Fix bug #67250 (iptcparse out-of-bounds read)

author Stanislav Malyshev <stas@php.net>

Mon, 12 May 2014 02:09:19 +0000 (19:09 -0700)

committer Stanislav Malyshev <stas@php.net>

Fri, 18 Jul 2014 23:02:52 +0000 (16:02 -0700)
author Stanislav Malyshev <stas@php.net>
Mon, 12 May 2014 02:09:19 +0000 (19:09 -0700)
committer Stanislav Malyshev <stas@php.net>
Fri, 18 Jul 2014 23:02:52 +0000 (16:02 -0700)
diff --git a/ext/standard/iptc.c b/ext/standard/iptc.c

index 420111e731e1bcf31ef6a745c7ee4e270c78ce9f..e3190d563333651729803bf74ea5f43da8723b12 100644 (file)
--- a/ext/standard/iptc.c
+++ b/ext/standard/iptc.c
@@ -335,6 +335,9 @@ PHP_FUNCTION(iptcparse)
                 recnum = buffer[ inx++ ];
  
                 if (buffer[ inx ] & (unsigned char) 0x80) { /* long tag */
+            if((inx+6) >= str_len) {
+                break;
+            }
                         len = (((long) buffer[ inx + 2 ]) << 24) + (((long) buffer[ inx + 3 ]) << 16) + 
                                   (((long) buffer[ inx + 4 ]) <<  8) + (((long) buffer[ inx + 5 ]));
                         inx += 6;
diff --git a/ext/standard/tests/image/bug67250.phpt b/ext/standard/tests/image/bug67250.phpt

new file mode 100644 (file)

index 0000000..607de9f
--- /dev/null
+++ b/ext/standard/tests/image/bug67250.phpt
@@ -0,0 +1,8 @@
+--TEST--
+Bug #67250 (iptcparse out-of-bounds read)
+--FILE--
+<?php
+var_dump(iptcparse("\x1C\x02_\x80___"));
+?>
+--EXPECT--
+bool(false)
author	Stanislav Malyshev <stas@php.net>
	Mon, 12 May 2014 02:09:19 +0000 (19:09 -0700)
committer	Stanislav Malyshev <stas@php.net>
	Fri, 18 Jul 2014 23:02:52 +0000 (16:02 -0700)
ext/standard/iptc.c		patch \| blob \| history
ext/standard/tests/image/bug67250.phpt	[new file with mode: 0644]	patch \| blob