--- rpms/php/sme8/php-5.3.3-CVE-2011-0708.patch	2011/11/03 22:49:53	1.1
+++ rpms/php/sme8/php-5.3.3-CVE-2011-0708.patch	2011/11/03 22:49:53	1.1.2.1
@@ -0,0 +1,66 @@
+
+https://bugzilla.redhat.com/show_bug.cgi?id=680972
+
+  http://svn.php.net/viewvc?view=revision&revision=308316
+  http://svn.php.net/viewvc?view=revision&revision=308317
+  http://svn.php.net/viewvc?view=revision&revision=308362
+
+--- php-5.3.3/ext/exif/exif.c.cve0708
++++ php-5.3.3/ext/exif/exif.c
+@@ -40,6 +40,16 @@
+ #include "php.h"
+ #include "ext/standard/file.h"
+ 
++#ifdef HAVE_STDINT_H
++# include <stdint.h>
++#endif
++#ifdef HAVE_INTTYPES_H
++# include <inttypes.h>
++#endif
++#ifdef PHP_WIN32
++# include "win32/php_stdint.h"
++#endif
++
+ #if HAVE_EXIF
+ 
+ /* When EXIF_DEBUG is defined the module generates a lot of debug messages
+@@ -2821,6 +2831,7 @@ static int exif_process_IFD_TAG(image_in
+ 	int tag, format, components;
+ 	char *value_ptr, tagname[64], cbuf[32], *outside=NULL;
+ 	size_t byte_count, offset_val, fpos, fgot;
++	int64_t byte_count_signed;
+ 	xp_field_type *tmp_xp;
+ #ifdef EXIF_DEBUG
+ 	char *dump_data;
+@@ -2845,13 +2856,20 @@ static int exif_process_IFD_TAG(image_in
+ 		/*return TRUE;*/
+ 	}
+ 
+-	byte_count = components * php_tiff_bytes_per_format[format];
++	if (components < 0) {
++		exif_error_docref("exif_read_data#error_ifd" EXIFERR_CC, ImageInfo, E_WARNING, "Process tag(x%04X=%s): Illegal components(%ld)", tag, exif_get_tagname(tag, tagname, -12, tag_table TSRMLS_CC), components);
++		return FALSE;
++	}
++
++	byte_count_signed = (int64_t)components * php_tiff_bytes_per_format[format];
+ 
+-	if ((ssize_t)byte_count < 0) {
+-		exif_error_docref("exif_read_data#error_ifd" EXIFERR_CC, ImageInfo, E_WARNING, "Process tag(x%04X=%s): Illegal byte_count(%ld)", tag, exif_get_tagname(tag, tagname, -12, tag_table TSRMLS_CC), byte_count);
++	if (byte_count_signed < 0 || (byte_count_signed > INT32_MAX)) {
++		exif_error_docref("exif_read_data#error_ifd" EXIFERR_CC, ImageInfo, E_WARNING, "Process tag(x%04X=%s): Illegal byte_count", tag, exif_get_tagname(tag, tagname, -12, tag_table TSRMLS_CC));
+ 		return FALSE;
+ 	}
+ 
++	byte_count = (size_t)byte_count_signed;
++
+ 	if (byte_count > 4) {
+ 		offset_val = php_ifd_get32u(dir_entry+8, ImageInfo->motorola_intel);
+ 		/* If its bigger than 4 bytes, the dir entry contains an offset. */
+@@ -2916,6 +2934,7 @@ static int exif_process_IFD_TAG(image_in
+ 		efree(dump_data);
+ 	}
+ #endif
++
+ 	if (section_index==SECTION_THUMBNAIL) {
+ 		if (!ImageInfo->Thumbnail.data) {
+ 			switch(tag) {