- Fixed information leak in ext exif (discovered by Martin Noga, Matthew "j00ru"...
authorFelipe Pena <felipensp@gmail.com>
Sun, 3 Jun 2012 18:23:07 +0000 (15:23 -0300)
committerFelipe Pena <felipensp@gmail.com>
Sun, 3 Jun 2012 18:23:07 +0000 (15:23 -0300)
ext/exif/exif.c

index 9468c2380b20bd908c8e27d86a4c6e502d4f1c87..604010b0390d275155ba828ecd93c9e42fa5dc54 100644 (file)
@@ -3278,7 +3278,7 @@ static void exif_process_APP12(image_info_type *ImageInfo, char *buffer, size_t
        if ((l1 = php_strnlen(buffer+2, length-2)) > 0) {
                exif_iif_add_tag(ImageInfo, SECTION_APP12, "Company", TAG_NONE, TAG_FMT_STRING, l1, buffer+2 TSRMLS_CC);
                if (length > 2+l1+1) {
-                       l2 = php_strnlen(buffer+2+l1+1, length-2-l1+1);
+                       l2 = php_strnlen(buffer+2+l1+1, length-2-l1-1);
                        exif_iif_add_tag(ImageInfo, SECTION_APP12, "Info", TAG_NONE, TAG_FMT_STRING, l2, buffer+2+l1+1 TSRMLS_CC);
                }
        }
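Review bot: The first call at the top of this hunk, `php_strnlen(buffer+2, length-2)`, subtracts from what the hunk header suggests is a `size_t`, and no check that `length >= 2` is visible. If a shorter segment can reach this function, the bound wraps to a very large value and the scan runs past the buffer, the same class of over-read that the corrected `length-2-l1-1` closes for the second string. exif_process_APP12 begins outside the hunk, so a guard may already exist there or in the caller; if not, `if (length < 2) { return; }` before the first call would cover it. A layout comment such as `/* 2-byte length, "Company\0", then "Info\0"; bytes left for Info = length - 2 - l1 - 1 */` would make the arithmetic checkable at a glance.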
@@ -3428,6 +3428,10 @@ static int exif_scan_JPEG_header(image_info_type *ImageInfo TSRMLS_DC)
                        case M_SOF13:
                        case M_SOF14:
                        case M_SOF15:
+                               if ((itemlen - 2) < 6) {
+                                       return FALSE;
+                               }
+               
                                exif_process_SOFn(Data, marker, &sof_info);
                                ImageInfo->Width  = sof_info.width;
                                ImageInfo->Height = sof_info.height;
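Review bot: The added guard `(itemlen - 2) < 6` subtracts before comparing, so if `itemlen` is unsigned and can be below 2 at this point, the difference wraps and the check passes; `if (itemlen < 8) {` states the same bound without the subtraction. The declaration of `itemlen` and any earlier minimum-length check lie outside the hunk, so this may already be guaranteed. The constant 6 is unexplained, and a comment like `/* SOFn payload: exif_process_SOFn needs 6 bytes after the 2-byte length */` would tie it to the callee (confirm against exif_process_SOFn, which is not shown). The early `return FALSE` emits no diagnostic in this hunk, so a file rejected here is indistinguishable from other scan failures.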