author | Stanislav Malyshev <stas@php.net> | 2018-04-23 13:42:51 -0700 |
---|---|---|
committer | Stanislav Malyshev <stas@php.net> | 2018-04-23 13:42:51 -0700 |
commit | e2dcf3cc546f3de63d20eeab924db2e71603dd86 (patch) | |
tree | f5b8d636eff854758c4067642dac6c4cf4a135d2 | |
parent | cb981e39c29bda59897cfaf30cebbf534c27f47c (diff) | |
parent | b4e4788c4461449b4587e19ef1f474ce938e4980 (diff) | |
download | php-git-e2dcf3cc546f3de63d20eeab924db2e71603dd86.tar.gz |
Merge remote-tracking branch 'security/PHP-5.6' into PHP-5.6
* security/PHP-5.6:
Fix #76130: Heap Buffer Overflow (READ: 1786) in exif_iif_add_value
Fix bug #75981: prevent reading beyond buffer start
-rw-r--r-- | ext/exif/exif.c | 2 | ||||
-rw-r--r-- | ext/exif/tests/bug76130.phpt | 20 | ||||
-rw-r--r-- | ext/exif/tests/bug76130_1.jpg | bin | 0 -> 3396 bytes | |||
-rw-r--r-- | ext/exif/tests/bug76130_2.jpg | bin | 0 -> 1632 bytes |
4 files changed, 21 insertions, 1 deletions
diff --git a/ext/exif/exif.c b/ext/exif/exif.c
index 1c8772f76b..e535278fc9 100644
--- a/ext/exif/exif.c
+++ b/ext/exif/exif.c
@@ -1710,7 +1710,7 @@ static void exif_iif_add_value(image_info_type *image_info, int section_index, c
 case TAG_FMT_UNDEFINED:
 if (value) {
 if (tag == TAG_MAKER_NOTE) {
- length = MIN(length, strlen(value));
+ length = (int) php_strnlen(value, length);
 }
 /* do not recompute length here */
diff --git a/ext/exif/tests/bug76130.phpt b/ext/exif/tests/bug76130.phpt
new file mode 100644
index 0000000000..9c826af629
--- /dev/null
+++ b/ext/exif/tests/bug76130.phpt
@@ -0,0 +1,20 @@
+--TEST--
+Bug #76130 (Heap Buffer Overflow (READ: 1786) in exif_iif_add_value)
+--DESCRIPTION--
+This test is meant to exhibit memory issues with the `-m` option. Since a lot of
+notices and warnings are to be expected anyway, we suppress these, since the are
+not relevant for this test.
+--INI--
+error_reporting=E_ALL & ~E_WARNING & ~E_NOTICE
+--SKIPIF--
+<?php
+if (!extension_loaded('exif')) die('skip exif extension not available');
+?>
+--FILE--
+<?php
+exif_read_data(__DIR__ . '/bug76130_1.jpg');
+exif_read_data(__DIR__ . '/bug76130_2.jpg');
+?>
+===DONE===
+--EXPECT--
+===DONE===
diff --git a/ext/exif/tests/bug76130_1.jpg b/ext/exif/tests/bug76130_1.jpg
Binary files differ
new file mode 100644
index 0000000000..e063e46d22
--- /dev/null
+++ b/ext/exif/tests/bug76130_1.jpg
diff --git a/ext/exif/tests/bug76130_2.jpg b/ext/exif/tests/bug76130_2.jpg
Binary files differ
new file mode 100644
index 0000000000..a9e79dca5c
--- /dev/null
+++ b/ext/exif/tests/bug76130_2.jpg |
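Review bot: The new `php_strnlen(value, length)` call in the `TAG_MAKER_NOTE` branch is only as safe as `length` itself: it stops the scan after `length` bytes, so a `length` larger than the data really available at `value`, or a negative one (it appears to be an `int`, judging by the `(int)` cast on the result, and would become a huge `size_t` at the call), would still let the read run past the buffer. The start of exif_iif_add_value and its callers are outside the hunk, so it cannot be confirmed from here that `length` is range-checked before this point. I would record that dependency next to the call, for example `/* maker note may lack a NUL: scan at most length bytes; length must be >= 0 and within the tag data */`, so a later refactoring does not drop the precondition.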
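Review bot: As written, bug76130.phpt passes on an ordinary run even if the out-of-bounds read returns, because it asserts only `===DONE===` and its own DESCRIPTION says the memory issue is exhibited with the `-m` option. The test guards the fix only when the suite is run with `-m` or on a build with a memory-error detector such as AddressSanitizer, so it is worth confirming that the CI job for ext/exif does one of those. Minor wording in the DESCRIPTION: `since the are` should read `since they are`.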