From 1baeae42703f9b2ec21fff787146eeca08d45535 Mon Sep 17 00:00:00 2001
From: Stanislav Malyshev
Date: Tue, 19 Jun 2018 16:26:36 -0700
Subject: [PATCH] Fix bug #76423 - Int Overflow lead to Heap OverFlow in exif_thumbnail_extract of exif.c
---
 ext/exif/exif.c | 5 ++++-
 ext/exif/tests/bug76423.jpg | Bin 0 -> 1537 bytes
 ext/exif/tests/bug76423.phpt | 19 +++++++++++++++++++
 3 files changed, 23 insertions(+), 1 deletion(-)
 create mode 100644 ext/exif/tests/bug76423.jpg
 create mode 100644 ext/exif/tests/bug76423.phpt
diff --git a/ext/exif/exif.c b/ext/exif/exif.c
index e535278fc96..1147980f773 100644
--- a/ext/exif/exif.c
+++ b/ext/exif/exif.c
@@ -2545,7 +2545,10 @@ static void exif_thumbnail_extract(image_info_type *ImageInfo, char *offset, siz
 return;
 }
 /* Check to make sure we are not going to go past the ExifLength */
-if ((ImageInfo->Thumbnail.offset + ImageInfo->Thumbnail.size) > length) {
+if (ImageInfo->Thumbnail.size > length
+|| (ImageInfo->Thumbnail.offset + ImageInfo->Thumbnail.size) > length
+|| ImageInfo->Thumbnail.offset > length - ImageInfo->Thumbnail.size
+) {
 EXIF_ERRLOG_THUMBEOF(ImageInfo)
 return;
 }
diff --git a/ext/exif/tests/bug76423.jpg b/ext/exif/tests/bug76423.jpg
new file mode 100644
index 0000000000000000000000000000000000000000..08fe2bbc5789c39a011865e6d1f9c3cde1f7ee9b
GIT binary patch
literal 1537
zcmex=;~_JHYei-n1B0(GgBAk=!v_W?MnMJ^AdB(;e+EWIaR{4%0muVlbWlEI0nmpG U3>;u`lo$
+--FILE--
+
+===DONE===
+--EXPECTF--
+
+Warning: exif_read_data(%s.jpg): Thumbnail goes IFD boundary or end of file reached in %s on line %d
+
+Warning: exif_read_data(%s.jpg): File structure corrupted in %s on line %d
+
+Warning: exif_read_data(%s.jpg): Invalid JPEG file in %s on line %d ===DONE===
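Review bot: The middle clause `(ImageInfo->Thumbnail.offset + ImageInfo->Thumbnail.size) > length` in the new condition is redundant: once `Thumbnail.size > length` has been rejected, `Thumbnail.offset > length - Thumbnail.size` is the wrap-free equivalent of the same bound, so the retained addition is exactly the expression that overflowed in the report and can be dropped. The subtraction form also deserves a short comment so the next maintainer does not "simplify" it back, e.g. `/* size <= length here, so length - size cannot underflow; avoid offset + size, which can wrap */`. The declared types of `Thumbnail.offset`, `Thumbnail.size` and `length` are not visible in the hunk; if any of them is narrower or signed relative to the others, the three comparisons should be re-checked for implicit conversions. exif_thumbnail_extract begins before and continues after this hunk.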