authorStanislav Malyshev <stas@php.net>2018-06-19 16:26:36 -0700
committerStanislav Malyshev <stas@php.net>2018-07-16 14:16:58 -0700
commit1baeae42703f9b2ec21fff787146eeca08d45535 (patch)
tree361a780b72effa9f2eb4612e0808809957992767
parentfe3d53f4437718fad63850695970dddd63144af5 (diff)
downloadphp-git-1baeae42703f9b2ec21fff787146eeca08d45535.tar.gz
Fix bug #76423 - Int Overflow lead to Heap OverFlow in exif_thumbnail_extract of exif.c
-rw-r--r--ext/exif/exif.c5
-rw-r--r--ext/exif/tests/bug76423.jpgbin0 -> 1537 bytes
-rw-r--r--ext/exif/tests/bug76423.phpt19
3 files changed, 23 insertions, 1 deletions
diff --git a/ext/exif/exif.c b/ext/exif/exif.c
index e535278fc9..1147980f77 100644
--- a/ext/exif/exif.c
+++ b/ext/exif/exif.c
@@ -2545,7 +2545,10 @@ static void exif_thumbnail_extract(image_info_type *ImageInfo, char *offset, siz
return;
}
/* Check to make sure we are not going to go past the ExifLength */
- if ((ImageInfo->Thumbnail.offset + ImageInfo->Thumbnail.size) > length) {
+ if (ImageInfo->Thumbnail.size > length
+ || (ImageInfo->Thumbnail.offset + ImageInfo->Thumbnail.size) > length
+ || ImageInfo->Thumbnail.offset > length - ImageInfo->Thumbnail.size
+ ) {
EXIF_ERRLOG_THUMBEOF(ImageInfo)
return;
}
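Review bot: The middle clause `(ImageInfo->Thumbnail.offset + ImageInfo->Thumbnail.size) > length` still performs the addition that bug #76423 is about, and it is made redundant by the clause after it: once `size > length` has been excluded, `offset > length - size` is the overflow-free form of the same bound, so the guard can read `if (ImageInfo->Thumbnail.size > length || ImageInfo->Thumbnail.offset > length - ImageInfo->Thumbnail.size) {`. If `Thumbnail.offset` or `Thumbnail.size` is a signed type (the struct declaration is outside this hunk, so confirm), keeping the addition also keeps a possible signed overflow, and a negative value would only be rejected through the unsigned promotion in the comparison against `length`, which deserves a one-line comment such as `/* size_t arithmetic: both terms must be <= length, so the subtraction cannot wrap */`. The enclosing function `exif_thumbnail_extract` starts before and continues after this hunk.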
diff --git a/ext/exif/tests/bug76423.jpg b/ext/exif/tests/bug76423.jpg
new file mode 100644
index 0000000000..08fe2bbc57
--- /dev/null
+++ b/ext/exif/tests/bug76423.jpg
Binary files differ
diff --git a/ext/exif/tests/bug76423.phpt b/ext/exif/tests/bug76423.phpt
new file mode 100644
index 0000000000..4c8cd45dc9
--- /dev/null
+++ b/ext/exif/tests/bug76423.phpt
@@ -0,0 +1,19 @@
+--TEST--
+Bug #76423 (Int Overflow lead to Heap OverFlow in exif_thumbnail_extract of exif.c)
+--SKIPIF--
+<?php
+if (!extension_loaded('exif')) die('skip exif extension not available');
+?>
+--FILE--
+<?php
+exif_read_data(__DIR__ . '/bug76423.jpg', 0, true, true);
+?>
+===DONE===
+--EXPECTF--
+
+Warning: exif_read_data(%s.jpg): Thumbnail goes IFD boundary or end of file reached in %s on line %d
+
+Warning: exif_read_data(%s.jpg): File structure corrupted in %s on line %d
+
+Warning: exif_read_data(%s.jpg): Invalid JPEG file in %s on line %d
+===DONE===
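Review bot: The test pins the three warnings but never captures what `exif_read_data()` returns, so a regression that still emits the warnings yet hands back a partially populated array would pass unnoticed; the `--FILE--` section could be `var_dump(exif_read_data(__DIR__ . '/bug76423.jpg', 0, true, true));` with the matching value (presumably `bool(false)`, which this hunk does not show, so confirm against the current output) added to `--EXPECTF--` before the final `===DONE===`. Since the underlying defect is a heap overflow, the phpt on its own only demonstrates that the boundary warning fires; it proves the memory-safety fix only when the suite is run under ASan or valgrind, which is worth noting in the test's `--TEST--` description or a comment.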