Fix bug #67250 (iptcparse out-of-bounds read)

author: Stanislav Malyshev <stas@php.net> 2014-05-11 19:09:19 -0700
committer: Stanislav Malyshev <stas@php.net> 2014-05-11 19:09:19 -0700
commit: 3e9cb6a4a5504c888f185a5ab7d1cc02cc359cbe (patch)
tree: 65137cb2b03c450263f6886d975c53b09f16446d /ext/standard/iptc.c
parent: 2b475eebbea85779989e98e87753d6b023a1d131 (diff)
download: php-git-3e9cb6a4a5504c888f185a5ab7d1cc02cc359cbe.tar.gz
1 files changed, 3 insertions, 0 deletions
diff --git a/ext/standard/iptc.c b/ext/standard/iptc.c
index 3257339106..d2c14c98c7 100644
--- a/ext/standard/iptc.c
+++ b/ext/standard/iptc.c
@@ -329,6 +329,9 @@ PHP_FUNCTION(iptcparse)
 		recnum = buffer[ inx++ ];
 
 		if (buffer[ inx ] & (unsigned char) 0x80) { /* long tag */
+            if((inx+6) >= str_len) {
+                break;
+            }
 			len = (((long) buffer[ inx + 2 ]) << 24) + (((long) buffer[ inx + 3 ]) << 16) + 
 				  (((long) buffer[ inx + 4 ]) <<  8) + (((long) buffer[ inx + 5 ]));
 			inx += 6;
author	Stanislav Malyshev <stas@php.net>	2014-05-11 19:09:19 -0700
committer	Stanislav Malyshev <stas@php.net>	2014-05-11 19:09:19 -0700
commit	3e9cb6a4a5504c888f185a5ab7d1cc02cc359cbe (patch)
tree	65137cb2b03c450263f6886d975c53b09f16446d /ext/standard/iptc.c
parent	2b475eebbea85779989e98e87753d6b023a1d131 (diff)
download	php-git-3e9cb6a4a5504c888f185a5ab7d1cc02cc359cbe.tar.gz