From 64043cb9e5d8bc5af719678893e38ee0290e0c0a Mon Sep 17 00:00:00 2001 From: Stanislav Malyshev Date: Fri, 28 Aug 2015 22:25:41 -0700 Subject: Fix bug #70385 (Buffer over-read in exif_read_data with TIFF IFD tag byte value of 32 bytes) --- ext/exif/exif.c | 208 ++++++++++++++++++++++++++++---------------------------- 1 file changed, 104 insertions(+), 104 deletions(-) (limited to 'ext/exif') diff --git a/ext/exif/exif.c b/ext/exif/exif.c index 7f95ff43ea..43e68c449e 100644 --- a/ext/exif/exif.c +++ b/ext/exif/exif.c @@ -74,7 +74,7 @@ #include "php_ini.h" #include "ext/standard/php_string.h" #include "ext/standard/php_image.h" -#include "ext/standard/info.h" +#include "ext/standard/info.h" /* needed for ssize_t definition */ #include @@ -161,7 +161,7 @@ ZEND_BEGIN_MODULE_GLOBALS(exif) char * encode_jis; char * decode_jis_be; char * decode_jis_le; -ZEND_END_MODULE_GLOBALS(exif) +ZEND_END_MODULE_GLOBALS(exif) ZEND_DECLARE_MODULE_GLOBALS(exif) @@ -170,7 +170,7 @@ ZEND_DECLARE_MODULE_GLOBALS(exif) #else #define EXIF_G(v) (exif_globals.v) #endif - + /* {{{ PHP_INI */ @@ -213,7 +213,7 @@ PHP_INI_BEGIN() STD_PHP_INI_ENTRY("exif.decode_jis_intel", "JIS", PHP_INI_ALL, OnUpdateDecode, decode_jis_le, zend_exif_globals, exif_globals) PHP_INI_END() /* }}} */ - + /* {{{ PHP_GINIT_FUNCTION */ static PHP_GINIT_FUNCTION(exif) @@ -233,9 +233,9 @@ PHP_MINIT_FUNCTION(exif) { REGISTER_INI_ENTRIES(); if (zend_hash_exists(&module_registry, "mbstring", sizeof("mbstring"))) { - REGISTER_LONG_CONSTANT("EXIF_USE_MBSTRING", 1, CONST_CS | CONST_PERSISTENT); + REGISTER_LONG_CONSTANT("EXIF_USE_MBSTRING", 1, CONST_CS | CONST_PERSISTENT); } else { - REGISTER_LONG_CONSTANT("EXIF_USE_MBSTRING", 0, CONST_CS | CONST_PERSISTENT); + REGISTER_LONG_CONSTANT("EXIF_USE_MBSTRING", 0, CONST_CS | CONST_PERSISTENT); } return SUCCESS; } @@ -265,7 +265,7 @@ zend_module_entry exif_module_entry = { exif_module_deps, "exif", exif_functions, - PHP_MINIT(exif), + PHP_MINIT(exif), PHP_MSHUTDOWN(exif), NULL, NULL, PHP_MINFO(exif), @@ -278,7 +278,7 @@ zend_module_entry exif_module_entry = { NULL, NULL, STANDARD_MODULE_PROPERTIES_EX -#else +#else STANDARD_MODULE_PROPERTIES #endif }; @@ -667,73 +667,73 @@ static tag_info_array tag_table_IFD = { { 0x0213, "YCbCrPositioning"}, { 0x0214, "ReferenceBlackWhite"}, { 0x02BC, "ExtensibleMetadataPlatform"}, /* XAP: Extensible Authoring Publishing, obsoleted by XMP: Extensible Metadata Platform */ - { 0x0301, "Gamma"}, - { 0x0302, "ICCProfileDescriptor"}, - { 0x0303, "SRGBRenderingIntent"}, - { 0x0320, "ImageTitle"}, - { 0x5001, "ResolutionXUnit"}, - { 0x5002, "ResolutionYUnit"}, - { 0x5003, "ResolutionXLengthUnit"}, - { 0x5004, "ResolutionYLengthUnit"}, - { 0x5005, "PrintFlags"}, - { 0x5006, "PrintFlagsVersion"}, - { 0x5007, "PrintFlagsCrop"}, - { 0x5008, "PrintFlagsBleedWidth"}, - { 0x5009, "PrintFlagsBleedWidthScale"}, - { 0x500A, "HalftoneLPI"}, - { 0x500B, "HalftoneLPIUnit"}, - { 0x500C, "HalftoneDegree"}, - { 