--- rpms/php/sme8/php-5.3.3-CVE-2011-0708.patch 2011/11/03 22:49:53 1.1 +++ rpms/php/sme8/php-5.3.3-CVE-2011-0708.patch 2011/11/03 22:49:53 1.1.2.1 @@ -0,0 +1,66 @@ + +https://bugzilla.redhat.com/show_bug.cgi?id=680972 + + http://svn.php.net/viewvc?view=revision&revision=308316 + http://svn.php.net/viewvc?view=revision&revision=308317 + http://svn.php.net/viewvc?view=revision&revision=308362 + +--- php-5.3.3/ext/exif/exif.c.cve0708 ++++ php-5.3.3/ext/exif/exif.c +@@ -40,6 +40,16 @@ + #include "php.h" + #include "ext/standard/file.h" + ++#ifdef HAVE_STDINT_H ++# include ++#endif ++#ifdef HAVE_INTTYPES_H ++# include ++#endif ++#ifdef PHP_WIN32 ++# include "win32/php_stdint.h" ++#endif ++ + #if HAVE_EXIF + + /* When EXIF_DEBUG is defined the module generates a lot of debug messages +@@ -2821,6 +2831,7 @@ static int exif_process_IFD_TAG(image_in + int tag, format, components; + char *value_ptr, tagname[64], cbuf[32], *outside=NULL; + size_t byte_count, offset_val, fpos, fgot; ++ int64_t byte_count_signed; + xp_field_type *tmp_xp; + #ifdef EXIF_DEBUG + char *dump_data; +@@ -2845,13 +2856,20 @@ static int exif_process_IFD_TAG(image_in + /*return TRUE;*/ + } + +- byte_count = components * php_tiff_bytes_per_format[format]; ++ if (components < 0) { ++ exif_error_docref("exif_read_data#error_ifd" EXIFERR_CC, ImageInfo, E_WARNING, "Process tag(x%04X=%s): Illegal components(%ld)", tag, exif_get_tagname(tag, tagname, -12, tag_table TSRMLS_CC), components); ++ return FALSE; ++ } ++ ++ byte_count_signed = (int64_t)components * php_tiff_bytes_per_format[format]; + +- if ((ssize_t)byte_count < 0) { +- exif_error_docref("exif_read_data#error_ifd" EXIFERR_CC, ImageInfo, E_WARNING, "Process tag(x%04X=%s): Illegal byte_count(%ld)", tag, exif_get_tagname(tag, tagname, -12, tag_table TSRMLS_CC), byte_count); ++ if (byte_count_signed < 0 || (byte_count_signed > INT32_MAX)) { ++ exif_error_docref("exif_read_data#error_ifd" EXIFERR_CC, ImageInfo, E_WARNING, "Process tag(x%04X=%s): Illegal byte_count", tag, exif_get_tagname(tag, tagname, -12, tag_table TSRMLS_CC)); + return FALSE; + } + ++ byte_count = (size_t)byte_count_signed; ++ + if (byte_count > 4) { + offset_val = php_ifd_get32u(dir_entry+8, ImageInfo->motorola_intel); + /* If its bigger than 4 bytes, the dir entry contains an offset. */ +@@ -2916,6 +2934,7 @@ static int exif_process_IFD_TAG(image_in + efree(dump_data); + } + #endif ++ + if (section_index==SECTION_THUMBNAIL) { + if (!ImageInfo->Thumbnail.data) { + switch(tag) {