/[smeserver]/rpms/php/sme8/php-5.3.3-CVE-2011-0708.patch
ViewVC logotype

Diff of /rpms/php/sme8/php-5.3.3-CVE-2011-0708.patch

Parent Directory Parent Directory | Revision Log Revision Log | View Revision Graph Revision Graph | View Patch Patch

Revision 1.1 by slords, Thu Nov 3 22:49:53 2011 UTC Revision 1.1.2.1 by slords, Thu Nov 3 22:49:53 2011 UTC
# Line 0  Line 1 
1    
2    https://bugzilla.redhat.com/show_bug.cgi?id=680972
3    
4      http://svn.php.net/viewvc?view=revision&revision=308316
5      http://svn.php.net/viewvc?view=revision&revision=308317
6      http://svn.php.net/viewvc?view=revision&revision=308362
7    
8    --- php-5.3.3/ext/exif/exif.c.cve0708
9    +++ php-5.3.3/ext/exif/exif.c
10    @@ -40,6 +40,16 @@
11     #include "php.h"
12     #include "ext/standard/file.h"
13    
14    +#ifdef HAVE_STDINT_H
15    +# include <stdint.h>
16    +#endif
17    +#ifdef HAVE_INTTYPES_H
18    +# include <inttypes.h>
19    +#endif
20    +#ifdef PHP_WIN32
21    +# include "win32/php_stdint.h"
22    +#endif
23    +
24     #if HAVE_EXIF
25    
26     /* When EXIF_DEBUG is defined the module generates a lot of debug messages
27    @@ -2821,6 +2831,7 @@ static int exif_process_IFD_TAG(image_in
28            int tag, format, components;
29            char *value_ptr, tagname[64], cbuf[32], *outside=NULL;
30            size_t byte_count, offset_val, fpos, fgot;
31    +       int64_t byte_count_signed;
32            xp_field_type *tmp_xp;
33     #ifdef EXIF_DEBUG
34            char *dump_data;
35    @@ -2845,13 +2856,20 @@ static int exif_process_IFD_TAG(image_in
36                    /*return TRUE;*/
37            }
38    
39    -       byte_count = components * php_tiff_bytes_per_format[format];
40    +       if (components < 0) {
41    +               exif_error_docref("exif_read_data#error_ifd" EXIFERR_CC, ImageInfo, E_WARNING, "Process tag(x%04X=%s): Illegal components(%ld)", tag, exif_get_tagname(tag, tagname, -12, tag_table TSRMLS_CC), components);
42    +               return FALSE;
43    +       }
44    +
45    +       byte_count_signed = (int64_t)components * php_tiff_bytes_per_format[format];
46    
47    -       if ((ssize_t)byte_count < 0) {
48    -               exif_error_docref("exif_read_data#error_ifd" EXIFERR_CC, ImageInfo, E_WARNING, "Process tag(x%04X=%s): Illegal byte_count(%ld)", tag, exif_get_tagname(tag, tagname, -12, tag_table TSRMLS_CC), byte_count);
49    +       if (byte_count_signed < 0 || (byte_count_signed > INT32_MAX)) {
50    +               exif_error_docref("exif_read_data#error_ifd" EXIFERR_CC, ImageInfo, E_WARNING, "Process tag(x%04X=%s): Illegal byte_count", tag, exif_get_tagname(tag, tagname, -12, tag_table TSRMLS_CC));
51                    return FALSE;
52            }
53    
54    +       byte_count = (size_t)byte_count_signed;
55    +
56            if (byte_count > 4) {
57                    offset_val = php_ifd_get32u(dir_entry+8, ImageInfo->motorola_intel);
58                    /* If its bigger than 4 bytes, the dir entry contains an offset. */
59    @@ -2916,6 +2934,7 @@ static int exif_process_IFD_TAG(image_in
60                    efree(dump_data);
61            }
62     #endif
63    +
64            if (section_index==SECTION_THUMBNAIL) {
65                    if (!ImageInfo->Thumbnail.data) {
66                            switch(tag) {

Legend:
Removed lines/characters  
Changed lines/characters
  Added lines/characters
admin@koozali.org
 ViewVC Help
Powered by ViewVC 1.2.1 RSS 2.0 feed