diff options
| author | Remi Collet <fedora@famillecollet.com> | 2016-02-16 22:54:26 +0100 |
|---|---|---|
| committer | Remi Collet <fedora@famillecollet.com> | 2016-02-16 22:54:26 +0100 |
| commit | 1ed943ec556f4bfa49a2700b30c9bb58a91379eb (patch) | |
| tree | f1e7c3c5b9d1fa3e4fe78a0c80cde04a1e0333c5 /bug71459.patch | |
| parent | 08069d1e5b43644dc9cac9bd4d645304320cc0d0 (diff) | |
php 5.4.45-4 (security fix backported from 5.5.32)
Diffstat (limited to 'bug71459.patch')
| -rw-r--r-- | bug71459.patch | 65 |
1 files changed, 65 insertions, 0 deletions
diff --git a/bug71459.patch b/bug71459.patch new file mode 100644 index 0000000..a028f56 --- /dev/null +++ b/bug71459.patch @@ -0,0 +1,65 @@ +Backported from 5.5 for 5.4 by Remi Collet + +From 54c210d2ea9b8539edcde1888b1104b96b38e886 Mon Sep 17 00:00:00 2001 +From: Stanislav Malyshev <stas@php.net> +Date: Tue, 26 Jan 2016 17:26:52 -0800 +Subject: [PATCH] Fix bug #71459 - Integer overflow in iptcembed() + +--- + ext/standard/iptc.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/ext/standard/iptc.c b/ext/standard/iptc.c +index 05d778b..6f8aa5d 100644 +--- a/ext/standard/iptc.c ++++ b/ext/standard/iptc.c +@@ -195,6 +195,11 @@ PHP_FUNCTION(iptcembed) + RETURN_FALSE; + } + ++ if ((size_t)iptcdata_len >= SIZE_MAX - sizeof(psheader) - 1025) { ++ php_error_docref(NULL TSRMLS_CC, E_WARNING, "IPTC data too large"); ++ RETURN_FALSE; ++ } ++ + if ((fp = VCWD_FOPEN(jpeg_file, "rb")) == 0) { + php_error_docref(NULL TSRMLS_CC, E_WARNING, "Unable to open %s", jpeg_file); + RETURN_FALSE; +@@ -203,7 +208,7 @@ PHP_FUNCTION(iptcembed) + if (spool < 2) { + fstat(fileno(fp), &sb); + +- poi = spoolbuf = safe_emalloc(1, iptcdata_len + sizeof(psheader) + sb.st_size + 1024, 1); ++ poi = spoolbuf = safe_emalloc(1, (size_t)iptcdata_len + sizeof(psheader) + 1024 + 1, sb.st_size); + memset(poi, 0, iptcdata_len + sizeof(psheader) + sb.st_size + 1024 + 1); + } + +From 686a17893a56a500a3a6a4fd721e8ca29412f6dc Mon Sep 17 00:00:00 2001 +From: Anatol Belski <ab@php.net> +Date: Thu, 28 Jan 2016 13:46:34 +0100 +Subject: [PATCH] add missing headers for SIZE_MAX + +--- + ext/standard/iptc.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +diff --git a/ext/standard/iptc.c b/ext/standard/iptc.c +index 6f8aa5d..41a924b 100644 +--- a/ext/standard/iptc.c ++++ b/ext/standard/iptc.c +@@ -38,6 +38,15 @@ + + #include <sys/stat.h> + ++#ifdef PHP_WIN32 ++# include "win32/php_stdint.h" ++#else ++# if HAVE_INTTYPES_H ++# include <inttypes.h> ++# elif HAVE_STDINT_H ++# include <stdint.h> ++# endif ++#endif + + /* some defines for the different JPEG block types */ + #define M_SOF0 0xC0 /* Start Of Frame N */ |