1 |
slords |
1.2 |
From 774d031d3e860ccb63acb3defdeb91e8f3fdf515 Mon Sep 17 00:00:00 2001 |
2 |
|
|
From: "Vojtech Vitek (V-Teq)" <vvitek@redhat.com> |
3 |
|
|
Date: Tue, 3 Jan 2012 02:36:51 +0100 |
4 |
|
|
Subject: [PATCH] Fix integer overflow during the parsing of invalid exif |
5 |
|
|
header |
6 |
|
|
|
7 |
|
|
Based on: |
8 |
|
|
http://svn.php.net/viewvc/?view=revision&revision=319535 |
9 |
|
|
http://svn.php.net/viewvc/?view=revision&revision=319534 |
10 |
|
|
--- |
11 |
|
|
ext/exif/exif.c | 4 ++-- |
12 |
|
|
1 files changed, 2 insertions(+), 2 deletions(-) |
13 |
|
|
|
14 |
|
|
diff --git a/ext/exif/exif.c b/ext/exif/exif.c |
15 |
|
|
index 85fa1b9..ecfb402 100644 |
16 |
|
|
--- a/ext/exif/exif.c |
17 |
|
|
+++ b/ext/exif/exif.c |
18 |
|
|
@@ -2856,11 +2856,11 @@ static int exif_process_IFD_TAG(image_info_type *ImageInfo, char *dir_entry, cha |
19 |
|
|
offset_val = php_ifd_get32u(dir_entry+8, ImageInfo->motorola_intel); |
20 |
|
|
/* If its bigger than 4 bytes, the dir entry contains an offset. */ |
21 |
|
|
value_ptr = offset_base+offset_val; |
22 |
|
|
- if (offset_val+byte_count > IFDlength || value_ptr < dir_entry) { |
23 |
|
|
+ if (byte_count > IFDlength || offset_val > IFDlength-byte_count || value_ptr < dir_entry) { |
24 |
|
|
/* It is important to check for IMAGE_FILETYPE_TIFF |
25 |
|
|
* JPEG does not use absolute pointers instead its pointers are |
26 |
|
|
* relative to the start of the TIFF header in APP1 section. */ |
27 |
|
|
- if (offset_val+byte_count>ImageInfo->FileSize || (ImageInfo->FileType!=IMAGE_FILETYPE_TIFF_II && ImageInfo->FileType!=IMAGE_FILETYPE_TIFF_MM && ImageInfo->FileType!=IMAGE_FILETYPE_JPEG)) { |
28 |
|
|
+ if (byte_count > ImageInfo->FileSize || offset_val>ImageInfo->FileSize-byte_count || (ImageInfo->FileType!=IMAGE_FILETYPE_TIFF_II && ImageInfo->FileType!=IMAGE_FILETYPE_TIFF_MM && ImageInfo->FileType!=IMAGE_FILETYPE_JPEG)) { |
29 |
|
|
if (value_ptr < dir_entry) { |
30 |
|
|
/* we can read this if offset_val > 0 */ |
31 |
|
|
/* some files have their values in other parts of the file */ |
32 |
|
|
-- |
33 |
|
|
1.7.6.2 |
34 |
|
|
|