diff options
author | Stanislav Malyshev <stas@php.net> | 2016-01-26 17:26:52 -0800 |
---|---|---|
committer | Stanislav Malyshev <stas@php.net> | 2016-01-26 17:26:52 -0800 |
commit | 54c210d2ea9b8539edcde1888b1104b96b38e886 (patch) | |
tree | 07b6c0ac0324f510e98fb9dce816a293b403839f | |
parent | 6297a117d77fa3a0df2e21ca926a92c231819cd5 (diff) | |
download | php-git-54c210d2ea9b8539edcde1888b1104b96b38e886.tar.gz |
Fix bug #71459 - Integer overflow in iptcembed()
-rw-r--r-- | ext/standard/iptc.c | 7 |
1 files changed, 6 insertions, 1 deletions
diff --git a/ext/standard/iptc.c b/ext/standard/iptc.c index 05d778b41b..6f8aa5dc3e 100644 --- a/ext/standard/iptc.c +++ b/ext/standard/iptc.c @@ -195,6 +195,11 @@ PHP_FUNCTION(iptcembed) RETURN_FALSE; } + if ((size_t)iptcdata_len >= SIZE_MAX - sizeof(psheader) - 1025) { + php_error_docref(NULL TSRMLS_CC, E_WARNING, "IPTC data too large"); + RETURN_FALSE; + } + if ((fp = VCWD_FOPEN(jpeg_file, "rb")) == 0) { php_error_docref(NULL TSRMLS_CC, E_WARNING, "Unable to open %s", jpeg_file); RETURN_FALSE; @@ -203,7 +208,7 @@ PHP_FUNCTION(iptcembed) if (spool < 2) { fstat(fileno(fp), &sb); - poi = spoolbuf = safe_emalloc(1, iptcdata_len + sizeof(psheader) + sb.st_size + 1024, 1); + poi = spoolbuf = safe_emalloc(1, (size_t)iptcdata_len + sizeof(psheader) + 1024 + 1, sb.st_size); memset(poi, 0, iptcdata_len + sizeof(psheader) + sb.st_size + 1024 + 1); } |