From 1cda0d7c2ffb62d8331c64e703131d9cabdc03ea Mon Sep 17 00:00:00 2001
From: Stanislav Malyshev <stas@php.net>
Date: Sat, 31 Dec 2016 19:31:49 -0800
Subject: [PATCH] CVE-2016-10158
Fix bug #73737 FPE when parsing a tag format
[roberto@debian.org: backported to 5.4.45]
Bug: https://bugs.php.net/bug.php?id=73737
Origin: backport, http://git.php.net/?p=php-src.git;a=commitdiff;h=1cda0d7c2ffb62d8331c64e703131d9cabdc03ea
---
ext/exif/exif.c | 2 +-
ext/exif/tests/bug73737.phpt | 12 ++++++++++++
ext/exif/tests/bug73737.tiff | Bin 0 -> 48 bytes
3 files changed, 13 insertions(+), 1 deletion(-)
create mode 100644 ext/exif/tests/bug73737.phpt
create mode 100644 ext/exif/tests/bug73737.tiff
--- php5.git.orig/ext/exif/exif.c
+++ php5.git/ext/exif/exif.c
@@ -1313,7 +1313,7 @@
if (s_den == 0) {
return 0;
} else {
- return php_ifd_get32s(value, motorola_intel) / s_den;
+ return (size_t)((double)php_ifd_get32s(value, motorola_intel) / s_den);
}
case TAG_FMT_SSHORT: return php_ifd_get16u(value, motorola_intel);
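Review bot: The new `(size_t)((double)php_ifd_get32s(value, motorola_intel) / s_den)` avoids the integer-division trap, but a negative quotient is now converted from double to an unsigned type, which is undefined behaviour in C rather than the modular wrap the old integer path produced. Both operands appear to come from the file being parsed, so I would make the range explicit, e.g. `double q = (double)php_ifd_get32s(value, motorola_intel) / s_den;` followed by `return q < 0 ? 0 : (size_t)q;`, or reject the tag instead; which is right depends on callers that are outside this hunk. A comment such as `/* divide as double: the integer division can trap (presumably INT_MIN / -1) */` would record why the cast is there. The enclosing function starts and ends outside the hunk, so the `size_t` return type is inferred from the cast.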
--- /dev/null
+++ php5.git/ext/exif/tests/bug73737.phpt
@@ -0,0 +1,12 @@
+--TEST--
+Bug #73737 (Crash when parsing a tag format)
+--SKIPIF--
+<?php if (!extension_loaded('exif')) print 'skip exif extension not available';?>
+--FILE--
+<?php
+ $exif = exif_thumbnail(__DIR__ . '/bug73737.tiff');
+ var_dump($exif);
+?>
+--EXPECTF--
+Warning: exif_thumbnail(bug73737.tiff): Error in TIFF: filesize(x0030) less than start of IFD dir(x10102) in %s line %d
+bool(false)
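Review bot: This test depends on `bug73737.tiff`, which the diffstat lists as a new 48-byte binary, but no binary hunk for it is visible in this patch. If the backport does not ship the fixture some other way, `exif_thumbnail()` would fail on a missing file, the `--EXPECTF--` warning would not match, and the regression would go unexercised; it is worth confirming the fixture is installed alongside the patch. The expected output also pins only the crashing input, so a second case with a negative signed rational would cover the sign handling of the new cast in `exif.c`.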