archive/php-src
1
0
Fork 0
mirror of https://github.com/php/php-src.git synced 2025-08-15 21:48:51 +02:00
Code Issues Projects Releases Packages Wiki Activity Actions 3

Fix leak of temporary buffer during exif tag reading

Browse source
This commit is contained in:
Nikita Popov 2019-09-22 12:10:17 +02:00
parent 0701835c01
commit f989a4cd44
3 changed files with 12 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

2
ext/exif/exif.c
View file

@ -3588,9 +3588,11 @@ static int exif_process_IFD_TAG(image_info_type *ImageInfo, char *dir_entry, cha
Subdir_start = offset_base + php_ifd_get32u(value_ptr, ImageInfo->motorola_intel); Subdir_start = offset_base + php_ifd_get32u(value_ptr, ImageInfo->motorola_intel);
if (Subdir_start < offset_base || Subdir_start > offset_base+IFDlength) { if (Subdir_start < offset_base || Subdir_start > offset_base+IFDlength) {
exif_error_docref("exif_read_data#error_ifd" EXIFERR_CC, ImageInfo, E_WARNING, "Illegal IFD Pointer"); exif_error_docref("exif_read_data#error_ifd" EXIFERR_CC, ImageInfo, E_WARNING, "Illegal IFD Pointer");
EFREE_IF(outside);
return FALSE; return FALSE;
} }
if (!exif_process_IFD_in_JPEG(ImageInfo, Subdir_start, offset_base, IFDlength, displacement, sub_section_index, tag)) { if (!exif_process_IFD_in_JPEG(ImageInfo, Subdir_start, offset_base, IFDlength, displacement, sub_section_index, tag)) {
EFREE_IF(outside);
return FALSE; return FALSE;
} }
#ifdef EXIF_DEBUG #ifdef EXIF_DEBUG

BIN
ext/exif/tests/temporary_buffer_leak.jpg Normal file
View file

Binary file not shown.

10
ext/exif/tests/temporary_buffer_leak.phpt Normal file
View file

@ -0,0 +1,10 @@
--TEST--
OSS-Fuzz: Temporary buffer leak in tag reading
--FILE--
<?php
var_dump(@exif_read_data(__DIR__ . '/temporary_buffer_leak.jpg'));
?>
--EXPECT--
bool(false)