Search
j0ke.net Open Build Service
>
Projects
>
internetx
:
php5
>
php-5.2.17
> php-5.2.14-CVE-2011-0708.patch
Sign Up
|
Log In
Username
Password
Cancel
Overview
Repositories
Revisions
Requests
Users
Advanced
Attributes
Meta
File php-5.2.14-CVE-2011-0708.patch of Package php-5.2.17
Index: ext/exif/exif.c =================================================================== --- ext/exif/exif.c.orig +++ ext/exif/exif.c @@ -40,6 +40,10 @@ #include "php.h" #include "ext/standard/file.h" +#ifdef PHP_WIN32 +#include "win32/php_stdint.h" +#endif + #if HAVE_EXIF /* When EXIF_DEBUG is defined the module generates a lot of debug messages @@ -2821,6 +2825,7 @@ static int exif_process_IFD_TAG(image_in int tag, format, components; char *value_ptr, tagname[64], cbuf[32], *outside=NULL; size_t byte_count, offset_val, fpos, fgot; + int64_t byte_count_signed; xp_field_type *tmp_xp; #ifdef EXIF_DEBUG char *dump_data; @@ -2845,13 +2850,20 @@ static int exif_process_IFD_TAG(image_in /*return TRUE;*/ } - byte_count = components * php_tiff_bytes_per_format[format]; + if (components < 0) { + exif_error_docref("exif_read_data#error_ifd" EXIFERR_CC, ImageInfo, E_WARNING, "Process tag(x%04X=%s): Illegal components(%ld)", tag, exif_get_tagname(tag, tagname, -12, tag_table TSRMLS_CC), components); + return FALSE; + } - if ((ssize_t)byte_count < 0) { - exif_error_docref("exif_read_data#error_ifd" EXIFERR_CC, ImageInfo, E_WARNING, "Process tag(x%04X=%s): Illegal byte_count(%ld)", tag, exif_get_tagname(tag, tagname, -12, tag_table TSRMLS_CC), byte_count); + byte_count_signed = (int64_t)components * php_tiff_bytes_per_format[format]; + + if (byte_count_signed < 0 || (byte_count_signed > 2147483648)) { + exif_error_docref("exif_read_data#error_ifd" EXIFERR_CC, ImageInfo, E_WARNING, "Process tag(x%04X=%s): Illegal byte_count", tag, exif_get_tagname(tag, tagname, -12, tag_table TSRMLS_CC)); return FALSE; } + byte_count = (size_t)byte_count_signed; + if (byte_count > 4) { offset_val = php_ifd_get32u(dir_entry+8, ImageInfo->motorola_intel); /* If its bigger than 4 bytes, the dir entry contains an offset. */ @@ -2916,6 +2928,7 @@ static int exif_process_IFD_TAG(image_in efree(dump_data); } #endif + if (section_index==SECTION_THUMBNAIL) { if (!ImageInfo->Thumbnail.data) { switch(tag) {