diff options
| author | Stanislav Malyshev <stas@php.net> | 2019-12-16 10:04:03 -0800 |
|---|---|---|
| committer | Christoph M. Becker <cmbecker69@gmx.de> | 2019-12-17 09:33:21 +0100 |
| commit | 3371c84ff1d945213384881aefd2d195cb34f569 (patch) | |
| tree | c6e015623ff2b3b720e0625b58e84f1d7d672671 | |
| parent | df5ec733ff0daae6894aee85384f55b48461be08 (diff) | |
| download | php-git-3371c84ff1d945213384881aefd2d195cb34f569.tar.gz | |
Merge branch 'PHP-7.2' into PHP-7.3
* PHP-7.2:
Fix test
Fix bug #78793
(cherry picked from commit 5cb4686753a853cb07844feb2b082b409fd7e880)
| -rw-r--r-- | ext/exif/exif.c | 5 | ||||
| -rw-r--r-- | ext/exif/tests/bug76557.phpt | 2 | ||||
| -rw-r--r-- | ext/exif/tests/bug78793.phpt | 12 |
3 files changed, 16 insertions, 3 deletions
diff --git a/ext/exif/exif.c b/ext/exif/exif.c index afc299846e..f6dd08e881 100644 --- a/ext/exif/exif.c +++ b/ext/exif/exif.c @@ -3213,8 +3213,9 @@ static int exif_process_IFD_in_MAKERNOTE(image_info_type *ImageInfo, char * valu } for (de=0;de<NumDirEntries;de++) { - if (!exif_process_IFD_TAG(ImageInfo, dir_start + 2 + 12 * de, - offset_base, data_len, displacement, section_index, 0, maker_note->tag_table)) { + size_t offset = 2 + 12 * de; + if (!exif_process_IFD_TAG(ImageInfo, dir_start + offset, + offset_base, data_len - offset, displacement, section_index, 0, maker_note->tag_table)) { return FALSE; } } diff --git a/ext/exif/tests/bug76557.phpt b/ext/exif/tests/bug76557.phpt index 0b48b792ea..162e8d99a5 100644 --- a/ext/exif/tests/bug76557.phpt +++ b/ext/exif/tests/bug76557.phpt @@ -70,7 +70,7 @@ Warning: exif_read_data(bug76557.jpg): Process tag(x3030=UndefinedTa): Illegal f Warning: exif_read_data(bug76557.jpg): Process tag(x3030=UndefinedTa): Illegal format code 0x3030, suppose BYTE in %sbug76557.php on line %d -Warning: exif_read_data(bug76557.jpg): Process tag(x3030=UndefinedTa): Illegal pointer offset(x30303030 + x30303030 = x60606060 > x00EE) in %sbug76557.php on line %d +Warning: exif_read_data(bug76557.jpg): Process tag(x3030=UndefinedTa): Illegal pointer offset(x30303030 + x30303030 = x60606060 > %s) in %sbug76557.php on line %d Warning: exif_read_data(bug76557.jpg): File structure corrupted in %sbug76557.php on line %d diff --git a/ext/exif/tests/bug78793.phpt b/ext/exif/tests/bug78793.phpt new file mode 100644 index 0000000000..033f255ace --- /dev/null +++ b/ext/exif/tests/bug78793.phpt @@ -0,0 +1,12 @@ +--TEST-- +Bug #78793: Use-after-free in exif parsing under memory sanitizer +--FILE-- +<?php +$f = "ext/exif/tests/bug77950.tiff"; +for ($i = 0; $i < 10; $i++) { + @exif_read_data($f); +} +?> +===DONE=== +--EXPECT-- +===DONE=== |