Fix bug #65873 - Integer overflow in exif_read_data()

2 files changed, 9 insertions, 1 deletions

diff --git a/NEWS b/NEWS
index 91b2182f3c..d3bd822885 100644
--- a/NEWS
+++ b/NEWS
@@ -17,6 +17,9 @@ PHP                                                                        NEWS
   . Fixed bug #65196 (Passing DOMDocumentFragment to DOMDocument::saveHTML() 
     Produces invalid Markup). (Mike)
 
+- Exif:
+  . Fixed bug #65873 (Integer overflow in exif_read_data()). (Stas)
+
 - Filter:
   . Fixed bug #66229 (128.0.0.0/16 isn't reserved any longer). (Adam)
 
diff --git a/ext/exif/exif.c b/ext/exif/exif.c
index 2fe54f7b31..c531d8dfa8 100644
--- a/ext/exif/exif.c
+++ b/ext/exif/exif.c
@@ -2852,7 +2852,12 @@ static int exif_process_IFD_TAG(image_info_type *ImageInfo, char *dir_entry, cha
 		offset_val = php_ifd_get32u(dir_entry+8, ImageInfo->motorola_intel);
 		/* If its bigger than 4 bytes, the dir entry contains an offset. */
 		value_ptr = offset_base+offset_val;
-		if (byte_count > IFDlength || offset_val > IFDlength-byte_count || value_ptr < dir_entry) {
+        /* 
+            dir_entry is ImageInfo->file.list[sn].data+2+i*12
+            offset_base is ImageInfo->file.list[sn].data-dir_offset 
+            dir_entry - offset_base is dir_offset+2+i*12
+        */
+		if (byte_count > IFDlength || offset_val > IFDlength-byte_count || value_ptr < dir_entry || offset_val < (size_t)(dir_entry-offset_base)) {
 			/* It is important to check for IMAGE_FILETYPE_TIFF
 			 * JPEG does not use absolute pointers instead its pointers are
 			 * relative to the start of the TIFF header in APP1 section. */