Fix bug #71459 - Integer overflow in iptcembed()

diff --git a/ext/standard/iptc.c b/ext/standard/iptc.c
index a3547067f6c7fc36e9a60682967fe699ef2bf6c1..b10d84415f305efaf9fa9b4e2c748bfd7e06121a 100644 (file)
--- a/ext/standard/iptc.c
+++ b/ext/standard/iptc.c
@@ -196,6 +196,11 @@ PHP_FUNCTION(iptcembed)
                RETURN_FALSE;
        }
 
+       if (iptcdata_len >= SIZE_MAX - sizeof(psheader) - 1025) {
+               php_error_docref(NULL TSRMLS_CC, E_WARNING, "IPTC data too large");
+               RETURN_FALSE;
+       }
+
        if ((fp = VCWD_FOPEN(jpeg_file, "rb")) == 0) {
                php_error_docref(NULL, E_WARNING, "Unable to open %s", jpeg_file);
                RETURN_FALSE;
@@ -204,7 +209,7 @@ PHP_FUNCTION(iptcembed)
        if (spool < 2) {
                zend_fstat(fileno(fp), &sb);
 
-               spoolbuf = zend_string_alloc(iptcdata_len + sizeof(psheader) + sb.st_size + 1024, 0);
+               spoolbuf = zend_string_safe_alloc(1, iptcdata_len + sizeof(psheader) + 1024 + 1, sb.st_size, 0);
                poi = (unsigned char*)ZSTR_VAL(spoolbuf);
                memset(poi, 0, iptcdata_len + sizeof(psheader) + sb.st_size + 1024 + 1);
        }