
Diff of /rpms/php/sme8/php-5.3.3-CVE-2011-4566.patch


Revision 1.1 by slords, Fri Feb 3 15:48:14 2012 UTC Revision 1.1.2.1 by slords, Fri Feb 3 15:48:14 2012 UTC
# Line 0  Line 1 
1    From 774d031d3e860ccb63acb3defdeb91e8f3fdf515 Mon Sep 17 00:00:00 2001
2    From: "Vojtech Vitek (V-Teq)" <vvitek@redhat.com>
3    Date: Tue, 3 Jan 2012 02:36:51 +0100
4    Subject: [PATCH] Fix integer overflow during the parsing of invalid exif
5     header
6    
7    Based on:
8    http://svn.php.net/viewvc/?view=revision&revision=319535
9    http://svn.php.net/viewvc/?view=revision&revision=319534
10    ---
11     ext/exif/exif.c |    4 ++--
12     1 files changed, 2 insertions(+), 2 deletions(-)
13    
14    diff --git a/ext/exif/exif.c b/ext/exif/exif.c
15    index 85fa1b9..ecfb402 100644
16    --- a/ext/exif/exif.c
17    +++ b/ext/exif/exif.c
18    @@ -2856,11 +2856,11 @@ static int exif_process_IFD_TAG(image_info_type *ImageInfo, char *dir_entry, cha
19                    offset_val = php_ifd_get32u(dir_entry+8, ImageInfo->motorola_intel);
20                    /* If its bigger than 4 bytes, the dir entry contains an offset. */
21                    value_ptr = offset_base+offset_val;
22    -               if (offset_val+byte_count > IFDlength || value_ptr < dir_entry) {
23    +               if (byte_count > IFDlength || offset_val > IFDlength-byte_count || value_ptr < dir_entry) {
24                            /* It is important to check for IMAGE_FILETYPE_TIFF
25                             * JPEG does not use absolute pointers instead its pointers are
26                             * relative to the start of the TIFF header in APP1 section. */
27    -                       if (offset_val+byte_count>ImageInfo->FileSize || (ImageInfo->FileType!=IMAGE_FILETYPE_TIFF_II && ImageInfo->FileType!=IMAGE_FILETYPE_TIFF_MM && ImageInfo->FileType!=IMAGE_FILETYPE_JPEG)) {
28    +                       if (byte_count > ImageInfo->FileSize || offset_val>ImageInfo->FileSize-byte_count || (ImageInfo->FileType!=IMAGE_FILETYPE_TIFF_II && ImageInfo->FileType!=IMAGE_FILETYPE_TIFF_MM && ImageInfo->FileType!=IMAGE_FILETYPE_JPEG)) {
29                                    if (value_ptr < dir_entry) {
30                                            /* we can read this if offset_val > 0 */
31                                            /* some files have their values in other parts of the file */
32    --
33    1.7.6.2
34    
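Review bot: The assignment `value_ptr = offset_base+offset_val;` still runs before the rewritten range test, so the pointer is formed from the unvalidated 32-bit `offset_val` read from the directory entry. As far as the hunk shows, `value_ptr < dir_entry` then compares a pointer that may already lie outside the buffer. Consider moving the assignment below the bounds check, or expressing that last condition on offsets rather than pointers. The subtraction form is only safe because `byte_count > IFDlength` is tested first and, presumably, both operands are unsigned; their declarations are outside the hunk. A comment such as `/* test offset_val against limit - byte_count so the sum cannot wrap */` above the `if` would keep a later edit from reverting it to the additive form. exif_process_IFD_TAG starts and ends outside the hunk.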

