-
-
Save smalyshev/37b30041c1ca47225dd0993d1683097f to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
commit 25aa5f434dfb3337a6617b46224f1b505053d8e9 | |
Author: Stanislav Malyshev <stas@php.net> | |
Date: Fri Mar 1 23:25:45 2019 -0800 | |
Fix integer overflows on 32-bits | |
diff --git a/ext/exif/exif.c b/ext/exif/exif.c | |
index cbde3effed..b4563927a5 100644 | |
--- a/ext/exif/exif.c | |
+++ b/ext/exif/exif.c | |
@@ -3567,10 +3567,10 @@ static int exif_process_IFD_in_TIFF(image_info_type *ImageInfo, size_t dir_offse | |
tag_table_type tag_table = exif_get_tag_table(section_index); | |
if (ImageInfo->ifd_nesting_level > MAX_IFD_NESTING_LEVEL) { | |
- return FALSE; | |
- } | |
+ return FALSE; | |
+ } | |
- if (ImageInfo->FileSize >= dir_offset+2) { | |
+ if (ImageInfo->FileSize >= 2 && ImageInfo->FileSize - 2 >= dir_offset) { | |
sn = exif_file_sections_add(ImageInfo, M_PSEUDO, 2, NULL); | |
#ifdef EXIF_DEBUG | |
exif_error_docref(NULL EXIFERR_CC, ImageInfo, E_NOTICE, "Read from TIFF: filesize(x%04X), IFD dir(x%04X + x%04X)", ImageInfo->FileSize, dir_offset, 2); | |
@@ -3578,8 +3578,8 @@ static int exif_process_IFD_in_TIFF(image_info_type *ImageInfo, size_t dir_offse | |
php_stream_seek(ImageInfo->infile, dir_offset, SEEK_SET); /* we do not know the order of sections */ | |
php_stream_read(ImageInfo->infile, (char*)ImageInfo->file.list[sn].data, 2); | |
num_entries = php_ifd_get16u(ImageInfo->file.list[sn].data, ImageInfo->motorola_intel); | |
- dir_size = 2/*num dir entries*/ +12/*length of entry*/*num_entries +4/* offset to next ifd (points to thumbnail or NULL)*/; | |
- if (ImageInfo->FileSize >= dir_offset+dir_size) { | |
+ dir_size = 2/*num dir entries*/ +12/*length of entry*/*(size_t)num_entries +4/* offset to next ifd (points to thumbnail or NULL)*/; | |
+ if (ImageInfo->FileSize >= dir_size && ImageInfo->FileSize - dir_size >= dir_offset) { | |
#ifdef EXIF_DEBUG | |
exif_error_docref(NULL EXIFERR_CC, ImageInfo, E_NOTICE, "Read from TIFF: filesize(x%04X), IFD dir(x%04X + x%04X), IFD entries(%d)", ImageInfo->FileSize, dir_offset+2, dir_size-2, num_entries); | |
#endif | |
@@ -3662,9 +3662,9 @@ static int exif_process_IFD_in_TIFF(image_info_type *ImageInfo, size_t dir_offse | |
} | |
} | |
} | |
- if (ImageInfo->FileSize >= dir_offset + ImageInfo->file.list[sn].size) { | |
+ if (ImageInfo->FileSize >= ImageInfo->file.list[sn].size && ImageInfo->FileSize - ImageInfo->file.list[sn].size >= dir_offset) { | |
if (ifd_size > dir_size) { | |
- if (dir_offset + ifd_size > ImageInfo->FileSize) { | |
+ if (ImageInfo->FileSize < ifd_size || dir_offset > ImageInfo->FileSize - ifd_size) { | |
exif_error_docref(NULL EXIFERR_CC, ImageInfo, E_WARNING, "Error in TIFF: filesize(x%04X) less than size of IFD(x%04X + x%04X)", ImageInfo->FileSize, dir_offset, ifd_size); | |
return FALSE; | |
} |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment