Added missing sanity checks around exif processing
authorIlia Alshanetsky <iliaa@php.net>
Sun, 16 Aug 2009 14:31:27 +0000 (14:31 +0000)
committerIlia Alshanetsky <iliaa@php.net>
Sun, 16 Aug 2009 14:31:27 +0000 (14:31 +0000)
NEWS
ext/exif/exif.c

diff --git a/NEWS b/NEWS
index 56305d673f3d4664ffd41ae7bfb68fd775c9535a..6aa13422a8dcfe3c58574ae2b743c9034617185c 100644 (file)
--- a/NEWS
+++ b/NEWS
@@ -1,6 +1,7 @@
 PHP                                                                        NEWS
 |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
 ?? ??? 2009, PHP 5.2.11
+- Added missing sanity checks around exif processing (Ilia)
 
 13 Aug 2009, PHP 5.2.11RC1
 - Fixed regression in cURL extension that prevented flush of data to output
index a0c7c674ee9768b195df2ea3a06044d95b49b0fb..0e89a6b5830cd5e82082629943bf7797bddef269 100644 (file)
@@ -3243,7 +3243,7 @@ static void exif_process_APP1(image_info_type *ImageInfo, char *CharBuf, size_t
 {
        /* Check the APP1 for Exif Identifier Code */
        static const uchar ExifHeader[] = {0x45, 0x78, 0x69, 0x66, 0x00, 0x00};
-       if (memcmp(CharBuf+2, ExifHeader, 6)) {
+       if (length <= 8 || memcmp(CharBuf+2, ExifHeader, 6)) {
                exif_error_docref(NULL EXIFERR_CC, ImageInfo, E_WARNING, "Incorrect APP1 Exif Identifier Code");
                return;
        }
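Review bot: The new `length <= 8` guard in front of the memcmp stops the six-byte compare at CharBuf+2 from reading past a short section, but the constant is left unexplained and nothing in the hunk says why a section of exactly 8 bytes is rejected as well. A one-line comment would spare the next reader the recount, e.g. `/* 2 bytes skipped by CharBuf+2 plus the 6-byte Exif header; a section no longer than that carries nothing after the identifier */`. The remainder of exif_process_APP1 lies outside the hunk, so whether `length - 8` is later handed to the TIFF parser without a further check cannot be confirmed from here.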
@@ -3326,8 +3326,14 @@ static int exif_scan_JPEG_header(image_info_type *ImageInfo TSRMLS_DC)
                }
 
                /* Read the length of the section. */
-               lh = php_stream_getc(ImageInfo->infile);
-               ll = php_stream_getc(ImageInfo->infile);
+               if ((lh = php_stream_getc(ImageInfo->infile)) == EOF) {
+                       EXIF_ERRLOG_CORRUPT(ImageInfo)
+                       return FALSE;
+               }
+               if ((ll = php_stream_getc(ImageInfo->infile)) == EOF) {
+                       EXIF_ERRLOG_CORRUPT(ImageInfo)
+                       return FALSE;
+               }
 
                itemlen = (lh << 8) | ll;
 
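Review bot: The new `== EOF` comparisons on lh and ll only detect end-of-stream if both variables are declared `int`; if they are `unsigned char`/`uchar`, the return of php_stream_getc is truncated before the test and EOF can never match. Their declarations are above the hunk, so please confirm the types. By JPEG convention the combined `itemlen` includes the two length bytes themselves, so a value below 2 is still corrupt; if a check such as `if (itemlen < 2) { EXIF_ERRLOG_CORRUPT(ImageInfo) return FALSE; }` is not already present after this hunk, it belongs directly after the assignment. exif_scan_JPEG_header continues outside the hunk.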
@@ -3527,6 +3533,10 @@ static int exif_process_IFD_in_TIFF(image_info_type *ImageInfo, size_t dir_offse
        int entry_tag , entry_type;
        tag_table_type tag_table = exif_get_tag_table(section_index);
 
+       if (ImageInfo->ifd_nesting_level > MAX_IFD_NESTING_LEVEL) {
+                return FALSE;
+        }
+
        if (ImageInfo->FileSize >= dir_offset+2) {
                sn = exif_file_sections_add(ImageInfo, M_PSEUDO, 2, NULL);
 #ifdef EXIF_DEBUG
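Review bot: `ImageInfo->ifd_nesting_level` is incremented before each recursive call (in the later hunks at the `Next IFD` and `Read next IFD (THUMBNAIL)` sites) but never decremented when the call returns, so the guard added at the top of exif_process_IFD_in_TIFF caps the total number of IFDs visited rather than the nesting depth that the field name and MAX_IFD_NESTING_LEVEL suggest, unless a decrement exists somewhere not shown. If a depth limit is intended, add `ImageInfo->ifd_nesting_level--;` after each recursive `exif_process_IFD_in_TIFF(...)` call; if a total cap is intended, say so in a comment at the check so it is not "fixed" later. The early `return FALSE` is also silent, unlike the other failure paths in this file that call EXIF_ERRLOG_CORRUPT or exif_error_docref, and both recursive callers discard the return value, so a truncated parse leaves no trace for the user; consider `exif_error_docref(NULL EXIFERR_CC, ImageInfo, E_WARNING, "Maximum IFD nesting level exceeded");` before returning. The indentation of the two new lines after the `if` does not match the surrounding lines.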
@@ -3670,6 +3680,7 @@ static int exif_process_IFD_in_TIFF(image_info_type *ImageInfo, size_t dir_offse
 #ifdef EXIF_DEBUG
                                                exif_error_docref(NULL EXIFERR_CC, ImageInfo, E_NOTICE, "Next IFD: %s @x%04X", exif_get_sectionname(sub_section_index), entry_offset);
 #endif
+                                               ImageInfo->ifd_nesting_level++;
                                                exif_process_IFD_in_TIFF(ImageInfo, entry_offset, sub_section_index TSRMLS_CC);
                                                if (section_index!=SECTION_THUMBNAIL && entry_tag==TAG_SUB_IFD) {
                                                        if (ImageInfo->Thumbnail.filetype != IMAGE_FILETYPE_UNKNOWN
@@ -3709,6 +3720,7 @@ static int exif_process_IFD_in_TIFF(image_info_type *ImageInfo, size_t dir_offse
 #ifdef EXIF_DEBUG
                                        exif_error_docref(NULL EXIFERR_CC, ImageInfo, E_NOTICE, "Read next IFD (THUMBNAIL) at x%04X", next_offset);
 #endif
+                                       ImageInfo->ifd_nesting_level++;
                                        exif_process_IFD_in_TIFF(ImageInfo, next_offset, SECTION_THUMBNAIL TSRMLS_CC);
 #ifdef EXIF_DEBUG
                                        exif_error_docref(NULL EXIFERR_CC, ImageInfo, E_NOTICE, "%s THUMBNAIL @0x%04X + 0x%04X", ImageInfo->Thumbnail.data ? "Ignore" : "Read", ImageInfo->Thumbnail.offset, ImageInfo->Thumbnail.size);
@@ -3781,9 +3793,7 @@ static int exif_scan_FILE_header(image_info_type *ImageInfo TSRMLS_DC)
                                } else {
                                        exif_error_docref(NULL EXIFERR_CC, ImageInfo, E_WARNING, "Invalid TIFF file");
                                }
-                       }
-                       else
-                       if (!memcmp(file_header, "MM\x00\x2a", 4)) {
+                       } else if (!memcmp(file_header, "MM\x00\x2a", 4)) {
                                ImageInfo->FileType = IMAGE_FILETYPE_TIFF_MM;
                                ImageInfo->motorola_intel = 1;
 #ifdef EXIF_DEBUG