authorPierre Joye <pajoye@php.net>2011-02-14 09:08:44 +0000
committerPierre Joye <pajoye@php.net>2011-02-14 09:08:44 +0000
commit0f842f667aef662dfa6cc487b18d1dd92b8fdedb (patch)
tree80e980636873fa48a2f972e0c0c7fda34739e8e6 /ext/exif
parentac057c610cbdce68ed3de5d7e4dfd5907dcb6f49 (diff)
downloadphp-git-0f842f667aef662dfa6cc487b18d1dd92b8fdedb.tar.gz
- fix bug #54002, exif_read_data crashes on crafted tags
Diffstat (limited to 'ext/exif')
-rw-r--r--ext/exif/exif.c17
-rw-r--r--ext/exif/tests/bug54002.phpt20
-rw-r--r--ext/exif/tests/bug54002_1.jpegbin0 -> 87599 bytes
-rw-r--r--ext/exif/tests/bug54002_2.jpegbin0 -> 87599 bytes
4 files changed, 35 insertions, 2 deletions
diff --git a/ext/exif/exif.c b/ext/exif/exif.c
index d5f051d423..289dd2f1d7 100644
--- a/ext/exif/exif.c
+++ b/ext/exif/exif.c
@@ -40,6 +40,10 @@
#include "php.h"
#include "ext/standard/file.h"
+#ifdef PHP_WIN32
+include "win32/php_stdint.h"
+#endif
+
#if HAVE_EXIF
/* When EXIF_DEBUG is defined the module generates a lot of debug messages
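Review bot: The added line `include "win32/php_stdint.h"` has no leading `#`, so as shown it is not a preprocessor directive and a build with PHP_WIN32 defined would fail to compile. It should read `#include "win32/php_stdint.h"`. The later hunks use `int64_t` on all platforms, so non-Windows builds presumably get that type through `php.h`; that is not visible here and is worth confirming.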
@@ -2821,6 +2825,7 @@ static int exif_process_IFD_TAG(image_info_type *ImageInfo, char *dir_entry, cha
int tag, format, components;
char *value_ptr, tagname[64], cbuf[32], *outside=NULL;
size_t byte_count, offset_val, fpos, fgot;
+ int64_t byte_count_signed;
xp_field_type *tmp_xp;
#ifdef EXIF_DEBUG
char *dump_data;
@@ -2845,13 +2850,20 @@ static int exif_process_IFD_TAG(image_info_type *ImageInfo, char *dir_entry, cha
/*return TRUE;*/
}
- byte_count = components * php_tiff_bytes_per_format[format];
+ if (components < 0) {
+ exif_error_docref("exif_read_data#error_ifd" EXIFERR_CC, ImageInfo, E_WARNING, "Process tag(x%04X=%s): Illegal byte_count(%ld)", tag, exif_get_tagname(tag, tagname, -12, tag_table TSRMLS_CC), byte_count);
+ return FALSE;
+ }
+
+ byte_count_signed = (int64_t)components * php_tiff_bytes_per_format[format];
- if ((ssize_t)byte_count < 0) {
+ if (byte_count_signed < 0 || (byte_count_signed > 2147483648)) {
exif_error_docref("exif_read_data#error_ifd" EXIFERR_CC, ImageInfo, E_WARNING, "Process tag(x%04X=%s): Illegal byte_count(%ld)", tag, exif_get_tagname(tag, tagname, -12, tag_table TSRMLS_CC), byte_count);
return FALSE;
}
+ byte_count = (size_t)byte_count_signed;
+
if (byte_count > 4) {
offset_val = php_ifd_get32u(dir_entry+8, ImageInfo->motorola_intel);
/* If its bigger than 4 bytes, the dir entry contains an offset. */
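Review bot: Both warning calls in this hunk pass `byte_count` to `%ld` before it has been assigned; the only assignment is the later `byte_count = (size_t)byte_count_signed;`. The logged number is therefore an uninitialized read, and `%ld` does not match a `size_t` argument either. In the `components < 0` branch print the rejected field itself, e.g. `"Process tag(x%04X=%s): Illegal components(%d)"` with `components`. In the second branch pass the computed value, e.g. `(long)byte_count_signed`, or a 64-bit format if the project has one. The bound `byte_count_signed > 2147483648` still admits 2^31 itself; if the intent is "fits in a signed 32-bit length", use `> 2147483647`. The body of exif_process_IFD_TAG starts and continues outside this hunk, so the later `offset_val + byte_count` comparisons could not be checked here.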
@@ -2916,6 +2928,7 @@ static int exif_process_IFD_TAG(image_info_type *ImageInfo, char *dir_entry, cha
efree(dump_data);
}
#endif
+
if (section_index==SECTION_THUMBNAIL) {
if (!ImageInfo->Thumbnail.data) {
switch(tag) {
diff --git a/ext/exif/tests/bug54002.phpt b/ext/exif/tests/bug54002.phpt
new file mode 100644
index 0000000000..58701bbe09
--- /dev/null
+++ b/ext/exif/tests/bug54002.phpt
@@ -0,0 +1,20 @@
+--TEST--
+Bug #54002 (crash on crafted tag)
+--INI--
+memory_limit=-1
+--SKIPIF--
+<?php if (!extension_loaded('exif')) print 'skip exif extension not available';?>
+--FILE--
+<?php
+exif_read_data(__DIR__ . '/bug54002_1.jpeg');
+exif_read_data(__DIR__ . '/bug54002_2.jpeg');
+
+?>
+--EXPECTF--
+Warning: exif_read_data(bug54002_1.jpeg): Process tag(x0205=UndefinedTa): Illegal byte_count(8) in %sbug54002.php on line %d
+
+Warning: exif_read_data(bug54002_1.jpeg): Process tag(xA000=FlashPixVer): Illegal pointer offset(%s) in %sbug54002.php on line %d
+
+Warning: exif_read_data(bug54002_2.jpeg): Process tag(x0205=UndefinedTa): Illegal byte_count(8) in %sbug54002.php on line %d
+
+Warning: exif_read_data(bug54002_2.jpeg): Process tag(xA000=FlashPixVer): Illegal pointer offset(%s) in %sbug54002.php on line %d
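Review bot: The two x0205 expectations pin `Illegal byte_count(8)`, but in the exif.c change of this commit that warning prints `byte_count` before it is assigned. The `8` is therefore likely an artifact of the build rather than a property of the crafted file. Until the message prints the computed value, match it loosely with `Illegal byte_count(%i)` so the test does not fail on other platforms or compilers. The `--INI--` setting `memory_limit=-1` also means a regression would attempt the oversized allocation for real rather than stopping at the limit; a short comment in the test saying why it is needed would help.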
diff --git a/ext/exif/tests/bug54002_1.jpeg b/ext/exif/tests/bug54002_1.jpeg
new file mode 100644
index 0000000000..a622d6d213
--- /dev/null
+++ b/ext/exif/tests/bug54002_1.jpeg
Binary files differ
diff --git a/ext/exif/tests/bug54002_2.jpeg b/ext/exif/tests/bug54002_2.jpeg
new file mode 100644
index 0000000000..a622d6d213
--- /dev/null
+++ b/ext/exif/tests/bug54002_2.jpeg
Binary files differ