diff options
author | Stanislav Malyshev <stas@php.net> | 2016-01-26 17:26:52 -0800 |
---|---|---|
committer | Stanislav Malyshev <stas@php.net> | 2016-01-26 17:30:50 -0800 |
commit | f379142d66885cae8b13db884ff76fe398421884 (patch) | |
tree | 13b876dbd14b8a3f985a8353a25731a7073ad1a0 /ext/standard/iptc.c | |
parent | 52e0c4081f8454e9086fc7d1bd1a338ac4e05868 (diff) | |
download | php-git-f379142d66885cae8b13db884ff76fe398421884.tar.gz |
Fix bug #71459 - Integer overflow in iptcembed()
Diffstat (limited to 'ext/standard/iptc.c')
-rw-r--r-- | ext/standard/iptc.c | 7 |
1 files changed, 6 insertions, 1 deletions
diff --git a/ext/standard/iptc.c b/ext/standard/iptc.c index a3547067f6..b10d84415f 100644 --- a/ext/standard/iptc.c +++ b/ext/standard/iptc.c @@ -196,6 +196,11 @@ PHP_FUNCTION(iptcembed) RETURN_FALSE; } + if (iptcdata_len >= SIZE_MAX - sizeof(psheader) - 1025) { + php_error_docref(NULL TSRMLS_CC, E_WARNING, "IPTC data too large"); + RETURN_FALSE; + } + if ((fp = VCWD_FOPEN(jpeg_file, "rb")) == 0) { php_error_docref(NULL, E_WARNING, "Unable to open %s", jpeg_file); RETURN_FALSE; @@ -204,7 +209,7 @@ PHP_FUNCTION(iptcembed) if (spool < 2) { zend_fstat(fileno(fp), &sb); - spoolbuf = zend_string_alloc(iptcdata_len + sizeof(psheader) + sb.st_size + 1024, 0); + spoolbuf = zend_string_safe_alloc(1, iptcdata_len + sizeof(psheader) + 1024 + 1, sb.st_size, 0); poi = (unsigned char*)ZSTR_VAL(spoolbuf); memset(poi, 0, iptcdata_len + sizeof(psheader) + sb.st_size + 1024 + 1); } |