76423.diff

commit d4553c8c76664a87b193799d3bbce7cadf67f855
Author: Stanislav Malyshev <stas@php.net>
Date:   Tue Jun 19 16:26:36 2018 -0700

    Fix bug #76423 - Int Overflow lead to Heap OverFlow in exif_thumbnail_extract of exif.c

diff --git a/ext/exif/exif.c b/ext/exif/exif.c
index e535278fc9..1147980f77 100644
--- a/ext/exif/exif.c
+++ b/ext/exif/exif.c
@@ -2545,7 +2545,10 @@ static void exif_thumbnail_extract(image_info_type *ImageInfo, char *offset, siz
 		return;
 	}
 	/* Check to make sure we are not going to go past the ExifLength */
-	if ((ImageInfo->Thumbnail.offset + ImageInfo->Thumbnail.size) > length) {
+	if (ImageInfo->Thumbnail.size > length
+		|| (ImageInfo->Thumbnail.offset + ImageInfo->Thumbnail.size) > length
+		|| ImageInfo->Thumbnail.offset > length - ImageInfo->Thumbnail.size
+	) {
 		EXIF_ERRLOG_THUMBEOF(ImageInfo)
 		return;
 	}
diff --git a/ext/exif/tests/bug76423.jpg b/ext/exif/tests/bug76423.jpg
new file mode 100644
index 0000000000..08fe2bbc57
Binary files /dev/null and b/ext/exif/tests/bug76423.jpg differ
diff --git a/ext/exif/tests/bug76423.phpt b/ext/exif/tests/bug76423.phpt
new file mode 100644
index 0000000000..4c8cd45dc9
--- /dev/null
+++ b/ext/exif/tests/bug76423.phpt
@@ -0,0 +1,19 @@
+--TEST--
+Bug #76423 (Int Overflow lead to Heap OverFlow in exif_thumbnail_extract of exif.c)
+--SKIPIF--
+<?php
+if (!extension_loaded('exif')) die('skip exif extension not available');
+?>
+--FILE--
+<?php
+exif_read_data(__DIR__ . '/bug76423.jpg', 0, true, true);
+?>
+===DONE===
+--EXPECTF--
+
+Warning: exif_read_data(%s.jpg): Thumbnail goes IFD boundary or end of file reached in %s on line %d
+
+Warning: exif_read_data(%s.jpg): File structure corrupted in %s on line %d
+
+Warning: exif_read_data(%s.jpg): Invalid JPEG file in %s on line %d
+===DONE===

Xong