diff options
Diffstat (limited to 'ext/exif')
| -rw-r--r-- | ext/exif/exif.c | 10 | ||||
| -rw-r--r-- | ext/exif/php_exif.h | 4 | ||||
| -rw-r--r-- | ext/exif/tests/bug60150.jpg | bin | 0 -> 121856 bytes | |||
| -rwxr-xr-x | ext/exif/tests/bug60150.phpt | 21 |
4 files changed, 28 insertions, 7 deletions
diff --git a/ext/exif/exif.c b/ext/exif/exif.c index e2cf9f78c..f767b25ea 100644 --- a/ext/exif/exif.c +++ b/ext/exif/exif.c @@ -2,7 +2,7 @@ +----------------------------------------------------------------------+ | PHP Version 5 | +----------------------------------------------------------------------+ - | Copyright (c) 1997-2011 The PHP Group | + | Copyright (c) 1997-2012 The PHP Group | +----------------------------------------------------------------------+ | This source file is subject to version 3.01 of the PHP license, | | that is bundled with this package in the file LICENSE, and is | @@ -17,7 +17,7 @@ +----------------------------------------------------------------------+ */ -/* $Id: exif.c 314376 2011-08-06 14:47:44Z felipe $ */ +/* $Id: exif.c 321634 2012-01-01 13:15:04Z felipe $ */ /* ToDos * @@ -148,7 +148,7 @@ const zend_function_entry exif_functions[] = { }; /* }}} */ -#define EXIF_VERSION "1.4 $Id: exif.c 314376 2011-08-06 14:47:44Z felipe $" +#define EXIF_VERSION "1.4 $Id: exif.c 321634 2012-01-01 13:15:04Z felipe $" /* {{{ PHP_MINFO_FUNCTION */ @@ -2874,11 +2874,11 @@ static int exif_process_IFD_TAG(image_info_type *ImageInfo, char *dir_entry, cha offset_val = php_ifd_get32u(dir_entry+8, ImageInfo->motorola_intel); /* If its bigger than 4 bytes, the dir entry contains an offset. */ value_ptr = offset_base+offset_val; - if (offset_val+byte_count > IFDlength || value_ptr < dir_entry) { + if (byte_count > IFDlength || offset_val > IFDlength-byte_count || value_ptr < dir_entry) { /* It is important to check for IMAGE_FILETYPE_TIFF * JPEG does not use absolute pointers instead its pointers are * relative to the start of the TIFF header in APP1 section. */ - if (offset_val+byte_count>ImageInfo->FileSize || (ImageInfo->FileType!=IMAGE_FILETYPE_TIFF_II && ImageInfo->FileType!=IMAGE_FILETYPE_TIFF_MM && ImageInfo->FileType!=IMAGE_FILETYPE_JPEG)) { + if (byte_count > ImageInfo->FileSize || offset_val>ImageInfo->FileSize-byte_count || (ImageInfo->FileType!=IMAGE_FILETYPE_TIFF_II && ImageInfo->FileType!=IMAGE_FILETYPE_TIFF_MM && ImageInfo->FileType!=IMAGE_FILETYPE_JPEG)) { if (value_ptr < dir_entry) { /* we can read this if offset_val > 0 */ /* some files have their values in other parts of the file */ diff --git a/ext/exif/php_exif.h b/ext/exif/php_exif.h index ab351bd79..58f934a51 100644 --- a/ext/exif/php_exif.h +++ b/ext/exif/php_exif.h @@ -2,7 +2,7 @@ +----------------------------------------------------------------------+ | PHP Version 5 | +----------------------------------------------------------------------+ - | Copyright (c) 1997-2011 The PHP Group | + | Copyright (c) 1997-2012 The PHP Group | +----------------------------------------------------------------------+ | This source file is subject to version 3.01 of the PHP license, | | that is bundled with this package in the file LICENSE, and is | @@ -17,7 +17,7 @@ +----------------------------------------------------------------------+ */ -/* $Id: php_exif.h 306939 2011-01-01 02:19:59Z felipe $ */ +/* $Id: php_exif.h 321634 2012-01-01 13:15:04Z felipe $ */ #if HAVE_EXIF extern zend_module_entry exif_module_entry; diff --git a/ext/exif/tests/bug60150.jpg b/ext/exif/tests/bug60150.jpg Binary files differnew file mode 100644 index 000000000..2d7d1659c --- /dev/null +++ b/ext/exif/tests/bug60150.jpg diff --git a/ext/exif/tests/bug60150.phpt b/ext/exif/tests/bug60150.phpt new file mode 100755 index 000000000..63cf0a9da --- /dev/null +++ b/ext/exif/tests/bug60150.phpt @@ -0,0 +1,21 @@ +--TEST-- +Bug #60150 (Integer overflow during the parsing of invalid exif header) +--SKIPIF-- +<?php if (!extension_loaded('exif')) print 'skip exif extension not available';?> +--INI-- +output_handler= +zlib.output_compression=0 +--FILE-- +<?php +$infile = dirname(__FILE__).'/bug60150.jpg'; +var_dump(exif_read_data($infile)); +?> +===DONE=== +--EXPECTF-- +Warning: exif_read_data(bug60150.jpg): Process tag(x9003=DateTimeOri): Illegal pointer offset(x%x + x%x = x%x > x%x) in %s on line %d + +Warning: exif_read_data(bug60150.jpg): Error reading from file: got=x%x(=%d) != itemlen-%d=x%x(=%d) in %s on line %d + +Warning: exif_read_data(bug60150.jpg): Invalid JPEG file in %s on line %d +bool(false) +===DONE=== |
