From: Stanislav Malyshev <stas@php.net>
Date: Mon, 18 Mar 2019 05:54:46 +0000 (-0700)
Subject: Fix bug #77753 - Heap-buffer-overflow in php_ifd_get32s
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=a1631ac57b853edd81431e57c266ec813e180acd;p=php

Fix bug #77753 - Heap-buffer-overflow in php_ifd_get32s
---

diff --git a/ext/exif/exif.c b/ext/exif/exif.c
index ae2b9a2012..60c6fda821 100644
--- a/ext/exif/exif.c
+++ b/ext/exif/exif.c
@@ -3187,6 +3187,10 @@ static int exif_process_IFD_in_MAKERNOTE(image_info_type *ImageInfo, char * valu
 		exif_error_docref("exif_read_data#error_ifd" EXIFERR_CC, ImageInfo, E_WARNING, "Illegal IFD size: 2 + 0x%04X*12 = 0x%04X > 0x%04X", NumDirEntries, 2+NumDirEntries*12, value_len);
 		return FALSE;
 	}
+	if ((dir_start - value_ptr) > value_len - (2+NumDirEntries*12)) {
+		exif_error_docref("exif_read_data#error_ifd" EXIFERR_CC, ImageInfo, E_WARNING, "Illegal IFD size: 0x%04X > 0x%04X", (dir_start - value_ptr) + (2+NumDirEntries*12), value_len);
+		return FALSE;
+	}
 
 	for (de=0;de<NumDirEntries;de++) {
 		if (!exif_process_IFD_TAG(ImageInfo, dir_start + 2 + 12 * de,
diff --git a/ext/exif/tests/bug77753.phpt b/ext/exif/tests/bug77753.phpt
new file mode 100644
index 0000000000..d987a5cf46
--- /dev/null
+++ b/ext/exif/tests/bug77753.phpt
@@ -0,0 +1,16 @@
+--TEST--
+Bug #77753 (Heap-buffer-overflow in php_ifd_get32s)
+--SKIPIF--
+<?php if (!extension_loaded('exif')) print 'skip exif extension not available';?>
+--FILE--
+<?php
+var_dump(exif_read_data(__DIR__."/bug77753.tiff"));
+?>
+DONE
+--EXPECTF--
+%A
+Warning: exif_read_data(bug77753.tiff): Illegal IFD size: 0x006A > 0x0065 in %sbug77753.php on line %d
+
+Warning: exif_read_data(bug77753.tiff): Invalid TIFF file in %sbug77753.php on line %d
+bool(false)
+DONE
\ No newline at end of file
diff --git a/ext/exif/tests/bug77753.tiff b/ext/exif/tests/bug77753.tiff
new file mode 100644
index 0000000000..b237f39e2b
Binary files /dev/null and b/ext/exif/tests/bug77753.tiff differ