Skip to content

Instantly share code, notes, and snippets.

@nikic
Created Dec 13, 2019
Embed
What would you like to do?
commit a884097c34e29566264445ead4282955e7f87861
Author: Nikita Popov <nikita.ppv@gmail.com>
Date: Fri Dec 13 15:32:24 2019 +0100
Fix bug #78793
diff --git a/ext/exif/exif.c b/ext/exif/exif.c
index f961f44a46..fcd6cdf11e 100644
--- a/ext/exif/exif.c
+++ b/ext/exif/exif.c
@@ -3239,8 +3239,9 @@ static int exif_process_IFD_in_MAKERNOTE(image_info_type *ImageInfo, char * valu
}
for (de=0;de<NumDirEntries;de++) {
- if (!exif_process_IFD_TAG(ImageInfo, dir_start + 2 + 12 * de,
- offset_base, data_len, displacement, section_index, 0, maker_note->tag_table)) {
+ size_t offset = 2 + 12 * de;
+ if (!exif_process_IFD_TAG(ImageInfo, dir_start + offset,
+ offset_base, data_len - offset, displacement, section_index, 0, maker_note->tag_table)) {
return FALSE;
}
}
diff --git a/ext/exif/tests/bug78793.phpt b/ext/exif/tests/bug78793.phpt
new file mode 100644
index 0000000000..033f255ace
--- /dev/null
+++ b/ext/exif/tests/bug78793.phpt
@@ -0,0 +1,12 @@
+--TEST--
+Bug #78793: Use-after-free in exif parsing under memory sanitizer
+--FILE--
+<?php
+$f = "ext/exif/tests/bug77950.tiff";
+for ($i = 0; $i < 10; $i++) {
+ @exif_read_data($f);
+}
+?>
+===DONE===
+--EXPECT--
+===DONE===
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment