diff options
author | Stanislav Malyshev <stas@php.net> | 2019-07-07 17:01:01 -0700 |
---|---|---|
committer | Christoph M. Becker <cmbecker69@gmx.de> | 2019-07-30 09:11:53 +0200 |
commit | f22101c8308669bb63c03a73a2cac2408d844f38 (patch) | |
tree | 918cf86c64a7d57e028846165fcffe787e9c2ffb | |
parent | d561a998c9313749ad2b488685e5c2bec661bc69 (diff) | |
download | php-git-f22101c8308669bb63c03a73a2cac2408d844f38.tar.gz |
Fix bug #78222 (heap-buffer-overflow on exif_scan_thumbnail)
(cherry picked from commit dea2989ab8ba87a6180af497b2efaf0527e985c5)
-rw-r--r-- | NEWS | 4 | ||||
-rw-r--r-- | ext/exif/exif.c | 2 | ||||
-rw-r--r-- | ext/exif/tests/bug78222.jpg | bin | 0 -> 91 bytes | |||
-rw-r--r-- | ext/exif/tests/bug78222.phpt | 11 |
4 files changed, 16 insertions, 1 deletions
@@ -2,6 +2,10 @@ PHP NEWS ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||| ?? ??? ????, PHP 7.3.8 +- EXIF: + . Fixed bug #78222 (heap-buffer-overflow on exif_scan_thumbnail). + (CVE-2019-11041) (Stas) + - OPcache: . Fixed bug #78341 (Failure to detect smart branch in DFA pass). (Nikita) diff --git a/ext/exif/exif.c b/ext/exif/exif.c index e04290376c..aa272c1d2b 100644 --- a/ext/exif/exif.c +++ b/ext/exif/exif.c @@ -3892,7 +3892,7 @@ static int exif_scan_thumbnail(image_info_type *ImageInfo) size_t length=2, pos=0; jpeg_sof_info sof_info; - if (!data) { + if (!data || ImageInfo->Thumbnail.size < 4) { return FALSE; /* nothing to do here */ } if (memcmp(data, "\xFF\xD8\xFF", 3)) { diff --git a/ext/exif/tests/bug78222.jpg b/ext/exif/tests/bug78222.jpg Binary files differnew file mode 100644 index 0000000000..a96e16be51 --- /dev/null +++ b/ext/exif/tests/bug78222.jpg diff --git a/ext/exif/tests/bug78222.phpt b/ext/exif/tests/bug78222.phpt new file mode 100644 index 0000000000..0e4ead33e4 --- /dev/null +++ b/ext/exif/tests/bug78222.phpt @@ -0,0 +1,11 @@ +--TEST-- +Bug #78222 (heap-buffer-overflow on exif_scan_thumbnail) +--SKIPIF-- +<?php if (!extension_loaded('exif')) print 'skip exif extension not available';?> +--FILE-- +<?php +exif_read_data(__DIR__."/bug78222.jpg", 'THUMBNAIL', FALSE, TRUE); +?> +DONE +--EXPECTF-- +DONE
\ No newline at end of file |