Skip to content

Instantly share code, notes, and snippets.

@smalyshev

smalyshev/71459.diff Secret

Created January 27, 2016 01:32
Show Gist options
  • Star 0 You must be signed in to star a gist
  • Fork 0 You must be signed in to fork a gist
  • Save smalyshev/a3519b7fdd5f6efeeea4 to your computer and use it in GitHub Desktop.
Save smalyshev/a3519b7fdd5f6efeeea4 to your computer and use it in GitHub Desktop.
Download ZIP
Raw
71459.diff
commit f379142d66885cae8b13db884ff76fe398421884
Author: Stanislav Malyshev <stas@php.net>
Date: Tue Jan 26 17:26:52 2016 -0800
Fix bug #71459 - Integer overflow in iptcembed()
diff --git a/ext/standard/iptc.c b/ext/standard/iptc.c
index a354706..b10d844 100644
--- a/ext/standard/iptc.c
+++ b/ext/standard/iptc.c
@@ -196,6 +196,11 @@ PHP_FUNCTION(iptcembed)
RETURN_FALSE;
}
+ if (iptcdata_len >= SIZE_MAX - sizeof(psheader) - 1025) {
+ php_error_docref(NULL TSRMLS_CC, E_WARNING, "IPTC data too large");
+ RETURN_FALSE;
+ }
+
if ((fp = VCWD_FOPEN(jpeg_file, "rb")) == 0) {
php_error_docref(NULL, E_WARNING, "Unable to open %s", jpeg_file);
RETURN_FALSE;
@@ -204,7 +209,7 @@ PHP_FUNCTION(iptcembed)
if (spool < 2) {
zend_fstat(fileno(fp), &sb);
- spoolbuf = zend_string_alloc(iptcdata_len + sizeof(psheader) + sb.st_size + 1024, 0);
+ spoolbuf = zend_string_safe_alloc(1, iptcdata_len + sizeof(psheader) + 1024 + 1, sb.st_size, 0);
poi = (unsigned char*)ZSTR_VAL(spoolbuf);
memset(poi, 0, iptcdata_len + sizeof(psheader) + sb.st_size + 1024 + 1);
}
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment