/[smeserver]/rpms/php/sme8/php-5.3.3-CVE-2011-4566.patch
ViewVC logotype

Annotation of /rpms/php/sme8/php-5.3.3-CVE-2011-4566.patch

Parent Directory Parent Directory | Revision Log Revision Log | View Revision Graph Revision Graph


Revision 1.1.2.1 - (hide annotations) (download)
Fri Feb 3 15:48:14 2012 UTC (12 years, 10 months ago) by slords
Branch: redhat-upstream
CVS Tags: php-5_3_3-13_el5_9_1, php-5_3_3-1_el5_7_6, php-5_3_3-13_el6
Changes since 1.1: +34 -0 lines
Upstream import

1 slords 1.1.2.1 From 774d031d3e860ccb63acb3defdeb91e8f3fdf515 Mon Sep 17 00:00:00 2001
2     From: "Vojtech Vitek (V-Teq)" <vvitek@redhat.com>
3     Date: Tue, 3 Jan 2012 02:36:51 +0100
4     Subject: [PATCH] Fix integer overflow during the parsing of invalid exif
5     header
6    
7     Based on:
8     http://svn.php.net/viewvc/?view=revision&revision=319535
9     http://svn.php.net/viewvc/?view=revision&revision=319534
10     ---
11     ext/exif/exif.c | 4 ++--
12     1 files changed, 2 insertions(+), 2 deletions(-)
13    
14     diff --git a/ext/exif/exif.c b/ext/exif/exif.c
15     index 85fa1b9..ecfb402 100644
16     --- a/ext/exif/exif.c
17     +++ b/ext/exif/exif.c
18     @@ -2856,11 +2856,11 @@ static int exif_process_IFD_TAG(image_info_type *ImageInfo, char *dir_entry, cha
19     offset_val = php_ifd_get32u(dir_entry+8, ImageInfo->motorola_intel);
20     /* If its bigger than 4 bytes, the dir entry contains an offset. */
21     value_ptr = offset_base+offset_val;
22     - if (offset_val+byte_count > IFDlength || value_ptr < dir_entry) {
23     + if (byte_count > IFDlength || offset_val > IFDlength-byte_count || value_ptr < dir_entry) {
24     /* It is important to check for IMAGE_FILETYPE_TIFF
25     * JPEG does not use absolute pointers instead its pointers are
26     * relative to the start of the TIFF header in APP1 section. */
27     - if (offset_val+byte_count>ImageInfo->FileSize || (ImageInfo->FileType!=IMAGE_FILETYPE_TIFF_II && ImageInfo->FileType!=IMAGE_FILETYPE_TIFF_MM && ImageInfo->FileType!=IMAGE_FILETYPE_JPEG)) {
28     + if (byte_count > ImageInfo->FileSize || offset_val>ImageInfo->FileSize-byte_count || (ImageInfo->FileType!=IMAGE_FILETYPE_TIFF_II && ImageInfo->FileType!=IMAGE_FILETYPE_TIFF_MM && ImageInfo->FileType!=IMAGE_FILETYPE_JPEG)) {
29     if (value_ptr < dir_entry) {
30     /* we can read this if offset_val > 0 */
31     /* some files have their values in other parts of the file */
32     --
33     1.7.6.2
34    

admin@koozali.org
ViewVC Help
Powered by ViewVC 1.2.1 RSS 2.0 feed