commit f379142d66885cae8b13db884ff76fe398421884 | |
Author: Stanislav Malyshev <stas@php.net> | |
Date: Tue Jan 26 17:26:52 2016 -0800 | |
Fix bug #71459 - Integer overflow in iptcembed() | |
diff --git a/ext/standard/iptc.c b/ext/standard/iptc.c | |
index a354706..b10d844 100644 | |
--- a/ext/standard/iptc.c | |
+++ b/ext/standard/iptc.c | |
@@ -196,6 +196,11 @@ PHP_FUNCTION(iptcembed) | |
RETURN_FALSE; | |
} | |
+ if (iptcdata_len >= SIZE_MAX - sizeof(psheader) - 1025) { | |
+ php_error_docref(NULL TSRMLS_CC, E_WARNING, "IPTC data too large"); | |
+ RETURN_FALSE; | |
+ } | |
+ | |
if ((fp = VCWD_FOPEN(jpeg_file, "rb")) == 0) { | |
php_error_docref(NULL, E_WARNING, "Unable to open %s", jpeg_file); | |
RETURN_FALSE; | |
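Review bot: The bound in the added guard, `SIZE_MAX - sizeof(psheader) - 1025`, hard-codes the same slack that the allocation in the next hunk spells as `1024 + 1`, and nothing ties the two together, so a later edit to one can silently reopen the wraparound. A short comment above the check would document the dependency, for example `/* iptcdata_len + sizeof(psheader) + 1024 + 1 must not wrap; the st_size term is left to zend_string_safe_alloc() */`. The added call also passes `NULL TSRMLS_CC` while the neighbouring `php_error_docref(NULL, E_WARNING, "Unable to open %s", jpeg_file)` does not, so the two calls should probably use whichever form this branch expects. The body of iptcembed starts and ends outside the hunk.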
@@ -204,7 +209,7 @@ PHP_FUNCTION(iptcembed) | |
if (spool < 2) { | |
zend_fstat(fileno(fp), &sb); | |
- spoolbuf = zend_string_alloc(iptcdata_len + sizeof(psheader) + sb.st_size + 1024, 0); | |
+ spoolbuf = zend_string_safe_alloc(1, iptcdata_len + sizeof(psheader) + 1024 + 1, sb.st_size, 0); | |
poi = (unsigned char*)ZSTR_VAL(spoolbuf); | |
memset(poi, 0, iptcdata_len + sizeof(psheader) + sb.st_size + 1024 + 1); | |
} |
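Review bot: The return value of `zend_fstat(fileno(fp), &sb)` is not checked, so on failure `sb.st_size` is indeterminate when it is passed to `zend_string_safe_alloc` and reused in the `memset` length. A guard such as `if (zend_fstat(fileno(fp), &sb) != 0) { fclose(fp); RETURN_FALSE; }` would close that gap, assuming `fp` has no other owner at this point. The `memset` also recomputes the size with plain additions instead of reusing the checked result, so `memset(poi, 0, ZSTR_LEN(spoolbuf));` would keep the fill length tied to what was actually allocated. The rest of the function, including the code that fills the buffer, is outside the hunk.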