From 082aecfc3a753ad03be82cf14f03ac065723ec92 Mon Sep 17 00:00:00 2001
From: Stanislav Malyshev
Date: Sun, 24 Apr 2016 19:33:52 -0700
Subject: [PATCH] Fix bug #72094 - Out of bounds heap read access in exif header processing
---
 ext/exif/exif.c | 17 ++++++++--
 ext/exif/tests/bug72094.phpt | 61 ++++++++++++++++++++++++++++++++++
 ext/exif/tests/bug72094_1.jpg | Bin 0 -> 140 bytes
 ext/exif/tests/bug72094_2.jpg | Bin 0 -> 140 bytes
 ext/exif/tests/bug72094_3.jpg | Bin 0 -> 112 bytes
 ext/exif/tests/bug72094_4.jpg | Bin 0 -> 32 bytes
 6 files changed, 76 insertions(+), 2 deletions(-)
 create mode 100644 ext/exif/tests/bug72094.phpt
 create mode 100644 ext/exif/tests/bug72094_1.jpg
 create mode 100644 ext/exif/tests/bug72094_2.jpg
 create mode 100644 ext/exif/tests/bug72094_3.jpg
 create mode 100644 ext/exif/tests/bug72094_4.jpg
diff --git a/ext/exif/exif.c b/ext/exif/exif.c
index ff29fdd0fa..f366acc552 100644
--- a/ext/exif/exif.c
+++ b/ext/exif/exif.c
@@ -2965,7 +2965,7 @@ static int exif_process_IFD_TAG(image_info_type *ImageInfo, char *dir_entry, cha
 /* When there are any characters after the first NUL */
 ImageInfo->CopyrightPhotographer = estrdup(value_ptr);
 ImageInfo->CopyrightEditor = estrndup(value_ptr+length+1, byte_count-length-1);
- spprintf(&ImageInfo->Copyright, 0, "%s, %s", value_ptr, value_ptr+length+1);
+ spprintf(&ImageInfo->Copyright, 0, "%s, %s", ImageInfo->CopyrightPhotographer, ImageInfo->CopyrightEditor);
 /* format = TAG_FMT_UNDEFINED; this musn't be ASCII */
 /* but we are not supposed to change this */
 /* keep in mind that image_info does not store editor value */
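Review bot: The rewritten `spprintf(&ImageInfo->Copyright, ...)` line depends on the `estrndup(value_ptr+length+1, byte_count-length-1)` copy two lines above it, and that call is only well-defined if a check that `length+1 <= byte_count` precedes it; that check is outside the hunk, so it should be confirmed, because `byte_count-length-1` would otherwise wrap to a huge size. The reason for switching to the copies is not recorded anywhere, and the shorter form is tempting to restore; a one-line comment such as `/* format the NUL-terminated copies: value_ptr+length+1 need not be terminated within byte_count */` would keep the next maintainer from reverting it. exif_process_IFD_TAG starts and ends outside the hunk.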
@@ -3134,6 +3134,11 @@ static int exif_process_IFD_in_JPEG(image_info_type *ImageInfo, char *dir_start,
 ImageInfo->sections_found |= FOUND_IFD0;
+ if ((dir_start + 2) >= (offset_base+IFDlength)) {
+ exif_error_docref("exif_read_data#error_ifd" EXIFERR_CC, ImageInfo, E_WARNING, "Illegal IFD size");
+ return FALSE;
+ }
+
 NumDirEntries = php_ifd_get16u(dir_start, ImageInfo->motorola_intel);
 if ((dir_start+2+NumDirEntries*12) > (offset_base+IFDlength)) {
@@ -3157,6 +3162,10 @@ static int exif_process_IFD_in_JPEG(image_info_type *ImageInfo, char *dir_start,
 * Hack to make it process IDF1 I hope
 * There are 2 IDFs, the second one holds the keys (0x0201 and 0x0202) to the thumbnail
 */
+ if ((dir_start+2+12*de + 4) >= (offset_base+IFDlength)) {
+ exif_error_docref("exif_read_data#error_ifd" EXIFERR_CC, ImageInfo, E_WARNING, "Illegal IFD size");
+ return FALSE;
+ }
 NextDirOffset = php_ifd_get32u(dir_start+2+12*de, ImageInfo->motorola_intel);
 if (NextDirOffset) {
 /* the next line seems false but here IFDlength means length of all IFDs */
@@ -3206,9 +3215,13 @@ static void exif_process_TIFF_in_JPEG(image_info_type *ImageInfo, char *CharBuf,
 }
 /* Check the next two values for correctness. */
+ if (length < 8) {
+ exif_error_docref(NULL EXIFERR_CC, ImageInfo, E_WARNING, "Invalid TIFF start (1)");
+ return;
+ }
 exif_value_2a = php_ifd_get16u(CharBuf+2, ImageInfo->motorola_intel);
 offset_of_ifd = php_ifd_get32u(CharBuf+4, ImageInfo->motorola_intel);
- if ( exif_value_2a != 0x2a || offset_of_ifd < 0x08) {
+ if (exif_value_2a != 0x2a || offset_of_ifd < 0x08) {
 exif_error_docref(NULL EXIFERR_CC, ImageInfo, E_WARNING, "Invalid TIFF start (1)");
 return;
 }
diff --git a/ext/exif/tests/bug72094.phpt b/ext/exif/tests/bug72094.phpt
new file mode 100644
index 0000000000..17674d0d9a
--- /dev/null
+++ b/ext/exif/tests/bug72094.phpt
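Review bot: Both new size checks in this function test with `>=` where the read they guard only needs `>`: the 2-byte read at `dir_start` ends at `dir_start+2`, the 4-byte read in the second hunk (@@ -3157) ends at `dir_start+2+12*de+4`, and a pointer equal to `offset_base+IFDlength` is one-past-the-end, which is still inside the buffer. The first case is harmless, but the second rejects an IFD whose next-IFD offset field ends exactly at `offset_base+IFDlength`; if IFDlength can be exactly the length of the IFD data, that turns a well-formed minimal file into an "Illegal IFD size" warning, and `if ((dir_start+2+12*de + 4) > (offset_base+IFDlength)) {` would avoid that without weakening the fix (the bug72094_2/_3 expectations in the new phpt would need re-checking after such a change). The second check would also benefit from a comment naming what it protects, e.g. `/* the 4-byte next-IFD offset follows the last of the de entries */`. exif_process_IFD_in_JPEG starts and ends outside these hunks.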
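Review bot: The new `if (length < 8)` guard in exif_process_TIFF_in_JPEG emits the same "Invalid TIFF start (1)" text as the byte-order/0x2a check right below it, so a truncated header and a malformed one are indistinguishable in the warning; since the phpt added in this commit expects that exact text for bug72094_4.jpg, a comment rather than a new message is the cheap fix, e.g. `/* need the 2-byte byte-order mark, the 0x2a marker and the 4-byte IFD offset: 8 bytes */`. Whether `length` is an unsigned type (so that a negative value cannot pass the comparison) is not visible in the hunk and is worth confirming. exif_process_TIFF_in_JPEG starts and ends outside the hunk.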
@@ -0,0 +1,61 @@
+--TEST--
+Bug #72094: Out of bounds heap read access in exif header processing
+--SKIPIF--
+
+--FILE--
+
+DONE
+--EXPECTF--
+Warning: exif_read_data(bug72094_1.jpg): Process tag(x3030=UndefinedTa): Illegal format code 0x3030, suppose BYTE in %s/bug72094.php on line %d
+
+Warning: exif_read_data(bug72094_1.jpg): Process tag(x3030=UndefinedTa): Illegal format code 0x3030, suppose BYTE in %s/bug72094.php on line %d
+
+Warning: exif_read_data(bug72094_1.jpg): Process tag(x3030=UndefinedTa): Illegal format code 0x3030, suppose BYTE in %s/bug72094.php on line %d
+
+Warning: exif_read_data(bug72094_1.jpg): Process tag(x3030=UndefinedTa): Illegal format code 0x3030, suppose BYTE in %s/bug72094.php on line %d
+
+Warning: exif_read_data(bug72094_1.jpg): Process tag(x3030=UndefinedTa): Illegal format code 0x3030, suppose BYTE in %s/bug72094.php on line %d
+
+Warning: exif_read_data(bug72094_1.jpg): Process tag(x8298=Copyright ): Illegal format code 0x3030, suppose BYTE in %s/bug72094.php on line %d
+
+Warning: exif_read_data(bug72094_1.jpg): Illegal IFD offset in %s/bug72094.php on line %d
+
+Warning: exif_read_data(bug72094_1.jpg): File structure corrupted in %s/bug72094.php on line %d
+
+Warning: exif_read_data(bug72094_1.jpg): Invalid JPEG file in %s/bug72094.php on line %d
+
+Warning: exif_read_data(bug72094_2.jpg): Illegal IFD size in %s/bug72094.php on line %d
+
+Warning: exif_read_data(bug72094_2.jpg): File structure corrupted in %s/bug72094.php on line %d
+
+Warning: exif_read_data(bug72094_2.jpg): Invalid JPEG file in %s/bug72094.php on line %d
+
+Warning: exif_read_data(bug72094_3.jpg): Process tag(x3030=UndefinedTa): Illegal format code 0x3030, suppose BYTE in %s/bug72094.php on line %d
+
+Warning: exif_read_data(bug72094_3.jpg): Process tag(x3030=UndefinedTa): Illegal format code 0x3030, suppose BYTE in %s/bug72094.php on line %d
+
+Warning: exif_read_data(bug72094_3.jpg): Process tag(x3030=UndefinedTa): Illegal format code 0x3030, suppose BYTE 
in %s/bug72094.php on line %d
+
+Warning: exif_read_data(bug72094_3.jpg): Process tag(x3030=UndefinedTa): Illegal format code 0x3030, suppose BYTE in %s/bug72094.php on line %d
+
+Warning: exif_read_data(bug72094_3.jpg): Process tag(x3030=UndefinedTa): Illegal format code 0x3030, suppose BYTE in %s/bug72094.php on line %d
+
+Warning: exif_read_data(bug72094_3.jpg): Process tag(x3030=UndefinedTa): Illegal format code 0x3030, suppose BYTE in %s/bug72094.php on line %d
+
+Warning: exif_read_data(bug72094_3.jpg): Illegal IFD size in %s/bug72094.php on line %d
+
+Warning: exif_read_data(bug72094_3.jpg): File structure corrupted in %s/bug72094.php on line %d
+
+Warning: exif_read_data(bug72094_3.jpg): Invalid JPEG file in %s/bug72094.php on line %d
+
+Warning: exif_read_data(bug72094_4.jpg): Invalid TIFF start (1) in %s/bug72094.php on line %d
+
+Warning: exif_read_data(bug72094_4.jpg): File structure corrupted in %s/bug72094.php on line %d
+
+Warning: exif_read_data(bug72094_4.jpg): Invalid JPEG file in %s/bug72094.php on line %d
+DONE
\ No newline at end of file
diff --git a/ext/exif/tests/bug72094_1.jpg b/ext/exif/tests/bug72094_1.jpg
new file mode 100644
index 0000000000000000000000000000000000000000..d21382b44b0762b1b94bf39a7ca5375f8d0cb379
GIT binary patch
literal 140
zcmex=!+=4+00lf`sBo>wOk-g1^<~gvU|`^2U<1hmS&T4sc-SoHYMN$%^>PCBq`~CS
IX$G(W0O%VRPyhe`
literal 0
HcmV?d00001
diff --git a/ext/exif/tests/bug72094_2.jpg b/ext/exif/tests/bug72094_2.jpg
new file mode 100644
index 0000000000000000000000000000000000000000..ec414ce02b17d151a473097ca5db8f0a89ffd8a5
GIT binary patch
literal 140
kcmex=!+=4+00lf`sBo>wOk-g1^<~gvU|=Xfk)