author | Stanislav Malyshev <stas@php.net> | 2014-05-11 19:09:19 -0700 |
---|---|---|
committer | Stanislav Malyshev <stas@php.net> | 2014-05-11 19:09:19 -0700 |
commit | 3e9cb6a4a5504c888f185a5ab7d1cc02cc359cbe (patch) | |
tree | 65137cb2b03c450263f6886d975c53b09f16446d | |
parent | 2b475eebbea85779989e98e87753d6b023a1d131 (diff) | |
Fix bug #67250 (iptcparse out-of-bounds read)
-rw-r--r-- | NEWS | 1 | ||||
-rw-r--r-- | ext/standard/iptc.c | 3 | ||||
-rw-r--r-- | ext/standard/tests/image/bug67250.phpt | 8 |
3 files changed, 12 insertions, 0 deletions
@@ -12,6 +12,7 @@ PHP NEWS
 . Fixed bug #67245 (usage of memcpy() with overlapping src and dst in zend_exceptions.c). (Bob)
 . Fixed bug #67247 (spl_fixedarray_resize integer overflow). (Stas)
+ . Fixed bug #67250 (iptcparse out-of-bounds read). (Stas)
 - Date:
 . Fixed bug #67118 (DateTime constructor crash with invalid data). (Anatol)
diff --git a/ext/standard/iptc.c b/ext/standard/iptc.c
index 3257339106..d2c14c98c7 100644
--- a/ext/standard/iptc.c
+++ b/ext/standard/iptc.c
@@ -329,6 +329,9 @@ PHP_FUNCTION(iptcparse)
 recnum = buffer[ inx++ ];
 if (buffer[ inx ] & (unsigned char) 0x80) { /* long tag */
+ if((inx+6) >= str_len) {
+ break;
+ }
 len = (((long) buffer[ inx + 2 ]) << 24) + (((long) buffer[ inx + 3 ]) << 16) + (((long) buffer[ inx + 4 ]) << 8) + (((long) buffer[ inx + 5 ]));
 inx += 6;
diff --git a/ext/standard/tests/image/bug67250.phpt b/ext/standard/tests/image/bug67250.phpt
new file mode 100644
index 0000000000..607de9f3b6
--- /dev/null
+++ b/ext/standard/tests/image/bug67250.phpt
@@ -0,0 +1,8 @@
+--TEST--
+Bug #67250 (iptcparse out-of-bounds read)
+--FILE--
+<?php
+var_dump(iptcparse("\x1C\x02_\x80___"));
+?>
+--EXPECT--
+bool(false) |
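Review bot: The new guard in the long-tag branch only ensures that `buffer[ inx + 2 ]` through `buffer[ inx + 5 ]` lie inside the string; the `len` assembled from those bytes on the following line comes straight from the input and is not checked here. Where `long` is 32 bits, a first length byte of 0x80 or above makes `((long) buffer[ inx + 2 ]) << 24` negative, so the code that consumes `len` should reject `len < 0` as well as a length running past `str_len`. That code is outside this hunk, as are the start and end of PHP_FUNCTION(iptcparse), so this needs confirming there. A one-line comment above the guard would also help, e.g. `/* long tag header is 6 bytes; stop if it does not fit in the input */`.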
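Review bot: The test pins only the return value, and an out-of-bounds read of a few bytes may well produce `bool(false)` on an unfixed build too, so this case is a reliable regression check only when the suite runs under a memory checker (valgrind or an ASan build). State that in the test, for example with `// truncated long tag (\x80 flag, fewer than 6 header bytes left); run under valgrind/ASan to catch the read` above the `var_dump` line. A second input whose long-tag header fits exactly in the string would cover the boundary of the new `>=` comparison.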