Fix bug #65873 - Integer overflow in exif_read_data()
authorStanislav Malyshev <stas@php.net>
Sun, 8 Dec 2013 23:37:35 +0000 (15:37 -0800)
committerStanislav Malyshev <stas@php.net>
Fri, 18 Jul 2014 22:37:15 +0000 (15:37 -0700)
ext/exif/exif.c

index 4f67bdd04626b4be0d2a29523daab34fb923e488..862e92b5fb155ba7cf3585ec813362dd0d0bd558 100644 (file)
@@ -2874,7 +2874,12 @@ static int exif_process_IFD_TAG(image_info_type *ImageInfo, char *dir_entry, cha
                offset_val = php_ifd_get32u(dir_entry+8, ImageInfo->motorola_intel);
                /* If its bigger than 4 bytes, the dir entry contains an offset. */
                value_ptr = offset_base+offset_val;
-               if (byte_count > IFDlength || offset_val > IFDlength-byte_count || value_ptr < dir_entry) {
+        /* 
+            dir_entry is ImageInfo->file.list[sn].data+2+i*12
+            offset_base is ImageInfo->file.list[sn].data-dir_offset 
+            dir_entry - offset_base is dir_offset+2+i*12
+        */
+               if (byte_count > IFDlength || offset_val > IFDlength-byte_count || value_ptr < dir_entry || offset_val < (size_t)(dir_entry-offset_base)) {
                        /* It is important to check for IMAGE_FILETYPE_TIFF
                         * JPEG does not use absolute pointers instead its pointers are
                         * relative to the start of the TIFF header in APP1 section. */
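Review bot: The new integer guard `offset_val < (size_t)(dir_entry-offset_base)` is evaluated only after `value_ptr = offset_base+offset_val;` has already been computed on the line above it, so an out-of-range offset still produces an out-of-bounds pointer before anything validates it, and the retained `value_ptr < dir_entry` term is then comparing a pointer that may have wrapped. Moving the assignment below the `if` (`if (byte_count > IFDlength || offset_val > IFDlength-byte_count || offset_val < (size_t)(dir_entry-offset_base)) {` … `}` then `value_ptr = offset_base+offset_val;`) would build the pointer only from a checked offset and let the pointer comparison be dropped, provided the error branch inside the `if` does not itself read `value_ptr` — that branch is outside the hunk, so confirm before reordering. The added comment block is indented with spaces where the surrounding lines use tabs, and it describes how `dir_entry` and `offset_base` are derived by the caller, which this hunk cannot show; a one-line version such as `/* offset_val must not point before this directory entry's base (see caller) */` would be easier to keep accurate. exif_process_IFD_TAG begins and ends outside this hunk.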