Fix bug #71459 - Integer overflow in iptcembed()
authorStanislav Malyshev <stas@php.net>
Wed, 27 Jan 2016 01:26:52 +0000 (17:26 -0800)
committerStanislav Malyshev <stas@php.net>
Wed, 27 Jan 2016 01:26:52 +0000 (17:26 -0800)
ext/standard/iptc.c

index 05d778b41b85b5d48aa0f9499c9f971d40b8cdc9..6f8aa5dc3e3bc177a1831472d4ff1f666ae0d9a9 100644 (file)
@@ -195,6 +195,11 @@ PHP_FUNCTION(iptcembed)
                RETURN_FALSE;
        }
 
+       if ((size_t)iptcdata_len >= SIZE_MAX - sizeof(psheader) - 1025) {
+               php_error_docref(NULL TSRMLS_CC, E_WARNING, "IPTC data too large");
+               RETURN_FALSE;
+       }
+
        if ((fp = VCWD_FOPEN(jpeg_file, "rb")) == 0) {
                php_error_docref(NULL TSRMLS_CC, E_WARNING, "Unable to open %s", jpeg_file);
                RETURN_FALSE;
@@ -203,7 +208,7 @@ PHP_FUNCTION(iptcembed)
        if (spool < 2) {
                fstat(fileno(fp), &sb);
 
-               poi = spoolbuf = safe_emalloc(1, iptcdata_len + sizeof(psheader) + sb.st_size + 1024, 1);
+               poi = spoolbuf = safe_emalloc(1, (size_t)iptcdata_len + sizeof(psheader) + 1024 + 1, sb.st_size);
                memset(poi, 0, iptcdata_len + sizeof(psheader) + sb.st_size + 1024 + 1);
        }
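Review bot: The new `safe_emalloc` call on the `poi = spoolbuf =` line now feeds `sb.st_size` straight into the allocation size, but the `fstat(fileno(fp), &sb)` two lines above is still unchecked (pre-existing, not introduced here), so on failure `sb.st_size` is indeterminate and the allocation and the `memset` length are computed from garbage. Since the commit is specifically about bounding this allocation, it would be worth closing that gap in the same place by testing the `fstat` result (and, since `off_t` is signed, rejecting a negative size) before the buffer is sized; `fp` was opened by `VCWD_FOPEN` in the previous hunk and must be closed on that early-return path. Separately, the allocation size and the `memset` size are now written as two different expressions; computing the total once into a `size_t` and passing it to both would keep them from drifting apart in a later edit. The body of `PHP_FUNCTION(iptcembed)` starts and ends outside these hunks, so I cannot see how `spoolbuf` is later filled or whether `iptcdata_len` is checked for being negative earlier.
```c
	if (spool < 2) {
		if (fstat(fileno(fp), &sb) != 0 || sb.st_size < 0) {
			php_error_docref(NULL TSRMLS_CC, E_WARNING, "Unable to stat %s", jpeg_file);
			fclose(fp);
			RETURN_FALSE;
		}
		/* … unchanged: safe_emalloc / memset of spoolbuf … */
```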