From 0a421c7f5820f11cc37e32edd60eb8f0f92eb754 Mon Sep 17 00:00:00 2001
From: Stanislav Malyshev
Date: Mon, 16 Jul 2018 16:53:57 -0700
Subject: Merge branch 'PHP-7.1' into PHP-7.2
* PHP-7.1:
Fixed bug #76459 windows linkinfo lacks openbasedir check
Add NEWS
Fixed bug #76459 windows linkinfo lacks openbasedir check
Fix bug #76557: heap-buffer-overflow (READ of size 48) while reading exif data
Fix bug #76423 - Int Overflow lead to Heap OverFlow in exif_thumbnail_extract of exif.c
---
 ext/exif/exif.c | 12 +++++--
 ext/exif/tests/bug76423.jpg | Bin 0 -> 1537 bytes
 ext/exif/tests/bug76423.phpt | 19 +++++++++++
 ext/exif/tests/bug76557.jpg | Bin 0 -> 2372 bytes
 ext/exif/tests/bug76557.phpt | 79 +++++++++++++++++++++++++++++++++++++++++++
 ext/standard/link_win32.c | 11 ++++++
 6 files changed, 118 insertions(+), 3 deletions(-)
 create mode 100644 ext/exif/tests/bug76423.jpg
 create mode 100644 ext/exif/tests/bug76423.phpt
 create mode 100644 ext/exif/tests/bug76557.jpg
 create mode 100644 ext/exif/tests/bug76557.phpt
diff --git a/ext/exif/exif.c b/ext/exif/exif.c
index 67e827b441..3a76d8fde8 100644
--- a/ext/exif/exif.c
+++ b/ext/exif/exif.c
@@ -2944,7 +2944,10 @@ static void exif_thumbnail_extract(image_info_type *ImageInfo, char *offset, siz
 return;
 }
 /* Check to make sure we are not going to go past the ExifLength */
- if ((ImageInfo->Thumbnail.offset + ImageInfo->Thumbnail.size) > length) {
+ if (ImageInfo->Thumbnail.size > length
+ || (ImageInfo->Thumbnail.offset + ImageInfo->Thumbnail.size) > length
+ || ImageInfo->Thumbnail.offset > length - ImageInfo->Thumbnail.size
+ ) {
 EXIF_ERRLOG_THUMBEOF(ImageInfo)
 return;
 }
@@ -3126,7 +3129,8 @@ static int exif_process_IFD_in_MAKERNOTE(image_info_type *ImageInfo, char * valu
 #endif
 const maker_note_type *maker_note;
 char *dir_start;
-
+ int data_len;
+
 for (i=0; i<=sizeof(maker_note_array)/sizeof(maker_note_type); i++) {
 if (i==sizeof(maker_note_array)/sizeof(maker_note_type)) {
 #ifdef EXIF_DEBUG
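Review bot: The middle clause of the new condition in exif_thumbnail_extract, `(ImageInfo->Thumbnail.offset + ImageInfo->Thumbnail.size) > length`, is the original overflow-prone sum kept alongside the check that supersedes it; once `Thumbnail.size > length` has been rejected, `length - ImageInfo->Thumbnail.size` cannot wrap, and `offset > length - size` expresses the intended bound without performing the addition. Dropping the middle clause keeps the fix and removes the expression that produced the overflow: `if (ImageInfo->Thumbnail.size > length || ImageInfo->Thumbnail.offset > length - ImageInfo->Thumbnail.size) {`. This relies on the comparisons promoting to the unsigned type of `length`, which the hunk suggests (the truncated signature ends in `siz`) but does not show for the Thumbnail fields; worth confirming against image_info_type. exif_thumbnail_extract starts and ends outside the hunk.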
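Review bot: The `int data_len;` added to exif_process_IFD_in_MAKERNOTE is left uninitialized, and in the two following hunks of this file it is assigned only in the `MN_OFFSET_MAKER` case and in the `MN_OFFSET_GUESS` case, the latter compiled out under `#ifdef KALLE_0`; the `default:` arm is visible only as a label, so if its body does not assign `data_len` or return, the call in the last exif.c hunk passes an indeterminate value to exif_process_IFD_TAG as the buffer length. Initializing at the declaration preserves the pre-patch behaviour for any offset mode that does not narrow the buffer: `int data_len = value_len;`. The type of `value_len` is cut off in the hunk header; if it is unsigned, the conversion into `int` deserves a cast or a matching type so the length cannot go negative. The enclosing function runs past these hunks on both sides.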
@@ -3180,6 +3184,7 @@ static int exif_process_IFD_in_MAKERNOTE(image_info_type *ImageInfo, char * valu
 switch (maker_note->offset_mode) {
 case MN_OFFSET_MAKER:
 offset_base = value_ptr;
+ data_len = value_len;
 break;
 #ifdef KALLE_0
 case MN_OFFSET_GUESS:
@@ -3197,6 +3202,7 @@ static int exif_process_IFD_in_MAKERNOTE(image_info_type *ImageInfo, char * valu
 return FALSE;
 }
 offset_base = value_ptr + offset_diff;
+ data_len = value_len - offset_diff;
 break;
 #endif
 default:
@@ -3211,7 +3217,7 @@ static int exif_process_IFD_in_MAKERNOTE(image_info_type *ImageInfo, char * valu
 for (de=0;detag_table)) {
+ offset_base, data_len, displacement, section_index, 0, maker_note->tag_table)) {
 return FALSE;
 }
 }
diff --git a/ext/exif/tests/bug76423.jpg b/ext/exif/tests/bug76423.jpg
new file mode 100644
index 0000000000..08fe2bbc57
Binary files /dev/null and b/ext/exif/tests/bug76423.jpg differ
diff --git a/ext/exif/tests/bug76423.phpt b/ext/exif/tests/bug76423.phpt
new file mode 100644
index 0000000000..4c8cd45dc9
--- /dev/null
+++ b/ext/exif/tests/bug76423.phpt
@@ -0,0 +1,19 @@
+--TEST--
+Bug #76423 (Int Overflow lead to Heap OverFlow in exif_thumbnail_extract of exif.c)
+--SKIPIF--
+
+--FILE--
+
+===DONE===
+--EXPECTF--
+
+Warning: exif_read_data(%s.jpg): Thumbnail goes IFD boundary or end of file reached in %s on line %d
+
+Warning: exif_read_data(%s.jpg): File structure corrupted in %s on line %d
+
+Warning: exif_read_data(%s.jpg): Invalid JPEG file in %s on line %d
+===DONE===
diff --git a/ext/exif/tests/bug76557.jpg b/ext/exif/tests/bug76557.jpg
new file mode 100644
index 0000000000..d678f07c0f
Binary files /dev/null and b/ext/exif/tests/bug76557.jpg differ
diff --git a/ext/exif/tests/bug76557.phpt b/ext/exif/tests/bug76557.phpt
new file mode 100644
index 0000000000..4553b62772
--- /dev/null
+++ b/ext/exif/tests/bug76557.phpt
@@ -0,0 +1,79 @@ +--TEST-- +Bug 76557 (heap-buffer-overflow (READ of size 48) while reading exif data) +--SKIPIF-- + +--FILE-- + +DONE +--EXPECTF-- +Warning: exif_read_data(bug76557.jpg): Process tag(x010F=Make ): Illegal format code 0x3030, suppose BYTE in %sbug76557.php on line %d + +Warning: exif_read_data(bug76557.jpg): Process tag(x3030=UndefinedTa): Illegal format code 0x3030, suppose BYTE in %sbug76557.php on line %d + +Warning: exif_read_data(bug76557.jpg): Process tag(x3030=UndefinedTa): Illegal format code 0x3030, suppose BYTE in %sbug76557.php on line %d + +Warning: exif_read_data(bug76557.jpg): Process tag(x3030=UndefinedTa): Illegal format code 0x3030, suppose BYTE in %sbug76557.php on line %d + +Warning: exif_read_data(bug76557.jpg): Process tag(x3030=UndefinedTa): Illegal format code 0x3030, suppose BYTE in %sbug76557.php on line %d + +Warning: exif_read_data(bug76557.jpg): Process tag(x3030=UndefinedTa): Illegal format code 0x3030, suppose BYTE in %sbug76557.php on line %d + +Warning: exif_read_data(bug76557.jpg): Process tag(x3030=UndefinedTa): Illegal format code 0x3030, suppose BYTE in %sbug76557.php on line %d + +Warning: exif_read_data(bug76557.jpg): Process tag(x3030=UndefinedTa): Illegal format code 0x3030, suppose BYTE in %sbug76557.php on line %d + +Warning: exif_read_data(bug76557.jpg): Process tag(x3030=UndefinedTa): Illegal format code 0x3030, suppose BYTE in %sbug76557.php on line %d + +Warning: exif_read_data(bug76557.jpg): Process tag(x3030=UndefinedTa): Illegal format code 0x3030, suppose BYTE in %sbug76557.php on line %d + +Warning: exif_read_data(bug76557.jpg): Process tag(x8769=Exif_IFD_Po): Illegal format code 0x3030, suppose BYTE in %sbug76557.php on line %d + +Warning: exif_read_data(bug76557.jpg): Process tag(x3030=UndefinedTa): Illegal format code 0x3030, suppose BYTE in %sbug76557.php on line %d + +Warning: exif_read_data(bug76557.jpg): Process tag(x3030=UndefinedTa): Illegal format code 0x3030, suppose BYTE in 
%sbug76557.php on line %d + +Warning: exif_read_data(bug76557.jpg): Process tag(x3030=UndefinedTa): Illegal format code 0x3030, suppose BYTE in %sbug76557.php on line %d + +Warning: exif_read_data(bug76557.jpg): Process tag(x3030=UndefinedTa): Illegal format code 0x3030, suppose BYTE in %sbug76557.php on line %d + +Warning: exif_read_data(bug76557.jpg): Process tag(x3030=UndefinedTa): Illegal format code 0x3030, suppose BYTE in %sbug76557.php on line %d + +Warning: exif_read_data(bug76557.jpg): Process tag(x3030=UndefinedTa): Illegal format code 0x3030, suppose BYTE in %sbug76557.php on line %d + +Warning: exif_read_data(bug76557.jpg): Process tag(x3030=UndefinedTa): Illegal format code 0x3030, suppose BYTE in %sbug76557.php on line %d + +Warning: exif_read_data(bug76557.jpg): Process tag(x3030=UndefinedTa): Illegal format code 0x3030, suppose BYTE in %sbug76557.php on line %d + +Warning: exif_read_data(bug76557.jpg): Process tag(x3030=UndefinedTa): Illegal format code 0x3030, suppose BYTE in %sbug76557.php on line %d + +Warning: exif_read_data(bug76557.jpg): Process tag(x3030=UndefinedTa): Illegal format code 0x3030, suppose BYTE in %sbug76557.php on line %d + +Warning: exif_read_data(bug76557.jpg): Process tag(x3030=UndefinedTa): Illegal format code 0x3030, suppose BYTE in %sbug76557.php on line %d + +Warning: exif_read_data(bug76557.jpg): Process tag(x3030=UndefinedTa): Illegal format code 0x3030, suppose BYTE in %sbug76557.php on line %d + +Warning: exif_read_data(bug76557.jpg): Process tag(x3030=UndefinedTa): Illegal format code 0x3030, suppose BYTE in %sbug76557.php on line %d + +Warning: exif_read_data(bug76557.jpg): Process tag(x3030=UndefinedTa): Illegal format code 0x3030, suppose BYTE in %sbug76557.php on line %d + +Warning: exif_read_data(bug76557.jpg): Process tag(x3030=UndefinedTa): Illegal format code 0x3030, suppose BYTE in %sbug76557.php on line %d + +Warning: exif_read_data(bug76557.jpg): Process tag(x3030=UndefinedTa): Illegal format code 0x3030, 
suppose BYTE in %sbug76557.php on line %d
+
+Warning: exif_read_data(bug76557.jpg): Process tag(x927C=MakerNote ): Illegal format code 0x3030, suppose BYTE in %sbug76557.php on line %d
+
+Warning: exif_read_data(bug76557.jpg): Process tag(x3030=UndefinedTa): Illegal format code 0x3030, suppose BYTE in %sbug76557.php on line %d
+
+Warning: exif_read_data(bug76557.jpg): Process tag(x3030=UndefinedTa): Illegal format code 0x3030, suppose BYTE in %sbug76557.php on line %d
+
+Warning: exif_read_data(bug76557.jpg): Process tag(x3030=UndefinedTa): Illegal format code 0x3030, suppose BYTE in %sbug76557.php on line %d
+
+Warning: exif_read_data(bug76557.jpg): Process tag(x3030=UndefinedTa): Illegal pointer offset(x30303030 + x30303030 = x60606060 > x00EE) in %sbug76557.php on line %d
+
+Warning: exif_read_data(bug76557.jpg): File structure corrupted in %sbug76557.php on line %d
+
+Warning: exif_read_data(bug76557.jpg): Invalid JPEG file in %sbug76557.php on line %d
+int(1)
+DONE
diff --git a/ext/standard/link_win32.c b/ext/standard/link_win32.c
index 898928b2af..b46dee6a26 100644
--- a/ext/standard/link_win32.c
+++ b/ext/standard/link_win32.c
@@ -87,6 +87,7 @@ PHP_FUNCTION(readlink)
 PHP_FUNCTION(linkinfo)
 {
 char *link;
+ char *dirname;
 size_t link_len;
 zend_stat_t sb;
 int ret;
@@ -95,12 +96,22 @@ PHP_FUNCTION(linkinfo)
 return;
 }
+ dirname = estrndup(link, link_len);
+ php_dirname(dirname, link_len);
+
+ if (php_check_open_basedir(dirname)) {
+ efree(dirname);
+ RETURN_FALSE;
+ }
+
 ret = VCWD_STAT(link, &sb);
 if (ret == -1) {
 php_error_docref(NULL, E_WARNING, "%s", strerror(errno));
+ efree(dirname);
 RETURN_LONG(Z_L(-1));
 }
+ efree(dirname);
 RETURN_LONG((zend_long) sb.st_dev);
 }
 /* }}} */
--
cgit v1.2.1
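Review bot: In the `@@ -95,12 +96,22 @@` hunk of link_win32.c, `dirname` is consulted only by `php_check_open_basedir`, yet the copy stays live through `VCWD_STAT` and its error branch, so the new code needs three separate `efree(dirname)` calls, one per exit path, and any return added between them later will leak. Releasing the copy immediately after the check leaves a single free and lets the stat path stay as it was before the patch; the `RETURN_FALSE` for a basedir violation versus `RETURN_LONG(Z_L(-1))` for a stat failure is preserved. The sketch below keeps `link_len` as the size handed to `php_dirname`, exactly as the hunk does, and reuses the existing `int ret`. The parameter parsing that assigns `link` and `link_len` sits above this hunk, outside the visible lines.

```c
	dirname = estrndup(link, link_len);
	php_dirname(dirname, link_len);
	ret = php_check_open_basedir(dirname);
	efree(dirname); /* only needed for the check above */
	if (ret) {
		RETURN_FALSE;
	}

	ret = VCWD_STAT(link, &sb);
	/* … unchanged: stat error branch and final RETURN_LONG, with the two later efree(dirname) calls removed … */
```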