php/sme8/php-5.3.3-CVE-2011-0708.patch


https://bugzilla.redhat.com/show_bug.cgi?id=680972

  http://svn.php.net/viewvc?view=revision&revision=308316
  http://svn.php.net/viewvc?view=revision&revision=308317
  http://svn.php.net/viewvc?view=revision&revision=308362

--- php-5.3.3/ext/exif/exif.c.cve0708
+++ php-5.3.3/ext/exif/exif.c
@@ -40,6 +40,16 @@
 #include "php.h"
 #include "ext/standard/file.h"
 
+#ifdef HAVE_STDINT_H
+# include <stdint.h>
+#endif
+#ifdef HAVE_INTTYPES_H
+# include <inttypes.h>
+#endif
+#ifdef PHP_WIN32
+# include "win32/php_stdint.h"
+#endif
+
 #if HAVE_EXIF
 
 /* When EXIF_DEBUG is defined the module generates a lot of debug messages
@@ -2821,6 +2831,7 @@ static int exif_process_IFD_TAG(image_in
        int tag, format, components;
        char *value_ptr, tagname[64], cbuf[32], *outside=NULL;
        size_t byte_count, offset_val, fpos, fgot;
+       int64_t byte_count_signed;
        xp_field_type *tmp_xp;
 #ifdef EXIF_DEBUG
        char *dump_data;
@@ -2845,13 +2856,20 @@ static int exif_process_IFD_TAG(image_in
                /*return TRUE;*/
        }
 
-       byte_count = components * php_tiff_bytes_per_format[format];
+       if (components < 0) {
+               exif_error_docref("exif_read_data#error_ifd" EXIFERR_CC, ImageInfo, E_WARNING, "Process tag(x%04X=%s): Illegal components(%ld)", tag, exif_get_tagname(tag, tagname, -12, tag_table TSRMLS_CC), components);
+               return FALSE;
+       }
+
+       byte_count_signed = (int64_t)components * php_tiff_bytes_per_format[format];
 
-       if ((ssize_t)byte_count < 0) {
-               exif_error_docref("exif_read_data#error_ifd" EXIFERR_CC, ImageInfo, E_WARNING, "Process tag(x%04X=%s): Illegal byte_count(%ld)", tag, exif_get_tagname(tag, tagname, -12, tag_table TSRMLS_CC), byte_count);
+       if (byte_count_signed < 0 || (byte_count_signed > INT32_MAX)) {
+               exif_error_docref("exif_read_data#error_ifd" EXIFERR_CC, ImageInfo, E_WARNING, "Process tag(x%04X=%s): Illegal byte_count", tag, exif_get_tagname(tag, tagname, -12, tag_table TSRMLS_CC));
                return FALSE;
        }
 
+       byte_count = (size_t)byte_count_signed;
+
        if (byte_count > 4) {
                offset_val = php_ifd_get32u(dir_entry+8, ImageInfo->motorola_intel);
                /* If its bigger than 4 bytes, the dir entry contains an offset. */
@@ -2916,6 +2934,7 @@ static int exif_process_IFD_TAG(image_in
                efree(dump_data);
        }
 #endif
+
        if (section_index==SECTION_THUMBNAIL) {
                if (!ImageInfo->Thumbnail.data) {
                        switch(tag) {
1	slords	1.1.2.1
2			https://bugzilla.redhat.com/show_bug.cgi?id=680972
3
4			http://svn.php.net/viewvc?view=revision&revision=308316
5			http://svn.php.net/viewvc?view=revision&revision=308317
6			http://svn.php.net/viewvc?view=revision&revision=308362
7
8			--- php-5.3.3/ext/exif/exif.c.cve0708
9			+++ php-5.3.3/ext/exif/exif.c
10			@@ -40,6 +40,16 @@
11			#include "php.h"
12			#include "ext/standard/file.h"
13
14			+#ifdef HAVE_STDINT_H
15			+# include <stdint.h>
16			+#endif
17			+#ifdef HAVE_INTTYPES_H
18			+# include <inttypes.h>
19			+#endif
20			+#ifdef PHP_WIN32
21			+# include "win32/php_stdint.h"
22			+#endif
23			+
24			#if HAVE_EXIF
25
26			/* When EXIF_DEBUG is defined the module generates a lot of debug messages
27			@@ -2821,6 +2831,7 @@ static int exif_process_IFD_TAG(image_in
28			int tag, format, components;
29			char value_ptr, tagname[64], cbuf[32], outside=NULL;
30			size_t byte_count, offset_val, fpos, fgot;
31			+ int64_t byte_count_signed;
32			xp_field_type *tmp_xp;
33			#ifdef EXIF_DEBUG
34			char *dump_data;
35			@@ -2845,13 +2856,20 @@ static int exif_process_IFD_TAG(image_in
36			/return TRUE;/
37			}
38
39			- byte_count = components * php_tiff_bytes_per_format[format];
40			+ if (components < 0) {
41			+ exif_error_docref("exif_read_data#error_ifd" EXIFERR_CC, ImageInfo, E_WARNING, "Process tag(x%04X=%s): Illegal components(%ld)", tag, exif_get_tagname(tag, tagname, -12, tag_table TSRMLS_CC), components);
42			+ return FALSE;
43			+ }
44			+
45			+ byte_count_signed = (int64_t)components * php_tiff_bytes_per_format[format];
46
47			- if ((ssize_t)byte_count < 0) {
48			- exif_error_docref("exif_read_data#error_ifd" EXIFERR_CC, ImageInfo, E_WARNING, "Process tag(x%04X=%s): Illegal byte_count(%ld)", tag, exif_get_tagname(tag, tagname, -12, tag_table TSRMLS_CC), byte_count);
49			+ if (byte_count_signed < 0 \|\| (byte_count_signed > INT32_MAX)) {
50			+ exif_error_docref("exif_read_data#error_ifd" EXIFERR_CC, ImageInfo, E_WARNING, "Process tag(x%04X=%s): Illegal byte_count", tag, exif_get_tagname(tag, tagname, -12, tag_table TSRMLS_CC));
51			return FALSE;
52			}
53
54			+ byte_count = (size_t)byte_count_signed;
55			+
56			if (byte_count > 4) {
57			offset_val = php_ifd_get32u(dir_entry+8, ImageInfo->motorola_intel);
58			/* If its bigger than 4 bytes, the dir entry contains an offset. */
59			@@ -2916,6 +2934,7 @@ static int exif_process_IFD_TAG(image_in
60			efree(dump_data);
61			}
62			#endif
63			+
64			if (section_index==SECTION_THUMBNAIL) {
65			if (!ImageInfo->Thumbnail.data) {
66			switch(tag) {