From 54c210d2ea9b8539edcde1888b1104b96b38e886 Mon Sep 17 00:00:00 2001
From: Stanislav Malyshev <stas@php.net>
Date: Tue, 26 Jan 2016 17:26:52 -0800
Subject: [PATCH] Fix bug #71459 - Integer overflow in iptcembed()
[roberto@debian.org: backported to 5.4.45]
Bug: https://bugs.php.net/bug.php?id=71459
Origin: backport, http://git.php.net/?p=php-src.git;a=commitdiff;h=54c210d2ea9b8539edcde1888b1104b96b38e886
---
ext/standard/iptc.c | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
--- php5.git.orig/ext/standard/iptc.c
+++ php5.git/ext/standard/iptc.c
@@ -37,6 +37,7 @@
#include "ext/standard/head.h"
#include <sys/stat.h>
+#include <stdint.h>
/* some defines for the different JPEG block types */
@@ -195,6 +196,11 @@
RETURN_FALSE;
}
+ if ((size_t)iptcdata_len >= SIZE_MAX - sizeof(psheader) - 1025) {
+ php_error_docref(NULL TSRMLS_CC, E_WARNING, "IPTC data too large");
+ RETURN_FALSE;
+ }
+
if ((fp = VCWD_FOPEN(jpeg_file, "rb")) == 0) {
php_error_docref(NULL TSRMLS_CC, E_WARNING, "Unable to open %s", jpeg_file);
RETURN_FALSE;
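Review bot: The added guard on `iptcdata_len` probably cannot fire in this backport. The `(size_t)` cast suggests `iptcdata_len` is still an `int` here (its declaration is outside the hunk), and a non-negative `int` converted to `size_t` is always well below `SIZE_MAX - sizeof(psheader) - 1025`. If that is the case, the overflow protection that actually takes effect is the reordered `safe_emalloc()` call in the next hunk, and a comment here should say so, e.g. `/* only effective when iptcdata_len is size_t; the full size, including sb.st_size, is checked by safe_emalloc() below */`. The guard also cannot cover `sb.st_size`, because the file has not been opened at this point.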
@@ -203,7 +209,7 @@
if (spool < 2) {
fstat(fileno(fp), &sb);
- poi = spoolbuf = safe_emalloc(1, iptcdata_len + sizeof(psheader) + sb.st_size + 1024, 1);
+ poi = spoolbuf = safe_emalloc(1, (size_t)iptcdata_len + sizeof(psheader) + 1024 + 1, sb.st_size);
memset(poi, 0, iptcdata_len + sizeof(psheader) + sb.st_size + 1024 + 1);
}
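Review bot: `fstat(fileno(fp), &sb)` is still unchecked, so if it fails, `sb.st_size` is indeterminate and flows into both the `safe_emalloc()` offset and the `memset()` length. A check such as `if (fstat(fileno(fp), &sb) != 0) { fclose(fp); RETURN_FALSE; }` would close that path. The `memset()` line also recomputes the size with its own unchecked expression, and is only safe because `safe_emalloc()` bails out first on overflow. Computing the size once into a local `size_t` and using it for both calls would keep the two from drifting apart. The enclosing function starts and ends outside the hunk, so the right cleanup on the error path should be confirmed there.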