smalyshev/77563.diff Secret

## 77563.diff
commit 6c4d81b524cf664748dd89579aa9157a5955f8b0
Author: Stanislav Malyshev <stas@php.net>
Date:   Sat Mar 2 15:07:40 2019 -0800

    Fix bug #77563 - Uninitialized read in exif_process_IFD_in_MAKERNOTE

    Also fix for bug #77659

diff --git a/ext/exif/exif.c b/ext/exif/exif.c
index cbde3effed..b90f62f09d 100644
--- a/ext/exif/exif.c
+++ b/ext/exif/exif.c
@@ -2741,7 +2741,7 @@ static int exif_process_IFD_in_MAKERNOTE(image_info_type *ImageInfo, char * valu
 		break;
 	}

-	if (maker_note->offset >= value_len) {
+	if (value_len < 2 || maker_note->offset >= value_len - 1) {
 		/* Do not go past the value end */
 		exif_error_docref("exif_read_data#error_ifd" EXIFERR_CC, ImageInfo, E_WARNING, "IFD data too short: 0x%04X offset 0x%04X", value_len, maker_note->offset);
 		return FALSE;
@@ -2794,6 +2794,7 @@ static int exif_process_IFD_in_MAKERNOTE(image_info_type *ImageInfo, char * valu
 			break;
 		default:
 		case MN_OFFSET_NORMAL:
+			data_len = value_len;
 			break;
 	}

diff --git a/ext/exif/tests/bug77563.jpg b/ext/exif/tests/bug77563.jpg
new file mode 100644
index 0000000000..d6280151f0
Binary files /dev/null and b/ext/exif/tests/bug77563.jpg differ
diff --git a/ext/exif/tests/bug77563.phpt b/ext/exif/tests/bug77563.phpt
new file mode 100644
index 0000000000..c14588664b
--- /dev/null
+++ b/ext/exif/tests/bug77563.phpt
@@ -0,0 +1,16 @@
+--TEST--
+Bug 77563 (Uninitialized read in exif_process_IFD_in_MAKERNOTE)
+--SKIPIF--
+<?php if (!extension_loaded('exif')) print 'skip exif extension not available';?>
+--FILE--
+<?php
+$s = exif_thumbnail(__DIR__."/bug77563.jpg");
+?>
+DONE
+--EXPECTF--
+Warning: exif_thumbnail(bug77563.jpg): Illegal IFD offset in %s/bug77563.php on line %d
+
+Warning: exif_thumbnail(bug77563.jpg): File structure corrupted in %s/bug77563.php on line %d
+
+Warning: exif_thumbnail(bug77563.jpg): Invalid JPEG file in %s/bug77563.php on line %d
+DONE
\ No newline at end of file
	commit 6c4d81b524cf664748dd89579aa9157a5955f8b0
	Author: Stanislav Malyshev <stas@php.net>
	Date: Sat Mar 2 15:07:40 2019 -0800

	Fix bug #77563 - Uninitialized read in exif_process_IFD_in_MAKERNOTE

	Also fix for bug #77659

	diff --git a/ext/exif/exif.c b/ext/exif/exif.c
	index cbde3effed..b90f62f09d 100644
	--- a/ext/exif/exif.c
	+++ b/ext/exif/exif.c
	@@ -2741,7 +2741,7 @@ static int exif_process_IFD_in_MAKERNOTE(image_info_type ImageInfo, char valu
	break;
	}

	- if (maker_note->offset >= value_len) {
	+ if (value_len < 2 \|\| maker_note->offset >= value_len - 1) {
	/* Do not go past the value end */
	exif_error_docref("exif_read_data#error_ifd" EXIFERR_CC, ImageInfo, E_WARNING, "IFD data too short: 0x%04X offset 0x%04X", value_len, maker_note->offset);
	return FALSE;
	@@ -2794,6 +2794,7 @@ static int exif_process_IFD_in_MAKERNOTE(image_info_type ImageInfo, char valu
	break;
	default:
	case MN_OFFSET_NORMAL:
	+ data_len = value_len;
	break;
	}

	diff --git a/ext/exif/tests/bug77563.jpg b/ext/exif/tests/bug77563.jpg
	new file mode 100644
	index 0000000000..d6280151f0
	Binary files /dev/null and b/ext/exif/tests/bug77563.jpg differ
	diff --git a/ext/exif/tests/bug77563.phpt b/ext/exif/tests/bug77563.phpt
	new file mode 100644
	index 0000000000..c14588664b
	--- /dev/null
	+++ b/ext/exif/tests/bug77563.phpt
	@@ -0,0 +1,16 @@
	+--TEST--
	+Bug 77563 (Uninitialized read in exif_process_IFD_in_MAKERNOTE)
	+--SKIPIF--
	+<?php if (!extension_loaded('exif')) print 'skip exif extension not available';?>
	+--FILE--
	+<?php
	+$s = exif_thumbnail(__DIR__."/bug77563.jpg");
	+?>
	+DONE
	+--EXPECTF--
	+Warning: exif_thumbnail(bug77563.jpg): Illegal IFD offset in %s/bug77563.php on line %d
	+
	+Warning: exif_thumbnail(bug77563.jpg): File structure corrupted in %s/bug77563.php on line %d
	+
	+Warning: exif_thumbnail(bug77563.jpg): Invalid JPEG file in %s/bug77563.php on line %d
	+DONE
	\ No newline at end of file