commit 53cb7bf758cb1137239b069c5642ac00736bf787 | |
Author: Stanislav Malyshev <stas@php.net> | |
Date: Sun Jul 1 22:20:19 2018 -0700 | |
Fix bug #76557: heap-buffer-overflow (READ of size 48) while reading exif data | |
Use the MAKERNOTE value length, rather than the enclosing IFD length, as the data size bound when processing maker-note tags. | |
diff --git a/ext/exif/exif.c b/ext/exif/exif.c | |
index e535278fc9..0101f0b1ea 100644 | |
--- a/ext/exif/exif.c | |
+++ b/ext/exif/exif.c | |
@@ -2725,6 +2725,7 @@ static int exif_process_IFD_in_MAKERNOTE(image_info_type *ImageInfo, char * valu | |
int NumDirEntries, old_motorola_intel, offset_diff; | |
const maker_note_type *maker_note; | |
char *dir_start; | |
+ int data_len; | |
for (i=0; i<=sizeof(maker_note_array)/sizeof(maker_note_type); i++) { | |
if (i==sizeof(maker_note_array)/sizeof(maker_note_type)) { | |
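Review bot: The new `int data_len;` on the declaration line has no comment, yet in a later hunk it becomes the bound exif_process_IFD_TAG enforces for every maker-note tag, replacing IFDlength. A one-line note would save the next reader from working out which buffer it measures: `int data_len; /* bytes readable from offset_base; bound for tag values, not the outer IFD length */`. It is also declared without an initializer and only assigned inside the offset_mode switch further down, so any switch arm that misses the assignment hands an indeterminate bound to the tag loop. The enclosing function starts and ends outside this hunk.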
@@ -2779,6 +2780,7 @@ static int exif_process_IFD_in_MAKERNOTE(image_info_type *ImageInfo, char * valu | |
switch (maker_note->offset_mode) { | |
case MN_OFFSET_MAKER: | |
offset_base = value_ptr; | |
+ data_len = value_len; | |
break; | |
case MN_OFFSET_GUESS: | |
if (maker_note->offset + 10 + 4 >= value_len) { | |
@@ -2795,6 +2797,7 @@ static int exif_process_IFD_in_MAKERNOTE(image_info_type *ImageInfo, char * valu | |
return FALSE; | |
} | |
offset_base = value_ptr + offset_diff; | |
+ data_len = value_len - offset_diff; | |
break; | |
default: | |
case MN_OFFSET_NORMAL: | |
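Review bot: The `default:` / `case MN_OFFSET_NORMAL:` arm that closes this hunk is the one branch where no assignment to the new data_len is visible; its body lies past the end of the hunk. If that arm does not set the variable, the tag loop in the following hunk receives an uninitialized int as its bound, which is the same class of out-of-bounds read this commit is fixing, so it should get `data_len = value_len;` mirroring the MN_OFFSET_MAKER arm. The GUESS arm's `data_len = value_len - offset_diff;` is only non-negative if the check that ends in the `return FALSE;` just above it guarantees offset_diff does not exceed value_len; that condition is not visible here and is worth confirming, since a negative data_len would be reinterpreted downstream.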
@@ -2808,7 +2811,7 @@ static int exif_process_IFD_in_MAKERNOTE(image_info_type *ImageInfo, char * valu | |
for (de=0;de<NumDirEntries;de++) { | |
if (!exif_process_IFD_TAG(ImageInfo, dir_start + 2 + 12 * de, | |
- offset_base, IFDlength, displacement, section_index, 0, maker_note->tag_table TSRMLS_CC)) { | |
+ offset_base, data_len, displacement, section_index, 0, maker_note->tag_table TSRMLS_CC)) { | |
return FALSE; | |
} | |
} | |
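Review bot: Swapping `IFDlength` for `data_len` in the exif_process_IFD_TAG call is the actual fix, but it may leave IFDlength, which appears to be a parameter of exif_process_IFD_in_MAKERNOTE, unused in this function; if this was its only use, either drop it from the signature and the call site or add `(void)IFDlength;` so -Wunused-parameter builds stay clean. data_len is declared `int` while IFDlength was presumably an unsigned size, so a negative data_len would convert to a very large bound at this call unless exif_process_IFD_TAG rejects it; the arms that assign data_len are in the earlier hunks and the rest of the function body is outside this one.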
diff --git a/ext/exif/tests/bug76557.jpg b/ext/exif/tests/bug76557.jpg | |
new file mode 100644 | |
index 0000000000..d678f07c0f | |
Binary files /dev/null and b/ext/exif/tests/bug76557.jpg differ | |
diff --git a/ext/exif/tests/bug76557.phpt b/ext/exif/tests/bug76557.phpt | |
new file mode 100644 | |
index 0000000000..4553b62772 | |
--- /dev/null | |
+++ b/ext/exif/tests/bug76557.phpt | |
@@ -0,0 +1,79 @@ | |
+--TEST-- | |
+Bug 76557 (heap-buffer-overflow (READ of size 48) while reading exif data) | |
+--SKIPIF-- | |
+<?php if (!extension_loaded('exif')) print 'skip exif extension not available';?> | |
+--FILE-- | |
+<?php | |
+var_dump(count(exif_read_data(dirname(__FILE__) . "/bug76557.jpg"))); | |
+?> | |
+DONE | |
+--EXPECTF-- | |
+Warning: exif_read_data(bug76557.jpg): Process tag(x010F=Make ): Illegal format code 0x3030, suppose BYTE in %sbug76557.php on line %d | |
+ | |
+Warning: exif_read_data(bug76557.jpg): Process tag(x3030=UndefinedTa): Illegal format code 0x3030, suppose BYTE in %sbug76557.php on line %d | |
+ | |
+Warning: exif_read_data(bug76557.jpg): Process tag(x3030=UndefinedTa): Illegal format code 0x3030, suppose BYTE in %sbug76557.php on line %d | |
+ | |
+Warning: exif_read_data(bug76557.jpg): Process tag(x3030=UndefinedTa): Illegal format code 0x3030, suppose BYTE in %sbug76557.php on line %d | |
+ | |
+Warning: exif_read_data(bug76557.jpg): Process tag(x3030=UndefinedTa): Illegal format code 0x3030, suppose BYTE in %sbug76557.php on line %d | |
+ | |
+Warning: exif_read_data(bug76557.jpg): Process tag(x3030=UndefinedTa): Illegal format code 0x3030, suppose BYTE in %sbug76557.php on line %d | |
+ | |
+Warning: exif_read_data(bug76557.jpg): Process tag(x3030=UndefinedTa): Illegal format code 0x3030, suppose BYTE in %sbug76557.php on line %d | |
+ | |
+Warning: exif_read_data(bug76557.jpg): Process tag(x3030=UndefinedTa): Illegal format code 0x3030, suppose BYTE in %sbug76557.php on line %d | |
+ | |
+Warning: exif_read_data(bug76557.jpg): Process tag(x3030=UndefinedTa): Illegal format code 0x3030, suppose BYTE in %sbug76557.php on line %d | |
+ | |
+Warning: exif_read_data(bug76557.jpg): Process tag(x3030=UndefinedTa): Illegal format code 0x3030, suppose BYTE in %sbug76557.php on line %d | |
+ | |
+Warning: exif_read_data(bug76557.jpg): Process tag(x8769=Exif_IFD_Po): Illegal format code 0x3030, suppose BYTE in %sbug76557.php on line %d | |
+ | |
+Warning: exif_read_data(bug76557.jpg): Process tag(x3030=UndefinedTa): Illegal format code 0x3030, suppose BYTE in %sbug76557.php on line %d | |
+ | |
+Warning: exif_read_data(bug76557.jpg): Process tag(x3030=UndefinedTa): Illegal format code 0x3030, suppose BYTE in %sbug76557.php on line %d | |
+ | |
+Warning: exif_read_data(bug76557.jpg): Process tag(x3030=UndefinedTa): Illegal format code 0x3030, suppose BYTE in %sbug76557.php on line %d | |
+ | |
+Warning: exif_read_data(bug76557.jpg): Process tag(x3030=UndefinedTa): Illegal format code 0x3030, suppose BYTE in %sbug76557.php on line %d | |
+ | |
+Warning: exif_read_data(bug76557.jpg): Process tag(x3030=UndefinedTa): Illegal format code 0x3030, suppose BYTE in %sbug76557.php on line %d | |
+ | |
+Warning: exif_read_data(bug76557.jpg): Process tag(x3030=UndefinedTa): Illegal format code 0x3030, suppose BYTE in %sbug76557.php on line %d | |
+ | |
+Warning: exif_read_data(bug76557.jpg): Process tag(x3030=UndefinedTa): Illegal format code 0x3030, suppose BYTE in %sbug76557.php on line %d | |
+ | |
+Warning: exif_read_data(bug76557.jpg): Process tag(x3030=UndefinedTa): Illegal format code 0x3030, suppose BYTE in %sbug76557.php on line %d | |
+ | |
+Warning: exif_read_data(bug76557.jpg): Process tag(x3030=UndefinedTa): Illegal format code 0x3030, suppose BYTE in %sbug76557.php on line %d | |
+ | |
+Warning: exif_read_data(bug76557.jpg): Process tag(x3030=UndefinedTa): Illegal format code 0x3030, suppose BYTE in %sbug76557.php on line %d | |
+ | |
+Warning: exif_read_data(bug76557.jpg): Process tag(x3030=UndefinedTa): Illegal format code 0x3030, suppose BYTE in %sbug76557.php on line %d | |
+ | |
+Warning: exif_read_data(bug76557.jpg): Process tag(x3030=UndefinedTa): Illegal format code 0x3030, suppose BYTE in %sbug76557.php on line %d | |
+ | |
+Warning: exif_read_data(bug76557.jpg): Process tag(x3030=UndefinedTa): Illegal format code 0x3030, suppose BYTE in %sbug76557.php on line %d | |
+ | |
+Warning: exif_read_data(bug76557.jpg): Process tag(x3030=UndefinedTa): Illegal format code 0x3030, suppose BYTE in %sbug76557.php on line %d | |
+ | |
+Warning: exif_read_data(bug76557.jpg): Process tag(x3030=UndefinedTa): Illegal format code 0x3030, suppose BYTE in %sbug76557.php on line %d | |
+ | |
+Warning: exif_read_data(bug76557.jpg): Process tag(x3030=UndefinedTa): Illegal format code 0x3030, suppose BYTE in %sbug76557.php on line %d | |
+ | |
+Warning: exif_read_data(bug76557.jpg): Process tag(x927C=MakerNote ): Illegal format code 0x3030, suppose BYTE in %sbug76557.php on line %d | |
+ | |
+Warning: exif_read_data(bug76557.jpg): Process tag(x3030=UndefinedTa): Illegal format code 0x3030, suppose BYTE in %sbug76557.php on line %d | |
+ | |
+Warning: exif_read_data(bug76557.jpg): Process tag(x3030=UndefinedTa): Illegal format code 0x3030, suppose BYTE in %sbug76557.php on line %d | |
+ | |
+Warning: exif_read_data(bug76557.jpg): Process tag(x3030=UndefinedTa): Illegal format code 0x3030, suppose BYTE in %sbug76557.php on line %d | |
+ | |
+Warning: exif_read_data(bug76557.jpg): Process tag(x3030=UndefinedTa): Illegal pointer offset(x30303030 + x30303030 = x60606060 > x00EE) in %sbug76557.php on line %d | |
+ | |
+Warning: exif_read_data(bug76557.jpg): File structure corrupted in %sbug76557.php on line %d | |
+ | |
+Warning: exif_read_data(bug76557.jpg): Invalid JPEG file in %sbug76557.php on line %d | |
+int(1) | |
+DONE |