author | Stanislav Malyshev <stas@php.net> | 2018-07-16 16:52:36 -0700 |
---|---|---|
committer | Stanislav Malyshev <stas@php.net> | 2018-07-16 16:52:36 -0700 |
commit | 4e92cd172a0f4aebd80b5b6279f2564a179d3913 (patch) | |
tree | c71268793f3df5fa86392a48748a3b7dfedec57a /ext/exif | |
parent | 0f8c1ee76d5d2aa90bf667215e41eed60ca6cbcd (diff) | |
parent | bddf8140e4ad9ae7e1ee9b03e2c4998da205af82 (diff) | |
download | php-git-4e92cd172a0f4aebd80b5b6279f2564a179d3913.tar.gz |
Merge branch 'PHP-7.0' into PHP-7.1
* PHP-7.0:
Fixed bug #76459 windows linkinfo lacks openbasedir check
Add NEWS
Fixed bug #76459 windows linkinfo lacks openbasedir check
Fix bug #76557: heap-buffer-overflow (READ of size 48) while reading exif data
Fix bug #76423 - Int Overflow lead to Heap OverFlow in exif_thumbnail_extract of exif.c
Diffstat (limited to 'ext/exif')
-rw-r--r-- | ext/exif/exif.c | 10 | ||||
-rw-r--r-- | ext/exif/tests/bug76423.jpg | bin | 0 -> 1537 bytes | |||
-rw-r--r-- | ext/exif/tests/bug76423.phpt | 19 | ||||
-rw-r--r-- | ext/exif/tests/bug76557.jpg | bin | 0 -> 2372 bytes | |||
-rw-r--r-- | ext/exif/tests/bug76557.phpt | 79 |
5 files changed, 106 insertions, 2 deletions
diff --git a/ext/exif/exif.c b/ext/exif/exif.c
index b30bcb468f..cbde3effed 100644
--- a/ext/exif/exif.c
+++ b/ext/exif/exif.c
@@ -2536,7 +2536,10 @@ static void exif_thumbnail_extract(image_info_type *ImageInfo, char *offset, siz
 return;
 }
 /* Check to make sure we are not going to go past the ExifLength */
- if ((ImageInfo->Thumbnail.offset + ImageInfo->Thumbnail.size) > length) {
+ if (ImageInfo->Thumbnail.size > length
+ || (ImageInfo->Thumbnail.offset + ImageInfo->Thumbnail.size) > length
+ || ImageInfo->Thumbnail.offset > length - ImageInfo->Thumbnail.size
+ ) {
 EXIF_ERRLOG_THUMBEOF(ImageInfo)
 return;
 }
@@ -2715,6 +2718,7 @@ static int exif_process_IFD_in_MAKERNOTE(image_info_type *ImageInfo, char * valu
 int NumDirEntries, old_motorola_intel, offset_diff;
 const maker_note_type *maker_note;
 char *dir_start;
+ int data_len;
 for (i=0; i<=sizeof(maker_note_array)/sizeof(maker_note_type); i++) {
 if (i==sizeof(maker_note_array)/sizeof(maker_note_type)) {
@@ -2769,6 +2773,7 @@ static int exif_process_IFD_in_MAKERNOTE(image_info_type *ImageInfo, char * valu
 switch (maker_note->offset_mode) {
 case MN_OFFSET_MAKER:
 offset_base = value_ptr;
+ data_len = value_len;
 break;
 case MN_OFFSET_GUESS:
 if (maker_note->offset + 10 + 4 >= value_len) {
@@ -2785,6 +2790,7 @@ static int exif_process_IFD_in_MAKERNOTE(image_info_type *ImageInfo, char * valu
 return FALSE;
 }
 offset_base = value_ptr + offset_diff;
+ data_len = value_len - offset_diff;
 break;
 default:
 case MN_OFFSET_NORMAL:
@@ -2798,7 +2804,7 @@ static int exif_process_IFD_in_MAKERNOTE(image_info_type *ImageInfo, char * valu
 for (de=0;de<NumDirEntries;de++) {
 if (!exif_process_IFD_TAG(ImageInfo, dir_start + 2 + 12 * de,
- offset_base, IFDlength, displacement, section_index, 0, maker_note->tag_table)) {
+ offset_base, data_len, displacement, section_index, 0, maker_note->tag_table)) {
 return FALSE;
 }
 }
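Review bot: The middle clause of the new bounds check in exif_thumbnail_extract, `(ImageInfo->Thumbnail.offset + ImageInfo->Thumbnail.size) > length`, is still the sum that can overflow, and the clauses around it make it redundant: once `size <= length` holds, `offset > length - size` rejects every out-of-range pair without forming the sum. The field types are declared outside the hunk; if they are unsigned the sum only wraps, if signed it is undefined behaviour, so I would drop the clause and keep `if (ImageInfo->Thumbnail.size > length || ImageInfo->Thumbnail.offset > length - ImageInfo->Thumbnail.size) {`. A one-line comment such as `/* subtract rather than add: offset + size can overflow on crafted input */` would stop a later cleanup from folding the test back into the old form. The function starts and ends outside the hunk.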
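Review bot: `data_len` is declared without an initializer (`int data_len;`) and the added assignments cover only `MN_OFFSET_MAKER` and `MN_OFFSET_GUESS`; nothing is added under `default:` / `case MN_OFFSET_NORMAL:`, yet the loop at the end now passes `data_len` to exif_process_IFD_TAG in place of `IFDlength`. Unless the unchanged lines between the hunks return early, that path hands an indeterminate length to the tag parser while it processes untrusted MakerNote data, which defeats the bound this change introduces. Assign it in the fall-through case as well, for example `data_len = IFDlength;` (the value the call used before, which matches the unchanged `offset_base`), or give it a defined value at the declaration. The same variable is involved in the hunks at -2769, -2785 and -2798, and the function body extends outside all of them.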
diff --git a/ext/exif/tests/bug76423.jpg b/ext/exif/tests/bug76423.jpg
Binary files differ
new file mode 100644
index 0000000000..08fe2bbc57
--- /dev/null
+++ b/ext/exif/tests/bug76423.jpg
diff --git a/ext/exif/tests/bug76423.phpt b/ext/exif/tests/bug76423.phpt
new file mode 100644
index 0000000000..4c8cd45dc9
--- /dev/null
+++ b/ext/exif/tests/bug76423.phpt
@@ -0,0 +1,19 @@
+--TEST--
+Bug #76423 (Int Overflow lead to Heap OverFlow in exif_thumbnail_extract of exif.c)
+--SKIPIF--
+<?php
+if (!extension_loaded('exif')) die('skip exif extension not available');
+?>
+--FILE--
+<?php
+exif_read_data(__DIR__ . '/bug76423.jpg', 0, true, true);
+?>
+===DONE===
+--EXPECTF--
+
+Warning: exif_read_data(%s.jpg): Thumbnail goes IFD boundary or end of file reached in %s on line %d
+
+Warning: exif_read_data(%s.jpg): File structure corrupted in %s on line %d
+
+Warning: exif_read_data(%s.jpg): Invalid JPEG file in %s on line %d
+===DONE===
diff --git a/ext/exif/tests/bug76557.jpg b/ext/exif/tests/bug76557.jpg
Binary files differ
new file mode 100644
index 0000000000..d678f07c0f
--- /dev/null
+++ b/ext/exif/tests/bug76557.jpg
diff --git a/ext/exif/tests/bug76557.phpt b/ext/exif/tests/bug76557.phpt
new file mode 100644
index 0000000000..4553b62772
--- /dev/null
+++ b/ext/exif/tests/bug76557.phpt
@@ -0,0 +1,79 @@ +--TEST-- +Bug 76557 (heap-buffer-overflow (READ of size 48) while reading exif data) +--SKIPIF-- +<?php if (!extension_loaded('exif')) print 'skip exif extension not available';?> +--FILE-- +<?php +var_dump(count(exif_read_data(dirname(__FILE__) . "/bug76557.jpg"))); +?> +DONE +--EXPECTF-- +Warning: exif_read_data(bug76557.jpg): Process tag(x010F=Make ): Illegal format code 0x3030, suppose BYTE in %sbug76557.php on line %d + +Warning: exif_read_data(bug76557.jpg): Process tag(x3030=UndefinedTa): Illegal format code 0x3030, suppose BYTE in %sbug76557.php on line %d + +Warning: exif_read_data(bug76557.jpg): Process tag(x3030=UndefinedTa): Illegal format code 0x3030, suppose BYTE in %sbug76557.php on line %d + +Warning: exif_read_data(bug76557.jpg): Process tag(x3030=UndefinedTa): Illegal format code 0x3030, suppose BYTE in %sbug76557.php on line %d + +Warning: exif_read_data(bug76557.jpg): Process tag(x3030=UndefinedTa): Illegal format code 0x3030, suppose BYTE in %sbug76557.php on line %d + +Warning: exif_read_data(bug76557.jpg): Process tag(x3030=UndefinedTa): Illegal format code 0x3030, suppose BYTE in %sbug76557.php on line %d + +Warning: exif_read_data(bug76557.jpg): Process tag(x3030=UndefinedTa): Illegal format code 0x3030, suppose BYTE in %sbug76557.php on line %d + +Warning: exif_read_data(bug76557.jpg): Process tag(x3030=UndefinedTa): Illegal format code 0x3030, suppose BYTE in %sbug76557.php on line %d + +Warning: exif_read_data(bug76557.jpg): Process tag(x3030=UndefinedTa): Illegal format code 0x3030, suppose BYTE in %sbug76557.php on line %d + +Warning: exif_read_data(bug76557.jpg): Process tag(x3030=UndefinedTa): Illegal format code 0x3030, suppose BYTE in %sbug76557.php on line %d + +Warning: exif_read_data(bug76557.jpg): Process tag(x8769=Exif_IFD_Po): Illegal format code 0x3030, suppose BYTE in %sbug76557.php on line %d + +Warning: exif_read_data(bug76557.jpg): Process tag(x3030=UndefinedTa): Illegal format code 0x3030, suppose BYTE 
in %sbug76557.php on line %d + +Warning: exif_read_data(bug76557.jpg): Process tag(x3030=UndefinedTa): Illegal format code 0x3030, suppose BYTE in %sbug76557.php on line %d + +Warning: exif_read_data(bug76557.jpg): Process tag(x3030=UndefinedTa): Illegal format code 0x3030, suppose BYTE in %sbug76557.php on line %d + +Warning: exif_read_data(bug76557.jpg): Process tag(x3030=UndefinedTa): Illegal format code 0x3030, suppose BYTE in %sbug76557.php on line %d + +Warning: exif_read_data(bug76557.jpg): Process tag(x3030=UndefinedTa): Illegal format code 0x3030, suppose BYTE in %sbug76557.php on line %d + +Warning: exif_read_data(bug76557.jpg): Process tag(x3030=UndefinedTa): Illegal format code 0x3030, suppose BYTE in %sbug76557.php on line %d + +Warning: exif_read_data(bug76557.jpg): Process tag(x3030=UndefinedTa): Illegal format code 0x3030, suppose BYTE in %sbug76557.php on line %d + +Warning: exif_read_data(bug76557.jpg): Process tag(x3030=UndefinedTa): Illegal format code 0x3030, suppose BYTE in %sbug76557.php on line %d + +Warning: exif_read_data(bug76557.jpg): Process tag(x3030=UndefinedTa): Illegal format code 0x3030, suppose BYTE in %sbug76557.php on line %d + +Warning: exif_read_data(bug76557.jpg): Process tag(x3030=UndefinedTa): Illegal format code 0x3030, suppose BYTE in %sbug76557.php on line %d + +Warning: exif_read_data(bug76557.jpg): Process tag(x3030=UndefinedTa): Illegal format code 0x3030, suppose BYTE in %sbug76557.php on line %d + +Warning: exif_read_data(bug76557.jpg): Process tag(x3030=UndefinedTa): Illegal format code 0x3030, suppose BYTE in %sbug76557.php on line %d + +Warning: exif_read_data(bug76557.jpg): Process tag(x3030=UndefinedTa): Illegal format code 0x3030, suppose BYTE in %sbug76557.php on line %d + +Warning: exif_read_data(bug76557.jpg): Process tag(x3030=UndefinedTa): Illegal format code 0x3030, suppose BYTE in %sbug76557.php on line %d + +Warning: exif_read_data(bug76557.jpg): Process tag(x3030=UndefinedTa): Illegal format code 
0x3030, suppose BYTE in %sbug76557.php on line %d + +Warning: exif_read_data(bug76557.jpg): Process tag(x3030=UndefinedTa): Illegal format code 0x3030, suppose BYTE in %sbug76557.php on line %d + +Warning: exif_read_data(bug76557.jpg): Process tag(x927C=MakerNote ): Illegal format code 0x3030, suppose BYTE in %sbug76557.php on line %d + +Warning: exif_read_data(bug76557.jpg): Process tag(x3030=UndefinedTa): Illegal format code 0x3030, suppose BYTE in %sbug76557.php on line %d + +Warning: exif_read_data(bug76557.jpg): Process tag(x3030=UndefinedTa): Illegal format code 0x3030, suppose BYTE in %sbug76557.php on line %d + +Warning: exif_read_data(bug76557.jpg): Process tag(x3030=UndefinedTa): Illegal format code 0x3030, suppose BYTE in %sbug76557.php on line %d + +Warning: exif_read_data(bug76557.jpg): Process tag(x3030=UndefinedTa): Illegal pointer offset(x30303030 + x30303030 = x60606060 > x00EE) in %sbug76557.php on line %d + +Warning: exif_read_data(bug76557.jpg): File structure corrupted in %sbug76557.php on line %d + +Warning: exif_read_data(bug76557.jpg): Invalid JPEG file in %sbug76557.php on line %d +int(1) +DONE |