/[smeserver]/rpms/php/sme8/php-5.3.3-CVE-2011-0708.patch
ViewVC logotype

Contents of /rpms/php/sme8/php-5.3.3-CVE-2011-0708.patch

Parent Directory Parent Directory | Revision Log Revision Log | View Revision Graph Revision Graph

Revision 1.2 - (show annotations) (download)
Thu Nov 3 22:54:19 2011 UTC (12 years, 6 months ago) by slords
Branch: MAIN
CVS Tags: php-5_3_3-15_el5_sme, php-5_3_3-16_el5_sme, php-5_3_3-14_el5_sme, php-5_3_3-1_el5_sme_6, php-5_3_3-13_el5_sme_1, php-5_3_3-1_el5_sme_3, php-5_3_3-13_el5_sme_2, php-5_3_3-17_el5_sme, php-5_3_3-13_el5_sme, HEAD
Changes since 1.1: +66 -0 lines 
* Thu Nov 2 2011 Shad L. Lords <slords@mail.com> - 5.3.3-1.3.sme
- Obsolete php-domxml and php-dom [SME: 6733]
- Update Obsoletes and Conflicts [SME: 6436]
1
2 https://bugzilla.redhat.com/show_bug.cgi?id=680972
3
4 http://svn.php.net/viewvc?view=revision&revision=308316
5 http://svn.php.net/viewvc?view=revision&revision=308317
6 http://svn.php.net/viewvc?view=revision&revision=308362
7
8 --- php-5.3.3/ext/exif/exif.c.cve0708
9 +++ php-5.3.3/ext/exif/exif.c
10 @@ -40,6 +40,16 @@
11 #include "php.h"
12 #include "ext/standard/file.h"
13
14 +#ifdef HAVE_STDINT_H
15 +# include <stdint.h>
16 +#endif
17 +#ifdef HAVE_INTTYPES_H
18 +# include <inttypes.h>
19 +#endif
20 +#ifdef PHP_WIN32
21 +# include "win32/php_stdint.h"
22 +#endif
23 +
24 #if HAVE_EXIF
25
26 /* When EXIF_DEBUG is defined the module generates a lot of debug messages
27 @@ -2821,6 +2831,7 @@ static int exif_process_IFD_TAG(image_in
28 int tag, format, components;
29 char *value_ptr, tagname[64], cbuf[32], *outside=NULL;
30 size_t byte_count, offset_val, fpos, fgot;
31 + int64_t byte_count_signed;
32 xp_field_type *tmp_xp;
33 #ifdef EXIF_DEBUG
34 char *dump_data;
35 @@ -2845,13 +2856,20 @@ static int exif_process_IFD_TAG(image_in
36 /*return TRUE;*/
37 }
38
39 - byte_count = components * php_tiff_bytes_per_format[format];
40 + if (components < 0) {
41 + exif_error_docref("exif_read_data#error_ifd" EXIFERR_CC, ImageInfo, E_WARNING, "Process tag(x%04X=%s): Illegal components(%ld)", tag, exif_get_tagname(tag, tagname, -12, tag_table TSRMLS_CC), components);
42 + return FALSE;
43 + }
44 +
45 + byte_count_signed = (int64_t)components * php_tiff_bytes_per_format[format];
46
47 - if ((ssize_t)byte_count < 0) {
48 - exif_error_docref("exif_read_data#error_ifd" EXIFERR_CC, ImageInfo, E_WARNING, "Process tag(x%04X=%s): Illegal byte_count(%ld)", tag, exif_get_tagname(tag, tagname, -12, tag_table TSRMLS_CC), byte_count);
49 + if (byte_count_signed < 0 || (byte_count_signed > INT32_MAX)) {
50 + exif_error_docref("exif_read_data#error_ifd" EXIFERR_CC, ImageInfo, E_WARNING, "Process tag(x%04X=%s): Illegal byte_count", tag, exif_get_tagname(tag, tagname, -12, tag_table TSRMLS_CC));
51 return FALSE;
52 }
53
54 + byte_count = (size_t)byte_count_signed;
55 +
56 if (byte_count > 4) {
57 offset_val = php_ifd_get32u(dir_entry+8, ImageInfo->motorola_intel);
58 /* If its bigger than 4 bytes, the dir entry contains an offset. */
59 @@ -2916,6 +2934,7 @@ static int exif_process_IFD_TAG(image_in
60 efree(dump_data);
61 }
62 #endif
63 +
64 if (section_index==SECTION_THUMBNAIL) {
65 if (!ImageInfo->Thumbnail.data) {
66 switch(tag) {
admin@koozali.org
 ViewVC Help
Powered by ViewVC 1.2.1 RSS 2.0 feed