 
 


From eebcbd5de38a0f1c2876035402cb770e37476519 Mon Sep 17 00:00:00 2001
From: Stanislav Malyshev <stas@php.net>
Date: Sun, 17 Jul 2016 16:34:21 -0700
Subject: [PATCH] Fix bug #72603: Out of bound read in
exif_process_IFD_in_MAKERNOTE
Index: php5-5.4.45/ext/exif/exif.c
===================================================================
--- php5-5.4.45.orig/ext/exif/exif.c 2016-08-19 15:28:28.000000000 +0200
+++ php5-5.4.45/ext/exif/exif.c 2016-08-19 15:28:28.000000000 +0200
@@ -2747,6 +2747,12 @@
break;
}
+ if (maker_note->offset >= value_len) {
+ /* Do not go past the value end */
+ exif_error_docref("exif_read_data#error_ifd" EXIFERR_CC, ImageInfo, E_WARNING, "IFD data too short: 0x%04X offset 0x%04X", value_len, maker_note->offset);
+ return FALSE;
+ }
+
dir_start = value_ptr + maker_note->offset;
#ifdef EXIF_DEBUG
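Review bot: The guard `if (maker_note->offset >= value_len)` only guarantees that `dir_start` itself lies inside the value buffer, i.e. that at least one byte is readable there; the directory it points at begins with a 16-bit entry count (the `2+NumDirEntries*12` arithmetic later in this patch implies that layout), so an offset of `value_len - 1` still lets that two-byte read run one byte past the end. A tighter guard with the same warning is `if (value_len < 2 || maker_note->offset > value_len - 2)`, the first clause avoiding an unsigned wrap if `value_len` is a size_t. The entry-count read itself is not in this hunk, so confirm where it happens; the enclosing exif_process_IFD_in_MAKERNOTE begins before this hunk.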
@@ -2775,10 +2781,19 @@
offset_base = value_ptr;
break;
case MN_OFFSET_GUESS:
+ if (maker_note->offset + 10 + 4 >= value_len) {
+ /* Can not read dir_start+10 since it's beyond value end */
+ exif_error_docref("exif_read_data#error_ifd" EXIFERR_CC, ImageInfo, E_WARNING, "IFD data too short: 0x%04X", value_len);
+ return FALSE;
+ }
offset_diff = 2 + NumDirEntries*12 + 4 - php_ifd_get32u(dir_start+10, ImageInfo->motorola_intel);
#ifdef EXIF_DEBUG
exif_error_docref(NULL EXIFERR_CC, ImageInfo, E_NOTICE, "Using automatic offset correction: 0x%04X", ((int)dir_start-(int)offset_base+maker_note->offset+displacement) + offset_diff);
#endif
+ if (offset_diff < 0 || offset_diff >= value_len ) {
+ exif_error_docref("exif_read_data#error_ifd" EXIFERR_CC, ImageInfo, E_WARNING, "IFD data bad offset: 0x%04X length 0x%04X", offset_diff, value_len);
+ return FALSE;
+ }
offset_base = value_ptr + offset_diff;
break;
default:
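Review bot: The constants in `if (maker_note->offset + 10 + 4 >= value_len)` are unexplained: `10` is presumably the 2-byte entry count plus the tag, format and component fields of the first entry, making `dir_start+10` that entry's 4-byte value field, and `4` is the width of the `php_ifd_get32u` read — a comment such as `/* dir_start+10 is the first entry's 32-bit value field: 2 (count) + 2 (tag) + 2 (format) + 4 (components) */` would save the next reader the arithmetic. Note also that `>=` rejects the boundary case where those four bytes end exactly at the buffer end (`offset + 14 == value_len` is still readable); `>` would be the exact bound, though the conservative form is safe as written. The `offset_diff >= value_len` check establishes only that `offset_base` lies inside the value buffer; the per-entry offsets later added to it must still be bounded where the entries are processed, which is outside this hunk. The enclosing switch continues past the hunk.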
@@ -2787,7 +2802,7 @@
}
if ((2+NumDirEntries*12) > value_len) {
- exif_error_docref("exif_read_data#error_ifd" EXIFERR_CC, ImageInfo, E_WARNING, "Illegal IFD size: 2 + x%04X*12 = x%04X > x%04X", NumDirEntries, 2+NumDirEntries*12, value_len);
+ exif_error_docref("exif_read_data#error_ifd" EXIFERR_CC, ImageInfo, E_WARNING, "Illegal IFD size: 2 + 0x%04X*12 = 0x%04X > 0x%04X", NumDirEntries, 2+NumDirEntries*12, value_len);
return FALSE;
}
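Review bot: The size check `if ((2+NumDirEntries*12) > value_len)` bounds the directory against the whole value buffer, but the directory is read from `dir_start = value_ptr + maker_note->offset` (first hunk), so only `value_len - maker_note->offset` bytes actually lie behind it; a maker note with a non-zero offset whose directory fits `value_len` but not the remainder still reads past the end. The check should be `if ((2+NumDirEntries*12) > value_len - maker_note->offset)`, which cannot wrap because the earlier guard already rejects `offset >= value_len`, and the warning should then print the remaining length rather than `value_len`. The loop that consumes the entries is not in this hunk.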
@@ -3073,7 +3088,10 @@
break;
case TAG_MAKER_NOTE:
- exif_process_IFD_in_MAKERNOTE(ImageInfo, value_ptr, byte_count, offset_base, IFDlength, displacement TSRMLS_CC);
+ if (!exif_process_IFD_in_MAKERNOTE(ImageInfo, value_ptr, byte_count, offset_base, IFDlength, displacement TSRMLS_CC)) {
+ EFREE_IF(outside);
+ return FALSE;
+ }
break;
case TAG_EXIF_IFD_POINTER:
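Review bot: Turning the MakerNote result into `return FALSE` changes the failure mode of the whole IFD walk — previously the return value was ignored and the remaining tags were still processed — and nothing at the call site records that this is intended; a comment such as `/* A malformed MakerNote aborts the whole IFD rather than being skipped */` above the `if` would document the decision. `EFREE_IF(outside)` on the new error path has to match what the other `return FALSE` paths of exif_process_IFD_TAG do with `outside`; the declaration of `outside` and those paths are not in this hunk, so check that it is initialised before this point on every path through the switch. The enclosing function starts before and ends after this hunk.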