0x500D, "HalftoneShape"}, - { 0x500E, "HalftoneMisc"}, - { 0x500F, "HalftoneScreen"}, - { 0x5010, "JPEGQuality"}, - { 0x5011, "GridSize"}, - { 0x5012, "ThumbnailFormat"}, - { 0x5013, "ThumbnailWidth"}, - { 0x5014, "ThumbnailHeight"}, - { 0x5015, "ThumbnailColorDepth"}, - { 0x5016, "ThumbnailPlanes"}, - { 0x5017, "ThumbnailRawBytes"}, - { 0x5018, "ThumbnailSize"}, - { 0x5019, "ThumbnailCompressedSize"}, - { 0x501A, "ColorTransferFunction"}, - { 0x501B, "ThumbnailData"}, - { 0x5020, "ThumbnailImageWidth"}, - { 0x5021, "ThumbnailImageHeight"}, - { 0x5022, "ThumbnailBitsPerSample"}, - { 0x5023, "ThumbnailCompression"}, - { 0x5024, "ThumbnailPhotometricInterp"}, - { 0x5025, "ThumbnailImageDescription"}, - { 0x5026, "ThumbnailEquipMake"}, - { 0x5027, "ThumbnailEquipModel"}, - { 0x5028, "ThumbnailStripOffsets"}, - { 0x5029, "ThumbnailOrientation"}, - { 0x502A, "ThumbnailSamplesPerPixel"}, - { 0x502B, "ThumbnailRowsPerStrip"}, - { 0x502C, "ThumbnailStripBytesCount"}, - { 0x502D, "ThumbnailResolutionX"}, - { 0x502E, "ThumbnailResolutionY"}, - { 0x502F, "ThumbnailPlanarConfig"}, - { 0x5030, "ThumbnailResolutionUnit"}, - { 0x5031, "ThumbnailTransferFunction"}, - { 0x5032, "ThumbnailSoftwareUsed"}, - { 0x5033, "ThumbnailDateTime"}, - { 0x5034, "ThumbnailArtist"}, - { 0x5035, "ThumbnailWhitePoint"}, - { 0x5036, "ThumbnailPrimaryChromaticities"}, - { 0x5037, "ThumbnailYCbCrCoefficients"}, - { 0x5038, "ThumbnailYCbCrSubsampling"}, - { 0x5039, "ThumbnailYCbCrPositioning"}, - { 0x503A, "ThumbnailRefBlackWhite"}, - { 0x503B, "ThumbnailCopyRight"}, - { 0x5090, "LuminanceTable"}, - { 0x5091, "ChrominanceTable"}, - { 0x5100, "FrameDelay"}, - { 0x5101, "LoopCount"}, - { 0x5110, "PixelUnit"}, - { 0x5111, "PixelPerUnitX"}, - { 0x5112, "PixelPerUnitY"}, - { 0x5113, "PaletteHistogram"}, + { 0x0301, "Gamma"}, + { 0x0302, "ICCProfileDescriptor"}, + { 0x0303, "SRGBRenderingIntent"}, + { 0x0320, "ImageTitle"}, + { 0x5001, "ResolutionXUnit"}, + { 0x5002, "ResolutionYUnit"}, + { 0x5003, "ResolutionXLengthUnit"}, + { 0x5004, "ResolutionYLengthUnit"}, + { 0x5005, "PrintFlags"}, + { 0x5006, "PrintFlagsVersion"}, + { 0x5007, "PrintFlagsCrop"}, + { 0x5008, "PrintFlagsBleedWidth"}, + { 0x5009, "PrintFlagsBleedWidthScale"}, + { 0x500A, "HalftoneLPI"}, + { 0x500B, "HalftoneLPIUnit"}, + { 0x500C, "HalftoneDegree"}, + { 0x500D, "HalftoneShape"}, + { 0x500E, "HalftoneMisc"}, + { 0x500F, "HalftoneScreen"}, + { 0x5010, "JPEGQuality"}, + { 0x5011, "GridSize"}, + { 0x5012, "ThumbnailFormat"}, + { 0x5013, "ThumbnailWidth"}, + { 0x5014, "ThumbnailHeight"}, + { 0x5015, "ThumbnailColorDepth"}, + { 0x5016, "ThumbnailPlanes"}, + { 0x5017, "ThumbnailRawBytes"}, + { 0x5018, "ThumbnailSize"}, + { 0x5019, "ThumbnailCompressedSize"}, + { 0x501A, "ColorTransferFunction"}, + { 0x501B, "ThumbnailData"}, + { 0x5020, "ThumbnailImageWidth"}, + { 0x5021, "ThumbnailImageHeight"}, + { 0x5022, "ThumbnailBitsPerSample"}, + { 0x5023, "ThumbnailCompression"}, + { 