author | Stanislav Malyshev <stas@php.net> | 2015-01-20 00:57:55 -0800 |
committer | Stanislav Malyshev <stas@php.net> | 2015-01-20 01:00:11 -0800 |
commit | fc6aa939f59c9be0febe0fa141629e49541bab8c (patch) | |
tree | 006eb9bba66c530be16b1f45f13ae362ef4f231b | |
parent | 0a766104599fcb285bb9542fa28d2f7baa3d8e16 (diff) | |
parent | 2fc178cf448d8e1b95d1314e47eeef610729e0df (diff) | |
Merge branch 'bug68799' into PHP-5.4
* bug68799:
Fix bug #68799: Free called on unitialized pointer
-rw-r--r-- | NEWS | 5 | ||||
-rw-r--r-- | ext/exif/exif.c | 2 | ||||
-rw-r--r-- | ext/exif/tests/bug68799.jpg | bin | 0 -> 735 bytes | |||
-rw-r--r-- | ext/exif/tests/bug68799.phpt | 63 |
4 files changed, 68 insertions, 2 deletions
@@ -2,7 +2,10 @@ PHP NEWS
 |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
 ?? ??? 20?? PHP 5.4.37
 - CGI:
- . Fix bug #68618 (out of bounds read crashes php-cgi). (Stas)
+ . Fixed bug #68618 (out of bounds read crashes php-cgi). (Stas)
+
+- EXIF:
+ . Fix bug #68799: Free called on unitialized pointer. (CVE-2015-0232) (Stas)
 
 - Fileinfo:
  . Removed readelf.c and related code from libmagic sources
diff --git a/ext/exif/exif.c b/ext/exif/exif.c
index 637ebf9289..7f95ff43ea 100644
--- a/ext/exif/exif.c
+++ b/ext/exif/exif.c
@@ -2702,7 +2702,7 @@ static int exif_process_user_comment(image_info_type *ImageInfo, char **pszInfoP
 static int exif_process_unicode(image_info_type *ImageInfo, xp_field_type *xp_field, int tag, char *szValuePtr, int ByteCount TSRMLS_DC)
 {
 	xp_field->tag = tag;
-
+	xp_field->value = NULL;
 	/* XXX this will fail again if encoding_converter returns on error something different than SIZE_MAX */
 	if (zend_multibyte_encoding_converter(
 			(unsigned char**)&xp_field->value,
diff --git a/ext/exif/tests/bug68799.jpg b/ext/exif/tests/bug68799.jpg
Binary files differ
new file mode 100644
index 0000000000..acc326dbbf
--- /dev/null
+++ b/ext/exif/tests/bug68799.jpg
diff --git a/ext/exif/tests/bug68799.phpt b/ext/exif/tests/bug68799.phpt
new file mode 100644
index 0000000000..b09f21ca7b
--- /dev/null
+++ b/ext/exif/tests/bug68799.phpt
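Review bot: The added `xp_field->value = NULL;` carries no comment saying why the initialisation matters, and the XXX comment directly below it only covers the converter's return-value assumption, so a later reader may take the assignment for a redundant store and fold it away. Presumably the cleanup path later in this function releases `xp_field->value` even when `zend_multibyte_encoding_converter` fails without ever assigning it, which is what the bug title describes; if that is the case, record it above the assignment: `/* must start NULL: on converter failure value is left untouched and is still released by the error path */`. exif_process_unicode continues past the end of the hunk, so the release site itself is not visible here and that wording should be checked against it.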
@@ -0,0 +1,63 @@
+--TEST--
+Bug #68799 (Free called on unitialized pointer)
+--SKIPIF--
+<?php if (!extension_loaded('exif')) print 'skip exif extension not available';?>
+--FILE--
+<?php
+/*
+* Pollute the heap. Helps trigger bug. Sometimes not needed.
+*/
+class A {
+ function __construct() {
+ $a = 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAa';
+ $this->a = $a . $a . $a . $a . $a . $a;
+ }
+};
+
+function doStuff ($limit) {
+
+ $a = new A;
+
+ $b = array();
+ for ($i = 0; $i < $limit; $i++) {
+ $b[$i] = clone $a;
+ }
+
+ unset($a);
+
+ gc_collect_cycles();
+}
+
+$iterations = 3;
+
+doStuff($iterations);
+doStuff($iterations);
+
+gc_collect_cycles();
+
+print_r(exif_read_data(__DIR__.'/bug68799.jpg'));
+
+?>
+--EXPECTF--
+Array
+(
+ [FileName] => bug68799.jpg
+ [FileDateTime] => %d
+ [FileSize] => 735
+ [FileType] => 2
+ [MimeType] => image/jpeg
+ [SectionsFound] => ANY_TAG, IFD0, WINXP
+ [COMPUTED] => Array
+ (
+ [html] => width="1" height="1"
+ [Height] => 1
+ [Width] => 1
+ [IsColor] => 1
+ [ByteOrderMotorola] => 1
+ )
+
+ [XResolution] => 96/1
+ [YResolution] => 96/1
+ [ResolutionUnit] => 2
+ [Author] =>
+) |
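Review bot: The `--EXPECTF--` block pins `[Author] =>` to an empty value without saying why, and if that empty string is the converter-failure path the fix targets (the `WINXP` entry in `[SectionsFound]` suggests the XP tag is present but not converted), a later maintainer may "correct" the fixture and silently stop exercising the path. A one-line comment in the `--FILE--` section before the `print_r` call, e.g. `// Author is expected to come back empty: the XP tag's conversion fails and the test checks that this does not crash`, would keep that intent attached to the test. The heap-pollution comment already admits it is "Sometimes not needed", so the test is a best-effort reproduction; saying so in the same note stops a passing run from being read as a deterministic proof of the fix.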