@smalyshev smalyshev/77540.diff Secret
Created Mar 2, 2019

commit b079e1b50d8d0316f600477c5da55c81bb08b55f
Author: Stanislav Malyshev <stas@php.net>
Date: Sat Mar 2 13:38:00 2019 -0800
Fix bug #77540 - Invalid Read on exif_process_SOFn
diff --git a/ext/exif/exif.c b/ext/exif/exif.c
index b4563927a5..ea88a8f115 100644
--- a/ext/exif/exif.c
+++ b/ext/exif/exif.c
@@ -3509,7 +3509,7 @@ static int exif_scan_thumbnail(image_info_type *ImageInfo)
return FALSE;
marker = c;
length = php_jpg_get16(data+pos);
- if (pos+length>=ImageInfo->Thumbnail.size) {
+ if (length > ImageInfo->Thumbnail.size || pos >= ImageInfo->Thumbnail.size - length) {
return FALSE;
}
#ifdef EXIF_DEBUG
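Review bot: The 16-bit length is fetched with `php_jpg_get16(data+pos)` before any check in this hunk runs, so the new comparison validates `length` only after two bytes at `pos` have already been read. Whether an earlier check guarantees `pos + 2 <= ImageInfo->Thumbnail.size` is not visible here, because the scan loop begins outside the hunk. If nothing does, a guard such as `if (ImageInfo->Thumbnail.size < 2 || pos > ImageInfo->Thumbnail.size - 2) return FALSE;` should precede the read. The rewritten comparison itself avoids the wrap-around of `pos+length`; a short comment saying so, e.g. `/* compare without pos+length so the sum cannot wrap */`, would keep it from being simplified back later.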
@@ -3530,6 +3530,10 @@ static int exif_scan_thumbnail(image_info_type *ImageInfo)
case M_SOF14:
case M_SOF15:
/* handle SOFn block */
+ if (length < 8 || ImageInfo->Thumbnail.size - 8 < pos) {
+ /* exif_process_SOFn needs 8 bytes */
+ return FALSE;
+ }
exif_process_SOFn(data+pos, marker, &sof_info);
ImageInfo->Thumbnail.height = sof_info.height;
ImageInfo->Thumbnail.width = sof_info.width;
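Review bot: `ImageInfo->Thumbnail.size - 8` in the added guard is safe from wrap-around only because the length check earlier in the loop has already established `length <= Thumbnail.size`, and `length >= 8` is tested first here. Assuming the size field is unsigned (its declaration is outside the hunk), that dependency is worth stating so the two checks are not reordered or separated later. I would extend the comment to `/* exif_process_SOFn reads 8 bytes at data+pos; size >= length >= 8 holds after the length check above, so size - 8 cannot wrap */`. The switch and the rest of exif_scan_thumbnail lie outside the hunk.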
@@ -4177,7 +4181,9 @@ PHP_FUNCTION(exif_thumbnail)
ZVAL_STRINGL(return_value, ImageInfo.Thumbnail.data, ImageInfo.Thumbnail.size);
if (arg_c >= 3) {
if (!ImageInfo.Thumbnail.width || !ImageInfo.Thumbnail.height) {
- exif_scan_thumbnail(&ImageInfo);
+ if (!exif_scan_thumbnail(&ImageInfo)) {
+ ImageInfo.Thumbnail.width = ImageInfo.Thumbnail.height = 0;
+ }
}
zval_dtor(p_width);
zval_dtor(p_height);
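Review bot: When the scan fails, the thumbnail bytes have already been placed in `return_value` by the `ZVAL_STRINGL` line above, so the caller still receives data from a thumbnail that did not parse, together with 0x0 dimensions. That may well be the intended contract, but it should be written down next to the reset: `/* scan failed: thumbnail is malformed or truncated; report 0x0 so callers can tell the dimensions are unknown */`. The function body extends beyond the hunk on both sides.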
diff --git a/ext/exif/tests/bug77540.jpg b/ext/exif/tests/bug77540.jpg
new file mode 100644
index 0000000000..559022db0e
Binary files /dev/null and b/ext/exif/tests/bug77540.jpg differ
diff --git a/ext/exif/tests/bug77540.phpt b/ext/exif/tests/bug77540.phpt
new file mode 100644
index 0000000000..a284e1f263
--- /dev/null
+++ b/ext/exif/tests/bug77540.phpt
@@ -0,0 +1,16 @@
+--TEST--
+Bug 77540 (Invalid Read on exif_process_SOFn)
+--SKIPIF--
+<?php if (!extension_loaded('exif')) print 'skip exif extension not available';?>
+--FILE--
+<?php
+$width = $height = 42;
+$s = exif_thumbnail(__DIR__."/bug77540.jpg", $width, $height);
+echo "Width ".$width."\n";
+echo "Height ".$height."\n";
+?>
+DONE
+--EXPECTF--
+Width 0
+Height 0
+DONE
\ No newline at end of file
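Review bot: The expectation pins only the final width and height, which come out as 0 whichever of the new checks in exif_scan_thumbnail rejects the file, so the test does not show which bounds check the sample exercises (the .jpg is binary and cannot be inspected here). A one-line comment in the `--FILE--` section describing how bug77540.jpg is malformed would make the regression easier to maintain. Since the expected output contains no format placeholders, `--EXPECT--` would do in place of `--EXPECTF--`.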