0x5024, "ThumbnailPhotometricInterp"}, + { 0x5025, "ThumbnailImageDescription"}, + { 0x5026, "ThumbnailEquipMake"}, + { 0x5027, "ThumbnailEquipModel"}, + { 0x5028, "ThumbnailStripOffsets"}, + { 0x5029, "ThumbnailOrientation"}, + { 0x502A, "ThumbnailSamplesPerPixel"}, + { 0x502B, "ThumbnailRowsPerStrip"}, + { 0x502C, "ThumbnailStripBytesCount"}, + { 0x502D, "ThumbnailResolutionX"}, + { 0x502E, "ThumbnailResolutionY"}, + { 0x502F, "ThumbnailPlanarConfig"}, + { 0x5030, "ThumbnailResolutionUnit"}, + { 0x5031, "ThumbnailTransferFunction"}, + { 0x5032, "ThumbnailSoftwareUsed"}, + { 0x5033, "ThumbnailDateTime"}, + { 0x5034, "ThumbnailArtist"}, + { 0x5035, "ThumbnailWhitePoint"}, + { 0x5036, "ThumbnailPrimaryChromaticities"}, + { 0x5037, "ThumbnailYCbCrCoefficients"}, + { 0x5038, "ThumbnailYCbCrSubsampling"}, + { 0x5039, "ThumbnailYCbCrPositioning"}, + { 0x503A, "ThumbnailRefBlackWhite"}, + { 0x503B, "ThumbnailCopyRight"}, + { 0x5090, "LuminanceTable"}, + { 0x5091, "ChrominanceTable"}, + { 0x5100, "FrameDelay"}, + { 0x5101, "LoopCount"}, + { 0x5110, "PixelUnit"}, + { 0x5111, "PixelPerUnitX"}, + { 0x5112, "PixelPerUnitY"}, + { 0x5113, "PaletteHistogram"}, { 0x1000, "RelatedImageFileFormat"}, { 0x800D, "ImageID"}, { 0x80E3, "Matteing"}, /* obsoleted by ExtraSamples */ @@ -939,7 +939,7 @@ static tag_info_array tag_table_VND_NIKON = { { 0x000b, "Converter"}, TAG_TABLE_END }; - + static tag_info_array tag_table_VND_NIKON_990 = { { 0x0001, "Version"}, { 0x0002, "ISOSetting"}, @@ -958,7 +958,7 @@ static tag_info_array tag_table_VND_NIKON_990 = { { 0x0010, "DataDump"}, TAG_TABLE_END }; - + static tag_info_array tag_table_VND_OLYMPUS = { { 0x0200, "SpecialMode"}, { 0x0201, "JPEGQuality"}, @@ -1224,7 +1224,7 @@ char * exif_dump_data(int *dump_free, int format, int components, int length, in if (components > 0) { dump = erealloc(dump, len + 2 + 1); snprintf(dump + len, 2 + 1, ", "); - len += 2; + len += 2; components--; } else{ break; @@ -1574,7 +1574,7 @@ typedef struct { static void exif_error_docref(const char *docref EXIFERR_DC, const image_info_type *ImageInfo, int type, const char *format, ...) { va_list args; - + va_start(args, format); #ifdef EXIF_DEBUG { @@ -2627,7 +2627,7 @@ static int exif_process_user_comment(image_info_type *ImageInfo, char **pszInfoP *pszEncoding = estrdup((const char*)szValuePtr); szValuePtr = szValuePtr+8; ByteCount -= 8; - /* First try to detect BOM: ZERO WIDTH NOBREAK SPACE (FEFF 16) + /* First try to detect BOM: ZERO WIDTH NOBREAK SPACE (FEFF 16) * since we have no encoding support for the BOM yet we skip that. */ if (!memcmp(szValuePtr, "\xFE\xFF", 2)) { @@ -2645,8 +2645,8 @@ static int exif_process_user_comment(image_info_type *ImageInfo, char **pszInfoP } /* XXX this will fail again if encoding_converter returns on error something different than SIZE_MAX */ if (zend_multibyte_encoding_converter( - (unsigned char**)pszInfoPtr, - &len, + (unsigned char**)pszInfoPtr, + &len, (unsigned