diff options
| author | Stefan Esser <sesser@php.net> | 2005-03-02 18:21:45 +0000 |
|---|---|---|
| committer | Stefan Esser <sesser@php.net> | 2005-03-02 18:21:45 +0000 |
| commit | 4d5599f6e011aa8a3841bbbcfbd947368d1172c6 (patch) | |
| tree | 4909d177b37c370fc5a6b875938666cd909d11ab | |
| parent | bd5e6e6232daf9b1daa0b7d2807c39d6f27f1e75 (diff) | |
| download | php-git-4d5599f6e011aa8a3841bbbcfbd947368d1172c6.tar.gz | |
Fixed possible bufferoverflow
| -rw-r--r-- | ext/exif/exif.c | 5 |
1 files changed, 5 insertions, 0 deletions
diff --git a/ext/exif/exif.c b/ext/exif/exif.c index 9d4bc0760b..724689d3f2 100644 --- a/ext/exif/exif.c +++ b/ext/exif/exif.c @@ -2733,6 +2733,11 @@ static int exif_process_IFD_TAG(image_info_type *ImageInfo, char *dir_entry, cha byte_count = components * php_tiff_bytes_per_format[format]; + if ((ssize_t)byte_count < 0) { + exif_error_docref("exif_read_data#error_ifd" EXIFERR_CC, ImageInfo, E_WARNING, "Process tag(x%04X=%s): Illegal byte_count(%ld)", tag, exif_get_tagname(tag, tagname, -12, tag_table TSRMLS_CC), byte_count); + return FALSE; + } + if (byte_count > 4) { offset_val = php_ifd_get32u(dir_entry+8, ImageInfo->motorola_intel); /* If its bigger than 4 bytes, the dir entry contains an offset. */ |