diff options
author | Stanislav Malyshev <stas@php.net> | 2020-03-15 17:26:00 -0700 |
---|---|---|
committer | Christoph M. Becker <cmbecker69@gmx.de> | 2020-03-17 09:25:22 +0100 |
commit | c099c71ea5c25cf6b435cbf288e35403c49c17a6 (patch) | |
tree | 938877f8e2d8b3289378ec18c27d29970671d13d | |
parent | f930ff52f45620eec2b2960f9e0a96d258ca1891 (diff) | |
download | php-git-c099c71ea5c25cf6b435cbf288e35403c49c17a6.tar.gz |
Fixed bug #79282
(cherry picked from commit 25238bdf6005b85ab844aa2b743b589dfce9f0d2)
-rw-r--r-- | NEWS | 4 | ||||
-rw-r--r-- | ext/exif/exif.c | 7 | ||||
-rw-r--r-- | ext/exif/tests/bug79282.phpt | 15 |
3 files changed, 25 insertions, 1 deletions
@@ -26,6 +26,10 @@ PHP NEWS . Fixed bug #79311 (enchant_dict_suggest() fails on big endian architecture). (cmb) +- EXIF: + . Fixed bug #79282 (Use-of-uninitialized-value in exif). (CVE-2020-7064) + (Nikita) + - MySQLi: . Fixed bug #64032 (mysqli reports different client_version). (cmb) diff --git a/ext/exif/exif.c b/ext/exif/exif.c index f6dd08e881..95d8fc9e45 100644 --- a/ext/exif/exif.c +++ b/ext/exif/exif.c @@ -3665,6 +3665,11 @@ static void exif_process_TIFF_in_JPEG(image_info_type *ImageInfo, char *CharBuf, { unsigned exif_value_2a, offset_of_ifd; + if (length < 2) { + exif_error_docref(NULL EXIFERR_CC, ImageInfo, E_WARNING, "Missing TIFF alignment marker"); + return; + } + /* set the thumbnail stuff to nothing so we can test to see if they get set up */ if (memcmp(CharBuf, "II", 2) == 0) { ImageInfo->motorola_intel = 0; @@ -3817,7 +3822,7 @@ static int exif_scan_JPEG_header(image_info_type *ImageInfo) return FALSE; } - sn = exif_file_sections_add(ImageInfo, marker, itemlen+1, NULL); + sn = exif_file_sections_add(ImageInfo, marker, itemlen, NULL); Data = ImageInfo->file.list[sn].data; /* Store first two pre-read bytes. */ diff --git a/ext/exif/tests/bug79282.phpt b/ext/exif/tests/bug79282.phpt new file mode 100644 index 0000000000..7b7e365657 --- /dev/null +++ b/ext/exif/tests/bug79282.phpt @@ -0,0 +1,15 @@ +--TEST-- +Bug #79282: Use-of-uninitialized-value in exif +--FILE-- +<?php + +var_dump(exif_read_data('data://image/jpeg;base64,/9jhAAlFeGlmAAAg')); + +?> +--EXPECTF-- +Warning: exif_read_data(): Invalid TIFF alignment marker in %s on line %d + +Warning: exif_read_data(): File structure corrupted in %s on line %d + +Warning: exif_read_data(): Invalid JPEG file in %s on line %d +bool(false) |