char*)szValuePtr, ByteCount, zend_multibyte_fetch_encoding(ImageInfo->encode_unicode TSRMLS_CC), @@ -2666,8 +2666,8 @@ static int exif_process_user_comment(image_info_type *ImageInfo, char **pszInfoP ByteCount -= 8; /* XXX this will fail again if encoding_converter returns on error something different than SIZE_MAX */ if (zend_multibyte_encoding_converter( - (unsigned char**)pszInfoPtr, - &len, + (unsigned char**)pszInfoPtr, + &len, (unsigned char*)szValuePtr, ByteCount, zend_multibyte_fetch_encoding(ImageInfo->encode_jis TSRMLS_CC), @@ -2701,12 +2701,12 @@ static int exif_process_user_comment(image_info_type *ImageInfo, char **pszInfoP * Process unicode field in IFD. */ static int exif_process_unicode(image_info_type *ImageInfo, xp_field_type *xp_field, int tag, char *szValuePtr, int ByteCount TSRMLS_DC) { - xp_field->tag = tag; + xp_field->tag = tag; xp_field->value = NULL; /* XXX this will fail again if encoding_converter returns on error something different than SIZE_MAX */ if (zend_multibyte_encoding_converter( - (unsigned char**)&xp_field->value, - &xp_field->size, + (unsigned char**)&xp_field->value, + &xp_field->size, (unsigned char*)szValuePtr, ByteCount, zend_multibyte_fetch_encoding(ImageInfo->encode_unicode TSRMLS_CC), @@ -2731,7 +2731,7 @@ static int exif_process_IFD_in_MAKERNOTE(image_info_type *ImageInfo, char * valu if (i==sizeof(maker_note_array)/sizeof(maker_note_type)) return FALSE; maker_note = maker_note_array+i; - + /*exif_error_docref(NULL EXIFERR_CC, ImageInfo, E_NOTICE, "check (%s,%s)", maker_note->make?maker_note->make:"", maker_note->model?maker_note->model:"");*/ if (maker_note->make && (!ImageInfo->make || strcmp(maker_note->make, ImageInfo->make))) continue; @@ -2852,9 +2852,9 @@ static int exif_process_IFD_TAG(image_info_type *ImageInfo, char *dir_entry, cha offset_val = php_ifd_get32u(dir_entry+8, ImageInfo->motorola_intel); /* If its bigger than 4 bytes, the dir entry contains an offset. */ value_ptr = offset_base+offset_val; - /* + /* dir_entry is ImageInfo->file.list[sn].data+2+i*12 - offset_base is ImageInfo->file.list[sn].data-dir_offset + offset_base is ImageInfo->file.list[sn].data-dir_offset dir_entry - offset_base is dir_offset+2+i*12 */ if (byte_count > IFDlength || offset_val > IFDlength-byte_count || value_ptr < dir_entry || offset_val < (size_t)(dir_entry-offset_base)) { @@ -2925,18 +2925,18 @@ static int exif_process_IFD_TAG(image_info_type *ImageInfo, char *dir_entry, cha case TAG_COMP_IMAGE_WIDTH: ImageInfo->Thumbnail.width = exif_convert_any_to_int(value_ptr, format, ImageInfo->motorola_intel TSRMLS_CC); break; - + case TAG_IMAGEHEIGHT: case TAG_COMP_IMAGE_HEIGHT: ImageInfo->Thumbnail.height = exif_convert_any_to_int(value_ptr, format, ImageInfo->motorola_intel TSRMLS_CC); break; - + case TAG_STRIP_OFFSETS: case TAG_JPEG_INTERCHANGE_FORMAT: /* accept both formats */ ImageInfo->Thumbnail.offset = exif_convert_any_to_int(value_ptr, format, ImageInfo->motorola_intel