From 42bb2c9221ab019a8d42a11644eceaf7b05d39d9 Mon Sep 17 00:00:00 2001 From: Remi Collet Date: Wed, 27 Apr 2016 09:04:26 +0200 Subject: php 5.4 add security patches, backported from 5.5.35 --- bug72094.patch | 75 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 75 insertions(+) create mode 100644 bug72094.patch (limited to 'bug72094.patch') diff --git a/bug72094.patch b/bug72094.patch new file mode 100644 index 0000000..2fa4df7 --- /dev/null +++ b/bug72094.patch @@ -0,0 +1,75 @@ +Backported for 5.4 from 5.5.35 by Remi Collet +Binary diff removed + +From 082aecfc3a753ad03be82cf14f03ac065723ec92 Mon Sep 17 00:00:00 2001 +From: Stanislav Malyshev +Date: Sun, 24 Apr 2016 19:33:52 -0700 +Subject: [PATCH] Fix bug #72094 - Out of bounds heap read access in exif + header processing + +--- + ext/exif/exif.c | 17 ++++++++++-- + ext/exif/tests/bug72094.phpt | 61 ++++++++++++++++++++++++++++++++++++++++++ + ext/exif/tests/bug72094_1.jpg | Bin 0 -> 140 bytes + ext/exif/tests/bug72094_2.jpg | Bin 0 -> 140 bytes + ext/exif/tests/bug72094_3.jpg | Bin 0 -> 112 bytes + ext/exif/tests/bug72094_4.jpg | Bin 0 -> 32 bytes + 6 files changed, 76 insertions(+), 2 deletions(-) + create mode 100644 ext/exif/tests/bug72094.phpt + create mode 100644 ext/exif/tests/bug72094_1.jpg + create mode 100644 ext/exif/tests/bug72094_2.jpg + create mode 100644 ext/exif/tests/bug72094_3.jpg + create mode 100644 ext/exif/tests/bug72094_4.jpg + +diff --git a/ext/exif/exif.c b/ext/exif/exif.c +index ff29fdd..f366acc 100644 +--- a/ext/exif/exif.c ++++ b/ext/exif/exif.c +@@ -2965,7 +2965,7 @@ static int exif_process_IFD_TAG(image_info_type *ImageInfo, char *dir_entry, cha + /* When there are any characters after the first NUL */ + ImageInfo->CopyrightPhotographer = estrdup(value_ptr); + ImageInfo->CopyrightEditor = estrndup(value_ptr+length+1, byte_count-length-1); +- spprintf(&ImageInfo->Copyright, 0, "%s, %s", value_ptr, value_ptr+length+1); ++ spprintf(&ImageInfo->Copyright, 0, "%s, %s", ImageInfo->CopyrightPhotographer, ImageInfo->CopyrightEditor); + /* format = TAG_FMT_UNDEFINED; this musn't be ASCII */ + /* but we are not supposed to change this */ + /* keep in mind that image_info does not store editor value */ +@@ -3134,6 +3134,11 @@ static int exif_process_IFD_in_JPEG(image_info_type *ImageInfo, char *dir_start, + + ImageInfo->sections_found |= FOUND_IFD0; + ++ if ((dir_start + 2) >= (offset_base+IFDlength)) { ++ exif_error_docref("exif_read_data#error_ifd" EXIFERR_CC, ImageInfo, E_WARNING, "Illegal IFD size"); ++ return FALSE; ++ } ++ + NumDirEntries = php_ifd_get16u(dir_start, ImageInfo->motorola_intel); + + if ((dir_start+2+NumDirEntries*12) > (offset_base+IFDlength)) { +@@ -3157,6 +3162,10 @@ static int exif_process_IFD_in_JPEG(image_info_type *ImageInfo, char *dir_start, + * Hack to make it process IDF1 I hope + * There are 2 IDFs, the second one holds the keys (0x0201 and 0x0202) to the thumbnail + */ ++ if ((dir_start+2+12*de + 4) >= (offset_base+IFDlength)) { ++ exif_error_docref("exif_read_data#error_ifd" EXIFERR_CC, ImageInfo, E_WARNING, "Illegal IFD size"); ++ return FALSE; ++ } + NextDirOffset = php_ifd_get32u(dir_start+2+12*de, ImageInfo->motorola_intel); + if (NextDirOffset) { + /* the next line seems false but here IFDlength means length of all IFDs */ +@@ -3206,9 +3215,13 @@ static void exif_process_TIFF_in_JPEG(image_info_type *ImageInfo, char *CharBuf, + } + + /* Check the next two values for correctness. */ ++ if (length < 8) { ++ exif_error_docref(NULL EXIFERR_CC, ImageInfo, E_WARNING, "Invalid TIFF start (1)"); ++ return; ++ } + exif_value_2a = php_ifd_get16u(CharBuf+2, ImageInfo->motorola_intel); + offset_of_ifd = php_ifd_get32u(CharBuf+4, ImageInfo->motorola_intel); +- if ( exif_value_2a != 0x2a || offset_of_ifd < 0x08) { ++ if (exif_value_2a != 0x2a || offset_of_ifd < 0x08) { + exif_error_docref(NULL EXIFERR_CC, ImageInfo, E_WARNING, "Invalid TIFF start (1)"); + return; + } + -- cgit