| author | Stanislav Malyshev <stas@php.net> | 2016-04-26 23:48:41 -0700 |
|---|---|---|
| committer | Stanislav Malyshev <stas@php.net> | 2016-04-26 23:48:41 -0700 |
| commit | e315a162da99f59e82a5272714a6f3d4d724b037 (patch) | |
| tree | 7c2e9af8912bc69dd95100f25138bc190090ed7b /ext/exif/exif.c | |
| parent | 9f389cccfd5b0e0b8407d6d12a1c6b5acd3c4206 (diff) | |
| parent | 61c7a06e7c19d9b408db1129efa0959a0acbf0b1 (diff) | |
| download | php-git-e315a162da99f59e82a5272714a6f3d4d724b037.tar.gz | |
Merge branch 'PHP-5.5' into PHP-5.6
* PHP-5.5:
Fix memory leak
Fix bug #72099: xml_parse_into_struct segmentation fault
5.5.36 now
Fix bug #72094 - Out of bounds heap read access in exif header processing
Fix bug #72093: bcpowmod accepts negative scale and corrupts _one_ definition
Fix bug #72061 - Out-of-bounds reads in zif_grapheme_stripos with negative offset
Fix for bug #71912 (libgd: signedness vulnerability)
Typo in NEWS
Conflicts:
configure.in
main/php_version.h
Diffstat (limited to 'ext/exif/exif.c')
| -rw-r--r-- | ext/exif/exif.c | 17 |
1 files changed, 15 insertions, 2 deletions
diff --git a/ext/exif/exif.c b/ext/exif/exif.c
index f94e075e5a..db007ca2e6 100644
--- a/ext/exif/exif.c
+++ b/ext/exif/exif.c
@@ -2955,7 +2955,7 @@ static int exif_process_IFD_TAG(image_info_type *ImageInfo, char *dir_entry, cha
 /* When there are any characters after the first NUL */
 ImageInfo->CopyrightPhotographer = estrdup(value_ptr);
 ImageInfo->CopyrightEditor = estrndup(value_ptr+length+1, byte_count-length-1);
-spprintf(&ImageInfo->Copyright, 0, "%s, %s", value_ptr, value_ptr+length+1);
+spprintf(&ImageInfo->Copyright, 0, "%s, %s", ImageInfo->CopyrightPhotographer, ImageInfo->CopyrightEditor);
 /* format = TAG_FMT_UNDEFINED; this musn't be ASCII */
 /* but we are not supposed to change this */
 /* keep in mind that image_info does not store editor value */
@@ -3124,6 +3124,11 @@ static int exif_process_IFD_in_JPEG(image_info_type *ImageInfo, char *dir_start,
 
 ImageInfo->sections_found |= FOUND_IFD0;
 
+if ((dir_start + 2) >= (offset_base+IFDlength)) {
+exif_error_docref("exif_read_data#error_ifd" EXIFERR_CC, ImageInfo, E_WARNING, "Illegal IFD size");
+return FALSE;
+}
+
 NumDirEntries = php_ifd_get16u(dir_start, ImageInfo->motorola_intel);
 
 if ((dir_start+2+NumDirEntries*12) > (offset_base+IFDlength)) {
@@ -3147,6 +3152,10 @@ static int exif_process_IFD_in_JPEG(image_info_type *ImageInfo, char *dir_start,
 * Hack to make it process IDF1 I hope
 * There are 2 IDFs, the second one holds the keys (0x0201 and 0x0202) to the thumbnail
 */
+if ((dir_start+2+12*de + 4) >= (offset_base+IFDlength)) {
+exif_error_docref("exif_read_data#error_ifd" EXIFERR_CC, ImageInfo, E_WARNING, "Illegal IFD size");
+return FALSE;
+}
 NextDirOffset = php_ifd_get32u(dir_start+2+12*de, ImageInfo->motorola_intel);
 if (NextDirOffset) {
 /* the next line seems false but here IFDlength means length of all IFDs */
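Review bot: The new spprintf call is only as safe as the `estrndup` length `byte_count-length-1` on the line above it, and the check that `length < byte_count` (so that the subtraction cannot wrap and `value_ptr+length+1` stays inside the tag value) is not part of this hunk; exif_process_IFD_TAG starts and ends outside it. The comment above the block only says "When there are any characters after the first NUL", so I would state the precondition where the two copies are formed, e.g. `/* precondition: length < byte_count (checked above); the editor part may not be NUL-terminated, so only the bounded copy may be passed to %s */`. That records why the formatted string now has to be built from the copies rather than from the raw `value_ptr` offsets, which is otherwise invisible to the next maintainer.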
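Review bot: The new guard `(dir_start + 2) >= (offset_base+IFDlength)` rejects the case where the two-byte entry count ends exactly at the end of the IFD, while the existing check just below accepts `dir_start+2+NumDirEntries*12 == offset_base+IFDlength`; the same `>=` form is used for the four-byte NextDirOffset read in the next hunk. This is conservative, so nothing unsafe is accepted, but the two adjacent checks now disagree on the boundary and an IFD that fits exactly is reported as "Illegal IFD size". If the intent is "the read must fit", `if ((dir_start + 2) > (offset_base+IFDlength)) {` matches the existing check; if the stricter form is deliberate it deserves a one-line comment. Both checks are also formed in pointer space, so if dir_start can arrive from a caller-supplied offset that already lies past the buffer, `dir_start + 2` is undefined before the comparison happens and computing the bound on offsets (`(size_t)(dir_start - offset_base)` against IFDlength) would be safer — I cannot tell from the hunk what the caller guarantees. exif_process_IFD_in_JPEG begins and ends outside this hunk.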
@@ -3196,9 +3205,13 @@ static void exif_process_TIFF_in_JPEG(image_info_type *ImageInfo, char *CharBuf,
 }
 
 /* Check the next two values for correctness. */
+if (length < 8) {
+exif_error_docref(NULL EXIFERR_CC, ImageInfo, E_WARNING, "Invalid TIFF start (1)");
+return;
+}
 exif_value_2a = php_ifd_get16u(CharBuf+2, ImageInfo->motorola_intel);
 offset_of_ifd = php_ifd_get32u(CharBuf+4, ImageInfo->motorola_intel);
-if ( exif_value_2a != 0x2a || offset_of_ifd < 0x08) {
+if (exif_value_2a != 0x2a || offset_of_ifd < 0x08) {
 exif_error_docref(NULL EXIFERR_CC, ImageInfo, E_WARNING, "Invalid TIFF start (1)");
 return;
 }
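Review bot: The new `length < 8` check and the marker/offset check that follows it both report "Invalid TIFF start (1)", so a truncated header and a wrong 0x2a marker or IFD offset cannot be told apart in the warning a caller sees or logs; a distinct text such as `"Invalid TIFF start: header shorter than 8 bytes"` (constructed example) keeps the failure cause visible for triage. The check also sits after the alignment-marker comparison whose closing brace opens the hunk; if that comparison reads the first two bytes of CharBuf without an earlier minimum-length test — I cannot see one in this hunk — the guard arrives two bytes too late and belongs at the top of the function. exif_process_TIFF_in_JPEG starts and ends outside the hunk.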