TSRMLS_CC); break; - + case TAG_STRIP_BYTE_COUNTS: if (ImageInfo->FileType == IMAGE_FILETYPE_TIFF_II || ImageInfo->FileType == IMAGE_FILETYPE_TIFF_MM) { ImageInfo->Thumbnail.filetype = ImageInfo->FileType; @@ -2946,7 +2946,7 @@ static int exif_process_IFD_TAG(image_info_type *ImageInfo, char *dir_entry, cha } ImageInfo->Thumbnail.size = exif_convert_any_to_int(value_ptr, format, ImageInfo->motorola_intel TSRMLS_CC); break; - + case TAG_JPEG_INTERCHANGE_FORMAT_LEN: if (ImageInfo->Thumbnail.filetype == IMAGE_FILETYPE_UNKNOWN) { ImageInfo->Thumbnail.filetype = IMAGE_FILETYPE_JPEG; @@ -2973,7 +2973,7 @@ static int exif_process_IFD_TAG(image_info_type *ImageInfo, char *dir_entry, cha ImageInfo->Copyright = estrdup(value_ptr); } } - break; + break; case TAG_USERCOMMENT: ImageInfo->UserCommentLength = exif_process_user_comment(ImageInfo, &(ImageInfo->UserComment), &(ImageInfo->UserCommentEncoding), value_ptr, byte_count TSRMLS_CC); @@ -3061,10 +3061,10 @@ static int exif_process_IFD_TAG(image_info_type *ImageInfo, char *dir_entry, cha break; case TAG_MAKE: - ImageInfo->make = estrdup(value_ptr); + ImageInfo->make = estrndup(value_ptr, byte_count); break; case TAG_MODEL: - ImageInfo->model = estrdup(value_ptr); + ImageInfo->model = estrndup(value_ptr, byte_count); break; case TAG_MAKER_NOTE: @@ -3414,7 +3414,7 @@ static int exif_scan_JPEG_header(image_info_type *ImageInfo TSRMLS_DC) if ((itemlen - 2) < 6) { return FALSE; } - + exif_process_SOFn(Data, marker, &sof_info); ImageInfo->Width = sof_info.width; ImageInfo->Height = sof_info.height; @@ -3459,21 +3459,21 @@ static int exif_scan_thumbnail(image_info_type *ImageInfo TSRMLS_DC) } for (;;) { pos += length; - if (pos>=ImageInfo->Thumbnail.size) + if (pos>=ImageInfo->Thumbnail.size) return FALSE; c = data[pos++]; - if (pos>=ImageInfo->Thumbnail.size) + if (pos>=ImageInfo->Thumbnail.size) return FALSE; if (c != 0xFF) { return FALSE; } n = 8; while ((c = data[pos++]) == 0xFF && n--) { - if (pos+3>=ImageInfo->Thumbnail.size) + if (pos+3>=ImageInfo->Thumbnail.size) return FALSE; /* +3 = pos++ of next check when reaching marker + 2 bytes for length */ } - if (c == 0xFF) + if (c == 0xFF) return FALSE; marker = c; length = php_jpg_get16(data+pos); @@ -3787,7 +3787,7 @@ static int exif_scan_FILE_header(image_info_type *ImageInfo TSRMLS_DC) exif_error_docref(NULL EXIFERR_CC, ImageInfo, E_NOTICE, "File has TIFF/II format"); #endif ImageInfo->sections_found |= FOUND_IFD0; - if (exif_process_IFD_in_TIFF(ImageInfo, + if (exif_process_IFD_in_TIFF(ImageInfo, php_ifd_get32u(file_header + 4, ImageInfo->motorola_intel), SECTION_IFD0 TSRMLS_CC)) { ret = TRUE; @@ -3967,7 +3967,7 @@ PHP_FUNCTION(exif_read_data) sections_str = exif_get_sectionlist(ImageInfo.sections_found TSRMLS_CC); #ifdef EXIF_DEBUG - if (sections_str) + if (sections_str) exif_error_docref(NULL EXIFERR_CC, &ImageInfo, E_NOTICE, "Sections found: %s", sections_str[0] ? sections_str : "None"); #endif -- cgit v1.2.1