Fix bug #77540 - Invalid Read on exif_process_SOFn
authorStanislav Malyshev <stas@php.net>
Sat, 2 Mar 2019 21:38:00 +0000 (13:38 -0800)
committerStanislav Malyshev <stas@php.net>
Mon, 4 Mar 2019 02:35:26 +0000 (18:35 -0800)
ext/exif/exif.c
ext/exif/tests/bug77540.jpg [new file with mode: 0644]
ext/exif/tests/bug77540.phpt [new file with mode: 0644]

index b4563927a5058e93ad55074fe367e4bac0ef987e..ea88a8f115e8a366f5f7419a01b1acf58260d420 100644 (file)
@@ -3509,7 +3509,7 @@ static int exif_scan_thumbnail(image_info_type *ImageInfo)
                        return FALSE;
                marker = c;
                length = php_jpg_get16(data+pos);
-               if (pos+length>=ImageInfo->Thumbnail.size) {
+               if (length > ImageInfo->Thumbnail.size || pos >= ImageInfo->Thumbnail.size - length) {
                        return FALSE;
                }
 #ifdef EXIF_DEBUG
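Review bot: `php_jpg_get16(data+pos)` reads two bytes at `pos` before any bound visible in this hunk confirms that two bytes remain in the thumbnail buffer, so the new length check may run on a value already read past the end. If the code above the hunk does not guarantee this, a guard such as `if (ImageInfo->Thumbnail.size < 2 || pos > ImageInfo->Thumbnail.size - 2) return FALSE;` belongs before the read. The rewritten condition is also only safe because `length > ImageInfo->Thumbnail.size` is tested first, which keeps `Thumbnail.size - length` from wrapping (assuming these are unsigned; the declarations are outside the hunk). A comment like `/* length test first: keeps size - length from wrapping */` would stop a later edit from reordering it. exif_scan_thumbnail starts and ends outside the hunk.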
@@ -3530,6 +3530,10 @@ static int exif_scan_thumbnail(image_info_type *ImageInfo)
                        case M_SOF14:
                        case M_SOF15:
                                /* handle SOFn block */
+                               if (length < 8 || ImageInfo->Thumbnail.size - 8 < pos) {
+                                       /* exif_process_SOFn needs 8 bytes */
+                                       return FALSE;
+                               }
                                exif_process_SOFn(data+pos, marker, &sof_info);
                                ImageInfo->Thumbnail.height   = sof_info.height;
                                ImageInfo->Thumbnail.width    = sof_info.width;
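Review bot: The subtraction in `ImageInfo->Thumbnail.size - 8 < pos` wraps when the thumbnail is shorter than 8 bytes (assuming `Thumbnail.size` is unsigned; its declaration is not in the hunk). The check is then correct only because the earlier `length > ImageInfo->Thumbnail.size` test has already rejected that case whenever `length >= 8`. Making the guard self-contained removes the hidden dependency: `if (length < 8 || ImageInfo->Thumbnail.size < 8 || pos > ImageInfo->Thumbnail.size - 8) {`. The comment would read better above the condition and say where the bytes come from, e.g. `/* exif_process_SOFn needs 8 bytes starting at data+pos */`. The switch and the enclosing function continue outside the hunk.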
@@ -4177,7 +4181,9 @@ PHP_FUNCTION(exif_thumbnail)
        ZVAL_STRINGL(return_value, ImageInfo.Thumbnail.data, ImageInfo.Thumbnail.size);
        if (arg_c >= 3) {
                if (!ImageInfo.Thumbnail.width || !ImageInfo.Thumbnail.height) {
-                       exif_scan_thumbnail(&ImageInfo);
+                       if (!exif_scan_thumbnail(&ImageInfo)) {
+                               ImageInfo.Thumbnail.width = ImageInfo.Thumbnail.height = 0;
+                       }
                }
                zval_dtor(p_width);
                zval_dtor(p_height);
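Review bot: A failed scan is now reported only as zero width and height, while the `ZVAL_STRINGL` line above still returns the thumbnail bytes. A caller therefore cannot tell a thumbnail without dimensions from one whose JPEG header failed the bounds checks. A short comment on the new branch would record the intent, e.g. `/* malformed thumbnail header: report no dimensions rather than partial values */`. Whether a warning should also be raised here depends on conventions not visible in the hunk. PHP_FUNCTION(exif_thumbnail) starts and ends outside the hunk.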
diff --git a/ext/exif/tests/bug77540.jpg b/ext/exif/tests/bug77540.jpg
new file mode 100644 (file)
index 0000000..559022d
Binary files /dev/null and b/ext/exif/tests/bug77540.jpg differ
diff --git a/ext/exif/tests/bug77540.phpt b/ext/exif/tests/bug77540.phpt
new file mode 100644 (file)
index 0000000..a284e1f
--- /dev/null
@@ -0,0 +1,16 @@
+--TEST--
+Bug 77540 (Invalid Read on exif_process_SOFn)
+--SKIPIF--
+<?php if (!extension_loaded('exif')) print 'skip exif extension not available';?>
+--FILE--
+<?php
+$width = $height = 42;
+$s = exif_thumbnail(__DIR__."/bug77540.jpg", $width, $height);
+echo "Width ".$width."\n";
+echo "Height ".$height."\n";
+?>
+DONE
+--EXPECTF--
+Width 0
+Height 0
+DONE
\ No newline at end of file