Fix bug #76423 - Int Overflow lead to Heap OverFlow in exif_thumbnail_extract of exif.c

Stanislav Malyshev 2018-06-19 16:26:36 -07:00
parent fe3d53f443
commit 1baeae4270
3 changed files with 23 additions and 1 deletions


@ -2545,7 +2545,10 @@ static void exif_thumbnail_extract(image_info_type *ImageInfo, char *offset, siz
return; return;
} }
/* Check to make sure we are not going to go past the ExifLength */ /* Check to make sure we are not going to go past the ExifLength */
if ((ImageInfo->Thumbnail.offset + ImageInfo->Thumbnail.size) > length) { if (ImageInfo->Thumbnail.size > length
|| (ImageInfo->Thumbnail.offset + ImageInfo->Thumbnail.size) > length
|| ImageInfo->Thumbnail.offset > length - ImageInfo->Thumbnail.size
) {
EXIF_ERRLOG_THUMBEOF(ImageInfo) EXIF_ERRLOG_THUMBEOF(ImageInfo)
return; return;
} }
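Review bot: The middle clause of the new condition, `(ImageInfo->Thumbnail.offset + ImageInfo->Thumbnail.size) > length`, is the same sum that could wrap around before this change, and it is now redundant. The first clause rejects a size larger than length and the third compares the offset with `length - ImageInfo->Thumbnail.size` without adding, so together they cover every case the sum covers, and the wrapped case as well. Keeping the wrapping expression invites a later reader to treat it as the real check or to reorder the clauses; I would drop it and add a comment such as `/* size is tested first so that length - size cannot underflow; do not reorder */`. This assumes the operands are unsigned: the truncated hunk header suggests `size_t length`, and the Thumbnail field types are not visible here. exif_thumbnail_extract begins and ends outside the hunk.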

BIN
ext/exif/tests/bug76423.jpg Normal file

Binary file not shown.


@ -0,0 +1,19 @@
--TEST--
Bug #76423 (Int Overflow lead to Heap OverFlow in exif_thumbnail_extract of exif.c)
--SKIPIF--
<?php
if (!extension_loaded('exif')) die('skip exif extension not available');
?>
--FILE--
<?php
exif_read_data(__DIR__ . '/bug76423.jpg', 0, true, true);
?>
===DONE===
--EXPECTF--
Warning: exif_read_data(%s.jpg): Thumbnail goes IFD boundary or end of file reached in %s on line %d
Warning: exif_read_data(%s.jpg): File structure corrupted in %s on line %d
Warning: exif_read_data(%s.jpg): Invalid JPEG file in %s on line %d
===DONE===
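Review bot: Nothing in the --FILE-- section records why `exif_read_data()` is called with the fourth argument set to `true`, which is presumably what sends the fixture through thumbnail extraction and so through the new bounds check. A one-line comment above the call, for example `// 4th argument (thumbnail) must stay true: it is what reaches the thumbnail bounds check`, would keep a later cleanup from silently turning this into a test that no longer covers the fix. The expected output also pins the two follow-on warnings ("File structure corrupted", "Invalid JPEG file"), so an unrelated change to those messages would fail this test. If that coupling is intended, a short note in the test saying so would help.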