From: Felipe Pena
Date: Sun, 3 Jun 2012 18:23:07 +0000 (-0300)
Subject: - Fixed information leak in ext exif (discovered by Martin Noga, Matthew "j00ru"...
X-Git-Tag: php-5.3.15RC1~60^2
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=e59b6dc0ae803d49c3f620818285f98dfb61fd57;p=php

- Fixed information leak in ext exif (discovered by Martin Noga, Matthew "j00ru" Jurczyk, Gynvael Coldwind)
---
diff --git a/ext/exif/exif.c b/ext/exif/exif.c
index 9468c2380b..604010b039 100644
--- a/ext/exif/exif.c
+++ b/ext/exif/exif.c
@@ -3278,7 +3278,7 @@ static void exif_process_APP12(image_info_type *ImageInfo, char *buffer, size_t
 if ((l1 = php_strnlen(buffer+2, length-2)) > 0) {
 exif_iif_add_tag(ImageInfo, SECTION_APP12, "Company", TAG_NONE, TAG_FMT_STRING, l1, buffer+2 TSRMLS_CC);
 if (length > 2+l1+1) {
- l2 = php_strnlen(buffer+2+l1+1, length-2-l1+1);
+ l2 = php_strnlen(buffer+2+l1+1, length-2-l1-1);
 exif_iif_add_tag(ImageInfo, SECTION_APP12, "Info", TAG_NONE, TAG_FMT_STRING, l2, buffer+2+l1+1 TSRMLS_CC);
 }
 }
@@ -3428,6 +3428,10 @@ static int exif_scan_JPEG_header(image_info_type *ImageInfo TSRMLS_DC)
 case M_SOF13:
 case M_SOF14:
 case M_SOF15:
+ if ((itemlen - 2) < 6) {
+ return FALSE;
+ }
+
 exif_process_SOFn(Data, marker, &sof_info);
 ImageInfo->Width = sof_info.width;
 ImageInfo->Height = sof_info.height;
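Review bot: The offset `2+l1+1` is still spelled out by hand four times in exif_process_APP12 (the guard, both pointer arguments and the corrected bound), which is how the sign slip in the old bound went unnoticed; computing it once, e.g. `size_t off = 2 + l1 + 1;` followed by `l2 = php_strnlen(buffer + off, length - off);`, keeps the pointer and the remaining length in step. The enclosing `if (length > 2+l1+1)` makes the new subtraction safe, but the first call's `length-2` depends on the caller never passing a segment shorter than two bytes; if `length` is unsigned, as the truncated signature suggests, a smaller value would wrap to a very large bound. That guarantee is not visible here because the function starts outside the hunk, so a comment such as `/* caller guarantees length >= 2 (segment length field) */` or an explicit early return would make it checkable.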
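Review bot: The added guard `(itemlen - 2) < 6` is only correct if `itemlen` can never be below 2 at this point: if `itemlen` is an unsigned type (its declaration is outside the hunk), a value of 0 or 1 wraps on the subtraction and the check passes, so `if (itemlen < 8) {` states the same minimum without relying on an earlier check. The 6 is presumably the fixed part of a SOFn segment that exif_process_SOFn reads after the two length bytes; a comment like `/* SOFn: 2 length bytes + precision(1), height(2), width(2), components(1) */` would tie the constant to what the reader consumes. If other corrupt-segment paths in this function log a warning before returning, this `return FALSE` should do the same so a truncated file is distinguishable from other failures. The case body and the rest of exif_scan_JPEG_header continue outside the hunk.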