/[smeserver]/rpms/php/sme8/php-5.3.3-CVE-2011-0708.patch
ViewVC logotype

Annotation of /rpms/php/sme8/php-5.3.3-CVE-2011-0708.patch

Parent Directory Parent Directory | Revision Log Revision Log | View Revision Graph Revision Graph

Revision 1.2 - (hide annotations) (download)
Thu Nov 3 22:54:19 2011 UTC (13 years ago) by slords
Branch: MAIN
CVS Tags: php-5_3_3-15_el5_sme, php-5_3_3-16_el5_sme, php-5_3_3-14_el5_sme, php-5_3_3-1_el5_sme_6, php-5_3_3-13_el5_sme_1, php-5_3_3-1_el5_sme_3, php-5_3_3-13_el5_sme_2, php-5_3_3-17_el5_sme, php-5_3_3-13_el5_sme, HEAD
Changes since 1.1: +66 -0 lines 
* Thu Nov 2 2011 Shad L. Lords <slords@mail.com> - 5.3.3-1.3.sme
- Obsolete php-domxml and php-dom [SME: 6733]
- Update Obsoletes and Conflicts [SME: 6436]
1 slords 1.2
2     https://bugzilla.redhat.com/show_bug.cgi?id=680972
3    
4     http://svn.php.net/viewvc?view=revision&revision=308316
5     http://svn.php.net/viewvc?view=revision&revision=308317
6     http://svn.php.net/viewvc?view=revision&revision=308362
7    
8     --- php-5.3.3/ext/exif/exif.c.cve0708
9     +++ php-5.3.3/ext/exif/exif.c
10     @@ -40,6 +40,16 @@
11     #include "php.h"
12     #include "ext/standard/file.h"
13    
14     +#ifdef HAVE_STDINT_H
15     +# include <stdint.h>
16     +#endif
17     +#ifdef HAVE_INTTYPES_H
18     +# include <inttypes.h>
19     +#endif
20     +#ifdef PHP_WIN32
21     +# include "win32/php_stdint.h"
22     +#endif
23     +
24     #if HAVE_EXIF
25    
26     /* When EXIF_DEBUG is defined the module generates a lot of debug messages
27     @@ -2821,6 +2831,7 @@ static int exif_process_IFD_TAG(image_in
28     int tag, format, components;
29     char *value_ptr, tagname[64], cbuf[32], *outside=NULL;
30     size_t byte_count, offset_val, fpos, fgot;
31     + int64_t byte_count_signed;
32     xp_field_type *tmp_xp;
33     #ifdef EXIF_DEBUG
34     char *dump_data;
35     @@ -2845,13 +2856,20 @@ static int exif_process_IFD_TAG(image_in
36     /*return TRUE;*/
37     }
38    
39     - byte_count = components * php_tiff_bytes_per_format[format];
40     + if (components < 0) {
41     + exif_error_docref("exif_read_data#error_ifd" EXIFERR_CC, ImageInfo, E_WARNING, "Process tag(x%04X=%s): Illegal components(%ld)", tag, exif_get_tagname(tag, tagname, -12, tag_table TSRMLS_CC), components);
42     + return FALSE;
43     + }
44     +
45     + byte_count_signed = (int64_t)components * php_tiff_bytes_per_format[format];
46    
47     - if ((ssize_t)byte_count < 0) {
48     - exif_error_docref("exif_read_data#error_ifd" EXIFERR_CC, ImageInfo, E_WARNING, "Process tag(x%04X=%s): Illegal byte_count(%ld)", tag, exif_get_tagname(tag, tagname, -12, tag_table TSRMLS_CC), byte_count);
49     + if (byte_count_signed < 0 || (byte_count_signed > INT32_MAX)) {
50     + exif_error_docref("exif_read_data#error_ifd" EXIFERR_CC, ImageInfo, E_WARNING, "Process tag(x%04X=%s): Illegal byte_count", tag, exif_get_tagname(tag, tagname, -12, tag_table TSRMLS_CC));
51     return FALSE;
52     }
53    
54     + byte_count = (size_t)byte_count_signed;
55     +
56     if (byte_count > 4) {
57     offset_val = php_ifd_get32u(dir_entry+8, ImageInfo->motorola_intel);
58     /* If its bigger than 4 bytes, the dir entry contains an offset. */
59     @@ -2916,6 +2934,7 @@ static int exif_process_IFD_TAG(image_in
60     efree(dump_data);
61     }
62     #endif
63     +
64     if (section_index==SECTION_THUMBNAIL) {
65     if (!ImageInfo->Thumbnail.data) {
66     switch(tag) {
admin@koozali.org
 ViewVC Help
Powered by ViewVC 1.2.1 RSS 2.0 feed