commit d4553c8c76664a87b193799d3bbce7cadf67f855 | |
Author: Stanislav Malyshev <stas@php.net> | |
Date: Tue Jun 19 16:26:36 2018 -0700 | |
Fix bug #76423 - Int Overflow lead to Heap OverFlow in exif_thumbnail_extract of exif.c | |
diff --git a/ext/exif/exif.c b/ext/exif/exif.c | |
index e535278fc9..1147980f77 100644 | |
--- a/ext/exif/exif.c | |
+++ b/ext/exif/exif.c | |
@@ -2545,7 +2545,10 @@ static void exif_thumbnail_extract(image_info_type *ImageInfo, char *offset, siz | |
return; | |
} | |
/* Check to make sure we are not going to go past the ExifLength */ | |
- if ((ImageInfo->Thumbnail.offset + ImageInfo->Thumbnail.size) > length) { | |
+ if (ImageInfo->Thumbnail.size > length | |
+ || (ImageInfo->Thumbnail.offset + ImageInfo->Thumbnail.size) > length | |
+ || ImageInfo->Thumbnail.offset > length - ImageInfo->Thumbnail.size | |
+ ) { | |
EXIF_ERRLOG_THUMBEOF(ImageInfo) | |
return; | |
} | |
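Review bot: The middle clause, `(ImageInfo->Thumbnail.offset + ImageInfo->Thumbnail.size) > length`, still performs the addition that can wrap, and it is redundant next to the other two: once `size > length` is rejected, `length - size` cannot underflow and `offset > length - size` expresses the same bound without overflow. The condition can be reduced to `if (ImageInfo->Thumbnail.size > length || ImageInfo->Thumbnail.offset > length - ImageInfo->Thumbnail.size) {`. The field declarations are not in the hunk; if they are unsigned the leftover clause is only noise, but if either is signed the addition is undefined behaviour and the compiler may reason around it. A comment above the check such as `/* compare by subtraction: offset + size can wrap for values read from the file */` would keep a later cleanup from restoring the additive form. The body of exif_thumbnail_extract starts and ends outside the hunk.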
diff --git a/ext/exif/tests/bug76423.jpg b/ext/exif/tests/bug76423.jpg | |
new file mode 100644 | |
index 0000000000..08fe2bbc57 | |
Binary files /dev/null and b/ext/exif/tests/bug76423.jpg differ | |
diff --git a/ext/exif/tests/bug76423.phpt b/ext/exif/tests/bug76423.phpt | |
new file mode 100644 | |
index 0000000000..4c8cd45dc9 | |
--- /dev/null | |
+++ b/ext/exif/tests/bug76423.phpt | |
@@ -0,0 +1,19 @@ | |
+--TEST-- | |
+Bug #76423 (Int Overflow lead to Heap OverFlow in exif_thumbnail_extract of exif.c) | |
+--SKIPIF-- | |
+<?php | |
+if (!extension_loaded('exif')) die('skip exif extension not available'); | |
+?> | |
+--FILE-- | |
+<?php | |
+exif_read_data(__DIR__ . '/bug76423.jpg', 0, true, true); | |
+?> | |
+===DONE=== | |
+--EXPECTF-- | |
+ | |
+Warning: exif_read_data(%s.jpg): Thumbnail goes IFD boundary or end of file reached in %s on line %d | |
+ | |
+Warning: exif_read_data(%s.jpg): File structure corrupted in %s on line %d | |
+ | |
+Warning: exif_read_data(%s.jpg): Invalid JPEG file in %s on line %d | |
+===DONE=== |
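Review bot: The test does not record which thumbnail offset/size combination the binary fixture carries, so a reader cannot tell from the `.phpt` whether it exercises the wrapping sum or only an oversized thumbnail. A `--DESCRIPTION--` section stating the intended condition (presumably a thumbnail offset and size whose sum wraps past the EXIF section length, going by the bug title) would make the regression target explicit. The expectation itself is just the three warnings, which also pass if the file is rejected for an unrelated reason, so the description matters more here than usual.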