Fix bug #77563 - Uninitialized read in exif_process_IFD_in_MAKERNOTE

Also fix for bug #77659

diff --git a/ext/exif/exif.c b/ext/exif/exif.c
index ea88a8f115e8a366f5f7419a01b1acf58260d420..fe89b854711879274555bdc762ea6e7fa518fa59 100644 (file)
--- a/ext/exif/exif.c
+++ b/ext/exif/exif.c
@@ -2741,7 +2741,7 @@ static int exif_process_IFD_in_MAKERNOTE(image_info_type *ImageInfo, char * valu
                break;
        }
 
-       if (maker_note->offset >= value_len) {
+       if (value_len < 2 || maker_note->offset >= value_len - 1) {
                /* Do not go past the value end */
                exif_error_docref("exif_read_data#error_ifd" EXIFERR_CC, ImageInfo, E_WARNING, "IFD data too short: 0x%04X offset 0x%04X", value_len, maker_note->offset);
                return FALSE;
@@ -2794,6 +2794,7 @@ static int exif_process_IFD_in_MAKERNOTE(image_info_type *ImageInfo, char * valu
                        break;
                default:
                case MN_OFFSET_NORMAL:
+                       data_len = value_len;
                        break;
        }
 

diff --git a/ext/exif/tests/bug77563.jpg b/ext/exif/tests/bug77563.jpg
new file mode 100644 (file)
index 0000000..d628015
Binary files /dev/null and b/ext/exif/tests/bug77563.jpg differ

diff --git a/ext/exif/tests/bug77563.phpt b/ext/exif/tests/bug77563.phpt
new file mode 100644 (file)
index 0000000..c145886
--- /dev/null
+++ b/ext/exif/tests/bug77563.phpt
@@ -0,0 +1,16 @@
+--TEST--
+Bug 77563 (Uninitialized read in exif_process_IFD_in_MAKERNOTE)
+--SKIPIF--
+<?php if (!extension_loaded('exif')) print 'skip exif extension not available';?>
+--FILE--
+<?php
+$s = exif_thumbnail(__DIR__."/bug77563.jpg");
+?>
+DONE
+--EXPECTF--
+Warning: exif_thumbnail(bug77563.jpg): Illegal IFD offset in %s/bug77563.php on line %d
+
+Warning: exif_thumbnail(bug77563.jpg): File structure corrupted in %s/bug77563.php on line %d
+
+Warning: exif_thumbnail(bug77563.jpg): Invalid JPEG file in %s/bug77563.php on line %d
+DONE
\ No newline at end of file