-
-
Save smalyshev/4fb847b0da0a387f651aa393f1d22a96 to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
commit b079e1b50d8d0316f600477c5da55c81bb08b55f | |
Author: Stanislav Malyshev <stas@php.net> | |
Date: Sat Mar 2 13:38:00 2019 -0800 | |
Fix bug #77540 - Invalid Read on exif_process_SOFn | |
diff --git a/ext/exif/exif.c b/ext/exif/exif.c | |
index b4563927a5..ea88a8f115 100644 | |
--- a/ext/exif/exif.c | |
+++ b/ext/exif/exif.c | |
@@ -3509,7 +3509,7 @@ static int exif_scan_thumbnail(image_info_type *ImageInfo) | |
return FALSE; | |
marker = c; | |
length = php_jpg_get16(data+pos); | |
- if (pos+length>=ImageInfo->Thumbnail.size) { | |
+ if (length > ImageInfo->Thumbnail.size || pos >= ImageInfo->Thumbnail.size - length) { | |
return FALSE; | |
} | |
#ifdef EXIF_DEBUG | |
@@ -3530,6 +3530,10 @@ static int exif_scan_thumbnail(image_info_type *ImageInfo) | |
case M_SOF14: | |
case M_SOF15: | |
/* handle SOFn block */ | |
+ if (length < 8 || ImageInfo->Thumbnail.size - 8 < pos) { | |
+ /* exif_process_SOFn needs 8 bytes */ | |
+ return FALSE; | |
+ } | |
exif_process_SOFn(data+pos, marker, &sof_info); | |
ImageInfo->Thumbnail.height = sof_info.height; | |
ImageInfo->Thumbnail.width = sof_info.width; | |
@@ -4177,7 +4181,9 @@ PHP_FUNCTION(exif_thumbnail) | |
ZVAL_STRINGL(return_value, ImageInfo.Thumbnail.data, ImageInfo.Thumbnail.size); | |
if (arg_c >= 3) { | |
if (!ImageInfo.Thumbnail.width || !ImageInfo.Thumbnail.height) { | |
- exif_scan_thumbnail(&ImageInfo); | |
+ if (!exif_scan_thumbnail(&ImageInfo)) { | |
+ ImageInfo.Thumbnail.width = ImageInfo.Thumbnail.height = 0; | |
+ } | |
} | |
zval_dtor(p_width); | |
zval_dtor(p_height); | |
diff --git a/ext/exif/tests/bug77540.jpg b/ext/exif/tests/bug77540.jpg | |
new file mode 100644 | |
index 0000000000..559022db0e | |
Binary files /dev/null and b/ext/exif/tests/bug77540.jpg differ | |
diff --git a/ext/exif/tests/bug77540.phpt b/ext/exif/tests/bug77540.phpt | |
new file mode 100644 | |
index 0000000000..a284e1f263 | |
--- /dev/null | |
+++ b/ext/exif/tests/bug77540.phpt | |
@@ -0,0 +1,16 @@ | |
+--TEST-- | |
+Bug 77540 (Invalid Read on exif_process_SOFn) | |
+--SKIPIF-- | |
+<?php if (!extension_loaded('exif')) print 'skip exif extension not available';?> | |
+--FILE-- | |
+<?php | |
+$width = $height = 42; | |
+$s = exif_thumbnail(__DIR__."/bug77540.jpg", $width, $height); | |
+echo "Width ".$width."\n"; | |
+echo "Height ".$height."\n"; | |
+?> | |
+DONE | |
+--EXPECTF-- | |
+Width 0 | |
+Height 0 | |
+DONE | |
\ No newline at end of file |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment