author | Stanislav Malyshev <stas@php.net> | 2018-07-01 22:20:19 -0700 |
---|---|---|
committer | Stanislav Malyshev <stas@php.net> | 2018-07-16 14:17:51 -0700 |
commit | 3462efa386f26d343062094514af604c29e3edce (patch) | |
tree | d2a737be8a34612a8934d4b2bdecd8e8419443fd | |
parent | 1baeae42703f9b2ec21fff787146eeca08d45535 (diff) | |
download | php-git-3462efa386f26d343062094514af604c29e3edce.tar.gz |
Fix bug #76557: heap-buffer-overflow (READ of size 48) while reading exif data
Use MAKERNOTE length as data size.
-rw-r--r-- | ext/exif/exif.c | 5 | ||||
-rw-r--r-- | ext/exif/tests/bug76557.jpg | bin | 0 -> 2372 bytes | |||
-rw-r--r-- | ext/exif/tests/bug76557.phpt | 79 |
3 files changed, 83 insertions, 1 deletions
diff --git a/ext/exif/exif.c b/ext/exif/exif.c
index 1147980f77..cad29b7295 100644
--- a/ext/exif/exif.c
+++ b/ext/exif/exif.c
@@ -2728,6 +2728,7 @@ static int exif_process_IFD_in_MAKERNOTE(image_info_type *ImageInfo, char * valu
 int NumDirEntries, old_motorola_intel, offset_diff;
 const maker_note_type *maker_note;
 char *dir_start;
+ int data_len;
 
 for (i=0; i<=sizeof(maker_note_array)/sizeof(maker_note_type); i++) {
 if (i==sizeof(maker_note_array)/sizeof(maker_note_type)) {
@@ -2782,6 +2783,7 @@ static int exif_process_IFD_in_MAKERNOTE(image_info_type *ImageInfo, char * valu
 switch (maker_note->offset_mode) {
 case MN_OFFSET_MAKER:
 offset_base = value_ptr;
+ data_len = value_len;
 break;
 case MN_OFFSET_GUESS:
 if (maker_note->offset + 10 + 4 >= value_len) {
@@ -2798,6 +2800,7 @@ static int exif_process_IFD_in_MAKERNOTE(image_info_type *ImageInfo, char * valu
 return FALSE;
 }
 offset_base = value_ptr + offset_diff;
+ data_len = value_len - offset_diff;
 break;
 default:
 case MN_OFFSET_NORMAL:
@@ -2811,7 +2814,7 @@ static int exif_process_IFD_in_MAKERNOTE(image_info_type *ImageInfo, char * valu
 for (de=0;de<NumDirEntries;de++) {
 if (!exif_process_IFD_TAG(ImageInfo, dir_start + 2 + 12 * de,
- offset_base, IFDlength, displacement, section_index, 0, maker_note->tag_table TSRMLS_CC)) {
+ offset_base, data_len, displacement, section_index, 0, maker_note->tag_table TSRMLS_CC)) {
 return FALSE;
 }
 }
diff --git a/ext/exif/tests/bug76557.jpg b/ext/exif/tests/bug76557.jpg
Binary files differ
new file mode 100644
index 0000000000..d678f07c0f
--- /dev/null
+++ b/ext/exif/tests/bug76557.jpg
diff --git a/ext/exif/tests/bug76557.phpt b/ext/exif/tests/bug76557.phpt
new file mode 100644
index 0000000000..4553b62772
--- /dev/null
+++ b/ext/exif/tests/bug76557.phpt
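Review bot: `data_len` is declared without an initializer in the first hunk and is assigned only in the `MN_OFFSET_MAKER` and `MN_OFFSET_GUESS` arms of the switch, so if the `default:`/`case MN_OFFSET_NORMAL:` arm — whose body falls outside the third hunk — does not assign it, the last hunk passes an indeterminate value to `exif_process_IFD_TAG` as the very bound this fix relies on (reading an uninitialized automatic variable is undefined behavior). Unless that arm is confirmed to set it, initialize at the declaration, `int data_len = value_len;`, or add `data_len = value_len;` to the NORMAL arm so the bound is never indeterminate. In the `MN_OFFSET_GUESS` arm, `value_len - offset_diff` is only a length inside the MakerNote buffer when `offset_diff` is non-negative; the computation of `offset_diff` sits between the second and third hunks and is not visible here, so that precondition deserves either an explicit check such as `if (offset_diff < 0) return FALSE;` or a comment stating why it cannot be negative. The enclosing function `exif_process_IFD_in_MAKERNOTE` starts before the first hunk and continues past the last.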
@@ -0,0 +1,79 @@ +--TEST-- +Bug 76557 (heap-buffer-overflow (READ of size 48) while reading exif data) +--SKIPIF-- +<?php if (!extension_loaded('exif')) print 'skip exif extension not available';?> +--FILE-- +<?php +var_dump(count(exif_read_data(dirname(__FILE__) . "/bug76557.jpg"))); +?> +DONE +--EXPECTF-- +Warning: exif_read_data(bug76557.jpg): Process tag(x010F=Make ): Illegal format code 0x3030, suppose BYTE in %sbug76557.php on line %d + +Warning: exif_read_data(bug76557.jpg): Process tag(x3030=UndefinedTa): Illegal format code 0x3030, suppose BYTE in %sbug76557.php on line %d + +Warning: exif_read_data(bug76557.jpg): Process tag(x3030=UndefinedTa): Illegal format code 0x3030, suppose BYTE in %sbug76557.php on line %d + +Warning: exif_read_data(bug76557.jpg): Process tag(x3030=UndefinedTa): Illegal format code 0x3030, suppose BYTE in %sbug76557.php on line %d + +Warning: exif_read_data(bug76557.jpg): Process tag(x3030=UndefinedTa): Illegal format code 0x3030, suppose BYTE in %sbug76557.php on line %d + +Warning: exif_read_data(bug76557.jpg): Process tag(x3030=UndefinedTa): Illegal format code 0x3030, suppose BYTE in %sbug76557.php on line %d + +Warning: exif_read_data(bug76557.jpg): Process tag(x3030=UndefinedTa): Illegal format code 0x3030, suppose BYTE in %sbug76557.php on line %d + +Warning: exif_read_data(bug76557.jpg): Process tag(x3030=UndefinedTa): Illegal format code 0x3030, suppose BYTE in %sbug76557.php on line %d + +Warning: exif_read_data(bug76557.jpg): Process tag(x3030=UndefinedTa): Illegal format code 0x3030, suppose BYTE in %sbug76557.php on line %d + +Warning: exif_read_data(bug76557.jpg): Process tag(x3030=UndefinedTa): Illegal format code 0x3030, suppose BYTE in %sbug76557.php on line %d + +Warning: exif_read_data(bug76557.jpg): Process tag(x8769=Exif_IFD_Po): Illegal format code 0x3030, suppose BYTE in %sbug76557.php on line %d + +Warning: exif_read_data(bug76557.jpg): Process tag(x3030=UndefinedTa): Illegal format code 0x3030, suppose BYTE 
in %sbug76557.php on line %d + +Warning: exif_read_data(bug76557.jpg): Process tag(x3030=UndefinedTa): Illegal format code 0x3030, suppose BYTE in %sbug76557.php on line %d + +Warning: exif_read_data(bug76557.jpg): Process tag(x3030=UndefinedTa): Illegal format code 0x3030, suppose BYTE in %sbug76557.php on line %d + +Warning: exif_read_data(bug76557.jpg): Process tag(x3030=UndefinedTa): Illegal format code 0x3030, suppose BYTE in %sbug76557.php on line %d + +Warning: exif_read_data(bug76557.jpg): Process tag(x3030=UndefinedTa): Illegal format code 0x3030, suppose BYTE in %sbug76557.php on line %d + +Warning: exif_read_data(bug76557.jpg): Process tag(x3030=UndefinedTa): Illegal format code 0x3030, suppose BYTE in %sbug76557.php on line %d + +Warning: exif_read_data(bug76557.jpg): Process tag(x3030=UndefinedTa): Illegal format code 0x3030, suppose BYTE in %sbug76557.php on line %d + +Warning: exif_read_data(bug76557.jpg): Process tag(x3030=UndefinedTa): Illegal format code 0x3030, suppose BYTE in %sbug76557.php on line %d + +Warning: exif_read_data(bug76557.jpg): Process tag(x3030=UndefinedTa): Illegal format code 0x3030, suppose BYTE in %sbug76557.php on line %d + +Warning: exif_read_data(bug76557.jpg): Process tag(x3030=UndefinedTa): Illegal format code 0x3030, suppose BYTE in %sbug76557.php on line %d + +Warning: exif_read_data(bug76557.jpg): Process tag(x3030=UndefinedTa): Illegal format code 0x3030, suppose BYTE in %sbug76557.php on line %d + +Warning: exif_read_data(bug76557.jpg): Process tag(x3030=UndefinedTa): Illegal format code 0x3030, suppose BYTE in %sbug76557.php on line %d + +Warning: exif_read_data(bug76557.jpg): Process tag(x3030=UndefinedTa): Illegal format code 0x3030, suppose BYTE in %sbug76557.php on line %d + +Warning: exif_read_data(bug76557.jpg): Process tag(x3030=UndefinedTa): Illegal format code 0x3030, suppose BYTE in %sbug76557.php on line %d + +Warning: exif_read_data(bug76557.jpg): Process tag(x3030=UndefinedTa): Illegal format code 
0x3030, suppose BYTE in %sbug76557.php on line %d + +Warning: exif_read_data(bug76557.jpg): Process tag(x3030=UndefinedTa): Illegal format code 0x3030, suppose BYTE in %sbug76557.php on line %d + +Warning: exif_read_data(bug76557.jpg): Process tag(x927C=MakerNote ): Illegal format code 0x3030, suppose BYTE in %sbug76557.php on line %d + +Warning: exif_read_data(bug76557.jpg): Process tag(x3030=UndefinedTa): Illegal format code 0x3030, suppose BYTE in %sbug76557.php on line %d + +Warning: exif_read_data(bug76557.jpg): Process tag(x3030=UndefinedTa): Illegal format code 0x3030, suppose BYTE in %sbug76557.php on line %d + +Warning: exif_read_data(bug76557.jpg): Process tag(x3030=UndefinedTa): Illegal format code 0x3030, suppose BYTE in %sbug76557.php on line %d + +Warning: exif_read_data(bug76557.jpg): Process tag(x3030=UndefinedTa): Illegal pointer offset(x30303030 + x30303030 = x60606060 > x00EE) in %sbug76557.php on line %d + +Warning: exif_read_data(bug76557.jpg): File structure corrupted in %sbug76557.php on line %d + +Warning: exif_read_data(bug76557.jpg): Invalid JPEG file in %sbug76557.php on line %d +int(1) +DONE |