diff options
-rw-r--r-- | bug72735.patch | 84 | ||||
-rw-r--r-- | php54.spec | 7 |
2 files changed, 90 insertions, 1 deletions
diff --git a/bug72735.patch b/bug72735.patch new file mode 100644 index 0000000..eaa7e78 --- /dev/null +++ b/bug72735.patch @@ -0,0 +1,84 @@ +From d5796fb298abb2a3e389818ad924589fa35e58b9 Mon Sep 17 00:00:00 2001 +From: Kalle Sommer Nielsen <kalle@php.net> +Date: Wed, 3 Aug 2016 17:05:31 +0200 +Subject: [PATCH] Changed the way MAKERNOTE is handled in case we do not have a + matching signature (Remi). + +Before this patch, exif_process_IFD_in_MAKERNOTE() would return false, then causing the rest of the EXIF parsing to be interrupted. This is a regression from earlier which was most likely a part of a security fix for MAKERNOTE. + +The new behavior is to instead of stopping to parse, to continue so we can still fetch data like thumbnail and GPS, thrus allowing yet unsupported formats to parse. If EXIF's debugging mode is enabled, a notice will display in case we do not match against a valid MAKERNOTE signature. + +This should temporarily fix bug #72682 (exif_read_data() fails to read all data for some images) until I get around to debug it further. + +(cherry picked from commit aabcb5481d9e717df77192dab2894468b9fc63b4) +--- + ext/exif/exif.c | 14 ++++++++++++-- + 1 file changed, 12 insertions(+), 2 deletions(-) + +diff --git a/ext/exif/exif.c b/ext/exif/exif.c +index 5564de4..94652e9 100644 +--- a/ext/exif/exif.c ++++ b/ext/exif/exif.c +@@ -1718,6 +1718,10 @@ static void exif_iif_add_value(image_info_type *image_info, int section_index, c + if (!length) + break; + case TAG_FMT_UNDEFINED: ++ if (tag == TAG_MAKER_NOTE) { ++ length = MIN(length, strlen(value)); ++ } ++ + if (value) { + /* do not recompute length here */ + info_value->s = estrndup(value, length); +@@ -2733,8 +2737,14 @@ static int exif_process_IFD_in_MAKERNOTE(image_info_type *ImageInfo, char * valu + char *dir_start; + + for (i=0; i<=sizeof(maker_note_array)/sizeof(maker_note_type); i++) { +- if (i==sizeof(maker_note_array)/sizeof(maker_note_type)) +- return FALSE; ++ if (i==sizeof(maker_note_array)/sizeof(maker_note_type)) { ++#ifdef EXIF_DEBUG ++ exif_error_docref(NULL EXIFERR_CC, ImageInfo, E_NOTICE, "No maker note data found. Detected maker: %s (length = %d)", ImageInfo->make, strlen(ImageInfo->make)); ++#endif ++ /* unknown manufacturer, not an error, use it as a string */ ++ return TRUE; ++ } ++ + maker_note = maker_note_array+i; + + /*exif_error_docref(NULL EXIFERR_CC, ImageInfo, E_NOTICE, "check (%s,%s)", maker_note->make?maker_note->make:"", maker_note->model?maker_note->model:"");*/ +-- +2.1.4 + +From 9667ee4f72c7dafce993b71104a52beb7c3aff15 Mon Sep 17 00:00:00 2001 +From: Anatol Belski <ab@php.net> +Date: Wed, 3 Aug 2016 18:26:29 +0200 +Subject: [PATCH] improve the check, avoid strlen on NULL + +--- + ext/exif/exif.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/ext/exif/exif.c b/ext/exif/exif.c +index 94652e9..f95de3a 100644 +--- a/ext/exif/exif.c ++++ b/ext/exif/exif.c +@@ -1718,11 +1718,11 @@ static void exif_iif_add_value(image_info_type *image_info, int section_index, c + if (!length) + break; + case TAG_FMT_UNDEFINED: +- if (tag == TAG_MAKER_NOTE) { +- length = MIN(length, strlen(value)); +- } +- + if (value) { ++ if (tag == TAG_MAKER_NOTE) { ++ length = MIN(length, strlen(value)); ++ } ++ + /* do not recompute length here */ + info_value->s = estrndup(value, length); + info_data->length = length; +-- +2.1.4 + @@ -98,7 +98,7 @@ Summary: PHP scripting language for creating dynamic web sites Name: php Version: 5.4.45 -Release: 11%{?dist} +Release: 11%{?dist}.1 # All files licensed under PHP version 3.01, except # Zend is licensed under Zend # TSRM is licensed under BSD @@ -213,6 +213,7 @@ Patch252: bug72606.patch Patch253: bug72613.patch Patch254: bug72618.patch Patch255: bug72519.patch +Patch256: bug72735.patch # Fixes for tests # no_NO issue @@ -976,6 +977,7 @@ rm -f ext/json/utf8_to_utf16.* %patch253 -p1 -b .bug72613 %patch254 -p1 -b .bug72618 %patch255 -p1 -b .bug72519 +%patch256 -p1 -b .bug72735 # Fixes for tests %patch301 -p1 -b .datetests2 @@ -1865,6 +1867,9 @@ fi %changelog +* Fri Aug 5 2016 Remi Collet <remi@fedoraproject.org> 5.4.45-11.1 +- fix #72735 regression in exif maker note parser + * Fri Jul 22 2016 Remi Collet <remi@fedoraproject.org> 5.4.45-11 - Fix #70480: php_url_parse_ex() buffer overflow read CVE-2016-6288 |