Fix bug #65873 - Integer overflow in exif_read_data()

diff --git a/NEWS b/NEWS
index 91b2182f3cdc55369c8dfe579045d6129c1a5be3..d3bd822885572966b5124624e4e56bfce23e0bfb 100644 (file)
--- a/NEWS
+++ b/NEWS
@@ -17,6 +17,9 @@ PHP                                                                        NEWS
   . Fixed bug #65196 (Passing DOMDocumentFragment to DOMDocument::saveHTML() 
     Produces invalid Markup). (Mike)
 
+- Exif:
+  . Fixed bug #65873 (Integer overflow in exif_read_data()). (Stas)
+
 - Filter:
   . Fixed bug #66229 (128.0.0.0/16 isn't reserved any longer). (Adam)
 

diff --git a/ext/exif/exif.c b/ext/exif/exif.c
index 2fe54f7b31c3ce957fccc3d47f0ca493c80db145..c531d8dfa896c4a202b630d7d48da27df3d3c0b7 100644 (file)
--- a/ext/exif/exif.c
+++ b/ext/exif/exif.c
@@ -2852,7 +2852,12 @@ static int exif_process_IFD_TAG(image_info_type *ImageInfo, char *dir_entry, cha
                offset_val = php_ifd_get32u(dir_entry+8, ImageInfo->motorola_intel);
                /* If its bigger than 4 bytes, the dir entry contains an offset. */
                value_ptr = offset_base+offset_val;
-               if (byte_count > IFDlength || offset_val > IFDlength-byte_count || value_ptr < dir_entry) {
+        /* 
+            dir_entry is ImageInfo->file.list[sn].data+2+i*12
+            offset_base is ImageInfo->file.list[sn].data-dir_offset 
+            dir_entry - offset_base is dir_offset+2+i*12
+        */
+               if (byte_count > IFDlength || offset_val > IFDlength-byte_count || value_ptr < dir_entry || offset_val < (size_t)(dir_entry-offset_base)) {
                        /* It is important to check for IMAGE_FILETYPE_TIFF
                         * JPEG does not use absolute pointers instead its pointers are
                         * relative to the start of the TIFF header in APP1 section. */