+<?php
+var_dump(count(exif_read_data(dirname(__FILE__) . "/bug72603.jpeg")));
+?>
+--EXPECTF--
+Warning: exif_read_data(bug72603.jpeg): IFD data bad offset: 0x058C length 0x001C in %s/bug72603.php on line %d
+int(13)
\ No newline at end of file
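Review bot: The new test pins only the MN_OFFSET_GUESS path (the expected warning is "IFD data bad offset"), so the other two guards introduced by this commit, the offset >= value_len check and the offset + 10 + 4 check, have no regression coverage. Two more fixtures, one whose maker-note offset lies at or past the value end and one whose value is too short for the 32-bit read at dir_start+10, each expecting an "IFD data too short" warning, would cover them. The `int(13)` expectation also documents that exif_read_data still returns the remaining tags after the maker note is rejected, which is worth a one-line comment in the test so a future change to that behaviour is deliberate.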