Skip to content

Instantly share code, notes, and snippets.

@smalyshev

smalyshev/77540.diff Secret

Created Mar 2, 2019
Embed
What would you like to do?
commit b079e1b50d8d0316f600477c5da55c81bb08b55f
Author: Stanislav Malyshev <stas@php.net>
Date: Sat Mar 2 13:38:00 2019 -0800
Fix bug #77540 - Invalid Read on exif_process_SOFn
diff --git a/ext/exif/exif.c b/ext/exif/exif.c
index b4563927a5..ea88a8f115 100644
--- a/ext/exif/exif.c
+++ b/ext/exif/exif.c
@@ -3509,7 +3509,7 @@ static int exif_scan_thumbnail(image_info_type *ImageInfo)
return FALSE;
marker = c;
length = php_jpg_get16(data+pos);
- if (pos+length>=ImageInfo->Thumbnail.size) {
+ if (length > ImageInfo->Thumbnail.size || pos >= ImageInfo->Thumbnail.size - length) {
return FALSE;
}
#ifdef EXIF_DEBUG
@@ -3530,6 +3530,10 @@ static int exif_scan_thumbnail(image_info_type *ImageInfo)
case M_SOF14:
case M_SOF15:
/* handle SOFn block */
+ if (length < 8 || ImageInfo->Thumbnail.size - 8 < pos) {
+ /* exif_process_SOFn needs 8 bytes */
+ return FALSE;
+ }
exif_process_SOFn(data+pos, marker, &sof_info);
ImageInfo->Thumbnail.height = sof_info.height;
ImageInfo->Thumbnail.width = sof_info.width;
@@ -4177,7 +4181,9 @@ PHP_FUNCTION(exif_thumbnail)
ZVAL_STRINGL(return_value, ImageInfo.Thumbnail.data, ImageInfo.Thumbnail.size);
if (arg_c >= 3) {
if (!ImageInfo.Thumbnail.width || !ImageInfo.Thumbnail.height) {
- exif_scan_thumbnail(&ImageInfo);
+ if (!exif_scan_thumbnail(&ImageInfo)) {
+ ImageInfo.Thumbnail.width = ImageInfo.Thumbnail.height = 0;
+ }
}
zval_dtor(p_width);
zval_dtor(p_height);
diff --git a/ext/exif/tests/bug77540.jpg b/ext/exif/tests/bug77540.jpg
new file mode 100644
index 0000000000..559022db0e
Binary files /dev/null and b/ext/exif/tests/bug77540.jpg differ
diff --git a/ext/exif/tests/bug77540.phpt b/ext/exif/tests/bug77540.phpt
new file mode 100644
index 0000000000..a284e1f263
--- /dev/null
+++ b/ext/exif/tests/bug77540.phpt
@@ -0,0 +1,16 @@
+--TEST--
+Bug 77540 (Invalid Read on exif_process_SOFn)
+--SKIPIF--
+<?php if (!extension_loaded('exif')) print 'skip exif extension not available';?>
+--FILE--
+<?php
+$width = $height = 42;
+$s = exif_thumbnail(__DIR__."/bug77540.jpg", $width, $height);
+echo "Width ".$width."\n";
+echo "Height ".$height."\n";
+?>
+DONE
+--EXPECTF--
+Width 0
+Height 0
+DONE
\ No newline at end of file
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment