From f3aefc6d071b807ddacae0a0bc49f09c38e18490 Mon Sep 17 00:00:00 2001 From: Stanislav Malyshev Date: Sun, 17 Mar 2019 22:54:46 -0700 Subject: [PATCH] Fix bug #77753 - Heap-buffer-overflow in php_ifd_get32s --- ext/exif/exif.c | 4 ++++ ext/exif/tests/bug77753.phpt | 16 ++++++++++++++++ ext/exif/tests/bug77753.tiff | Bin 0 -> 873 bytes 3 files changed, 20 insertions(+) create mode 100644 ext/exif/tests/bug77753.phpt create mode 100644 ext/exif/tests/bug77753.tiff diff --git a/ext/exif/exif.c b/ext/exif/exif.c index fe89b85471..0b5bb5ae21 100644 --- a/ext/exif/exif.c +++ b/ext/exif/exif.c @@ -2802,6 +2802,10 @@ static int exif_process_IFD_in_MAKERNOTE(image_info_type *ImageInfo, char * valu exif_error_docref("exif_read_data#error_ifd" EXIFERR_CC, ImageInfo, E_WARNING, "Illegal IFD size: 2 + 0x%04X*12 = 0x%04X > 0x%04X", NumDirEntries, 2+NumDirEntries*12, value_len); return FALSE; } + if ((dir_start - value_ptr) > value_len - (2+NumDirEntries*12)) { + exif_error_docref("exif_read_data#error_ifd" EXIFERR_CC, ImageInfo, E_WARNING, "Illegal IFD size: 0x%04X > 0x%04X", (dir_start - value_ptr) + (2+NumDirEntries*12), value_len); + return FALSE; + } for (de=0;de +--FILE-- + +DONE +--EXPECTF-- +%A +Warning: exif_read_data(bug77753.tiff): Illegal IFD size: 0x006A > 0x0065 in %sbug77753.php on line %d + +Warning: exif_read_data(bug77753.tiff): Invalid TIFF file in %sbug77753.php on line %d +bool(false) +DONE \ No newline at end of file diff --git a/ext/exif/tests/bug77753.tiff b/ext/exif/tests/bug77753.tiff new file mode 100644 index 0000000000000000000000000000000000000000..b237f39e2b30f67b8ddab06f9766308aaa4eb05c GIT binary patch literal 873 zcmebD)MDUZU|>*SPyhiii-Cck5yIXC;)4KG9L{E9V5pg-ppXg_XJLk_0ZUR!{3mFD zzfYuZKxnXne?W+*v!joKv%j8>PlyWxL5)LF!G9nak`Bk|=)vb5aEfA3P~ZS!AV5#+ KAU>ty3JL%Yp>9h6 literal 0 HcmV?d00001 -- 2.49.0