author | Stanislav Malyshev <stas@php.net> | 2018-06-19 16:26:36 -0700 |
---|---|---|
committer | Stanislav Malyshev <stas@php.net> | 2018-07-16 14:16:58 -0700 |
commit | 1baeae42703f9b2ec21fff787146eeca08d45535 (patch) | |
tree | 361a780b72effa9f2eb4612e0808809957992767 | |
parent | fe3d53f4437718fad63850695970dddd63144af5 (diff) | |
download | php-git-1baeae42703f9b2ec21fff787146eeca08d45535.tar.gz |
Fix bug #76423 - Int Overflow lead to Heap OverFlow in exif_thumbnail_extract of exif.c
-rw-r--r-- | ext/exif/exif.c | 5 | ||||
-rw-r--r-- | ext/exif/tests/bug76423.jpg | bin | 0 -> 1537 bytes | |||
-rw-r--r-- | ext/exif/tests/bug76423.phpt | 19 |
3 files changed, 23 insertions, 1 deletions
diff --git a/ext/exif/exif.c b/ext/exif/exif.c
index e535278fc9..1147980f77 100644
--- a/ext/exif/exif.c
+++ b/ext/exif/exif.c
@@ -2545,7 +2545,10 @@ static void exif_thumbnail_extract(image_info_type *ImageInfo, char *offset, siz
 return;
 }
 /* Check to make sure we are not going to go past the ExifLength */
- if ((ImageInfo->Thumbnail.offset + ImageInfo->Thumbnail.size) > length) {
+ if (ImageInfo->Thumbnail.size > length
+ || (ImageInfo->Thumbnail.offset + ImageInfo->Thumbnail.size) > length
+ || ImageInfo->Thumbnail.offset > length - ImageInfo->Thumbnail.size
+ ) {
 EXIF_ERRLOG_THUMBEOF(ImageInfo)
 return;
 }
diff --git a/ext/exif/tests/bug76423.jpg b/ext/exif/tests/bug76423.jpg
Binary files differ
new file mode 100644
index 0000000000..08fe2bbc57
--- /dev/null
+++ b/ext/exif/tests/bug76423.jpg
diff --git a/ext/exif/tests/bug76423.phpt b/ext/exif/tests/bug76423.phpt
new file mode 100644
index 0000000000..4c8cd45dc9
--- /dev/null
+++ b/ext/exif/tests/bug76423.phpt
@@ -0,0 +1,19 @@
+--TEST--
+Bug #76423 (Int Overflow lead to Heap OverFlow in exif_thumbnail_extract of exif.c)
+--SKIPIF--
+<?php
+if (!extension_loaded('exif')) die('skip exif extension not available');
+?>
+--FILE--
+<?php
+exif_read_data(__DIR__ . '/bug76423.jpg', 0, true, true);
+?>
+===DONE===
+--EXPECTF--
+
+Warning: exif_read_data(%s.jpg): Thumbnail goes IFD boundary or end of file reached in %s on line %d
+
+Warning: exif_read_data(%s.jpg): File structure corrupted in %s on line %d
+
+Warning: exif_read_data(%s.jpg): Invalid JPEG file in %s on line %d
+===DONE=== |
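Review bot: The middle clause of the new condition, `(ImageInfo->Thumbnail.offset + ImageInfo->Thumbnail.size) > length`, still evaluates the sum that can wrap, and it adds nothing once `size > length` and `offset > length - size` are both tested. The declarations of `offset` and `size` are outside the hunk; if they are unsigned the wrap is harmless and the clause is merely redundant, but if they are signed the addition itself is undefined behaviour. Reducing the test to `if (ImageInfo->Thumbnail.size > length || ImageInfo->Thumbnail.offset > length - ImageInfo->Thumbnail.size) {` keeps the bounds check free of overflow. A comment such as `/* size is compared first so that length - size cannot wrap */` would record why the clause order matters. The body of exif_thumbnail_extract continues past the hunk, so the copy this check guards is not visible here.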
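Review bot: The test does not say which fields of the binary fixture make the new check fire, so a later reader cannot tell whether it covers the wrapped-sum case or only an oversized thumbnail. A comment at the top of the `--FILE--` section, for example `// bug76423.jpg: thumbnail offset/size for which offset + size wraps (values: <fill in from fixture>)`, would document that. The expected output pins only the three warnings, so it is worth confirming that the test fails on the parent commit.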