Fix bug #78222 (heap-buffer-overflow on exif_scan_thumbnail)
authorStanislav Malyshev <stas@php.net>
Mon, 8 Jul 2019 00:01:01 +0000 (17:01 -0700)
committerStanislav Malyshev <stas@php.net>
Mon, 29 Jul 2019 07:53:28 +0000 (00:53 -0700)
ext/exif/exif.c
ext/exif/tests/bug78222.jpg [new file with mode: 0644]
ext/exif/tests/bug78222.phpt [new file with mode: 0644]

index 605b37923f888d320a87947a58f19fd2122475e8..cd7975a9f558229e15405b2ca61fd13b7e1ced37 100644 (file)
@@ -3498,7 +3498,7 @@ static int exif_scan_thumbnail(image_info_type *ImageInfo)
        size_t          length=2, pos=0;
        jpeg_sof_info   sof_info;
 
-       if (!data) {
+       if (!data || ImageInfo->Thumbnail.size < 4) {
                return FALSE; /* nothing to do here */
        }
        if (memcmp(data, "\xFF\xD8\xFF", 3)) {
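Review bot: The new guard `ImageInfo->Thumbnail.size < 4` uses a bare constant that does not match the 3-byte `memcmp` on the next line, so a reader cannot tell which read it is meant to protect. A short comment would record the intent, for example `/* too short to hold the 3-byte JPEG signature plus the first marker byte */`, if that is indeed the reason for 4. The existing `/* nothing to do here */` now also covers a truncated thumbnail and could say so. The body of exif_scan_thumbnail continues outside the hunk, so it cannot be confirmed from here that every later read of `data` is bounded by `Thumbnail.size`; that is worth checking before relying on this guard alone.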
diff --git a/ext/exif/tests/bug78222.jpg b/ext/exif/tests/bug78222.jpg
new file mode 100644 (file)
index 0000000..a96e16b
Binary files /dev/null and b/ext/exif/tests/bug78222.jpg differ
diff --git a/ext/exif/tests/bug78222.phpt b/ext/exif/tests/bug78222.phpt
new file mode 100644 (file)
index 0000000..0e4ead3
--- /dev/null
@@ -0,0 +1,11 @@
+--TEST--
+Bug #78222 (heap-buffer-overflow on exif_scan_thumbnail)
+--SKIPIF--
+<?php if (!extension_loaded('exif')) print 'skip exif extension not available';?>
+--FILE--
+<?php
+exif_read_data(__DIR__."/bug78222.jpg", 'THUMBNAIL', FALSE, TRUE);
+?>
+DONE
+--EXPECTF--
+DONE
\ No newline at end of file
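Review bot: The test only asserts that the script reaches `DONE`, so it catches a regression only if the over-read actually aborts the process. On an uninstrumented build a small heap over-read will likely go unnoticed, and the test would pass with or without the fix. A comment before the call would make that dependency explicit, for example `// only meaningful under ASan or valgrind: the pre-fix over-read does not crash a normal build`. Since the expectation contains no format placeholders, `--EXPECT--` would do in place of `--EXPECTF--`, and the file should end with a newline.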