Merge branch 'PHP-7.4'

* PHP-7.4: Fix #77919: Potential UAF in Phar RSHUTDOWN Update NEWS Fix bug #78256 (heap-buffer-overflow on exif_process_user_comment) Fix bug #78222 (heap-buffer-overflow on exif_scan_thumbnail)
2025-08-16 05:58:45 +02:00 · 2019-07-29 13:20:59 -07:00 · 2019-07-29 13:20:59 -07:00 · e043025fda
commit e043025fda
parent cab6b34224 4adf3dc109
7 changed files with 32 additions and 5 deletions
--- a/ext/exif/exif.c
+++ b/ext/exif/exif.c
@ -2970,11 +2970,11 @@ static int exif_process_user_comment(image_info_type *ImageInfo, char **pszInfoP
 			/* First try to detect BOM: ZERO WIDTH NOBREAK SPACE (FEFF 16)
 			 * since we have no encoding support for the BOM yet we skip that.
 			 */
-			if (!memcmp(szValuePtr, "\xFE\xFF", 2)) {
+			if (ByteCount >=2 && !memcmp(szValuePtr, "\xFE\xFF", 2)) {
 				decode = "UCS-2BE";
 				szValuePtr = szValuePtr+2;
 				ByteCount -= 2;
-			} else if (!memcmp(szValuePtr, "\xFF\xFE", 2)) {
+			} else if (ByteCount >=2 && !memcmp(szValuePtr, "\xFF\xFE", 2)) {
 				decode = "UCS-2LE";
 				szValuePtr = szValuePtr+2;
 				ByteCount -= 2;
@ -3847,7 +3847,7 @@ static int exif_scan_thumbnail(image_info_type *ImageInfo)
 	size_t          length=2, pos=0;
 	jpeg_sof_info   sof_info;

-	if (!data) {
+	if (!data || ImageInfo->Thumbnail.size < 4) {
 		return FALSE; /* nothing to do here */
 	}
 	if (memcmp(data, "\xFF\xD8\xFF", 3)) {
--- a/ext/exif/tests/bug78222.jpg
+++ b/ext/exif/tests/bug78222.jpg
--- a/ext/exif/tests/bug78222.phpt
+++ b/ext/exif/tests/bug78222.phpt
@ -0,0 +1,11 @@
+--TEST--
+Bug #78222 (heap-buffer-overflow on exif_scan_thumbnail)
+--SKIPIF--
+<?php if (!extension_loaded('exif')) print 'skip exif extension not available';?>
+--FILE--
+<?php
+exif_read_data(__DIR__."/bug78222.jpg", 'THUMBNAIL', FALSE, TRUE);
+?>
+DONE
+--EXPECTF--
+DONE
--- a/ext/exif/tests/bug78256.jpg
+++ b/ext/exif/tests/bug78256.jpg
--- a/ext/exif/tests/bug78256.phpt
+++ b/ext/exif/tests/bug78256.phpt
@ -0,0 +1,11 @@
+--TEST--
+Bug #78256 (heap-buffer-overflow on exif_process_user_comment)
+--SKIPIF--
+<?php if (!extension_loaded('exif')) print 'skip exif extension not available';?>
+--FILE--
+<?php
+@exif_read_data(__DIR__."/bug78256.jpg", 'COMMENT', FALSE, TRUE);
+?>
+DONE
+--EXPECTF--
+DONE
--- a/ext/phar/phar_object.c
+++ b/ext/phar/phar_object.c
@ -2005,7 +2005,7 @@ static zend_object *phar_rename_archive(phar_archive_data **sphar, char *ext) /*
 	char *newname = NULL, *newpath = NULL;
 	zval ret, arg1;
 	zend_class_entry *ce;
-	char *error;
+	char *error = NULL;
 	const char *pcr_error;
 	size_t ext_len = ext ? strlen(ext) : 0;
 	size_t new_len, oldname_len, phar_ext_len;
@ -2215,6 +2215,8 @@ its_ok:
 	phar_flush(phar, 0, 0, 1, &error);

 	if (error) {
+		zend_hash_str_del(&(PHAR_G(phar_fname_map)), newpath, phar->fname_len);
+		*sphar = NULL;
 		zend_throw_exception_ex(spl_ce_BadMethodCallException, 0, "%s", error);
 		efree(error);
 		efree(oldpath);
--- a/ext/phar/tests/bug71488.phpt
+++ b/ext/phar/tests/bug71488.phpt
@ -15,4 +15,7 @@ DONE
 ?>
 --EXPECTF--
 Fatal error: Uncaught BadMethodCallException: tar-based phar "%s/bug71488.test" cannot be created, link "%s" is too long for format in %sbug71488.php:%d
-Stack trace:%A
+Stack trace:
+#0 %s(%d): PharData->decompress('test')
+#1 {main}
+  thrown in %s on line %d