Backported from 5.5 for 5.4 by Remi Collet From 54c210d2ea9b8539edcde1888b1104b96b38e886 Mon Sep 17 00:00:00 2001 From: Stanislav Malyshev Date: Tue, 26 Jan 2016 17:26:52 -0800 Subject: [PATCH] Fix bug #71459 - Integer overflow in iptcembed() --- ext/standard/iptc.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/ext/standard/iptc.c b/ext/standard/iptc.c index 05d778b..6f8aa5d 100644 --- a/ext/standard/iptc.c +++ b/ext/standard/iptc.c @@ -195,6 +195,11 @@ PHP_FUNCTION(iptcembed) RETURN_FALSE; } + if ((size_t)iptcdata_len >= SIZE_MAX - sizeof(psheader) - 1025) { + php_error_docref(NULL TSRMLS_CC, E_WARNING, "IPTC data too large"); + RETURN_FALSE; + } + if ((fp = VCWD_FOPEN(jpeg_file, "rb")) == 0) { php_error_docref(NULL TSRMLS_CC, E_WARNING, "Unable to open %s", jpeg_file); RETURN_FALSE; @@ -203,7 +208,7 @@ PHP_FUNCTION(iptcembed) if (spool < 2) { fstat(fileno(fp), &sb); - poi = spoolbuf = safe_emalloc(1, iptcdata_len + sizeof(psheader) + sb.st_size + 1024, 1); + poi = spoolbuf = safe_emalloc(1, (size_t)iptcdata_len + sizeof(psheader) + 1024 + 1, sb.st_size); memset(poi, 0, iptcdata_len + sizeof(psheader) + sb.st_size + 1024 + 1); } From 686a17893a56a500a3a6a4fd721e8ca29412f6dc Mon Sep 17 00:00:00 2001 From: Anatol Belski Date: Thu, 28 Jan 2016 13:46:34 +0100 Subject: [PATCH] add missing headers for SIZE_MAX --- ext/standard/iptc.c | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/ext/standard/iptc.c b/ext/standard/iptc.c index 6f8aa5d..41a924b 100644 --- a/ext/standard/iptc.c +++ b/ext/standard/iptc.c @@ -38,6 +38,15 @@ #include +#ifdef PHP_WIN32 +# include "win32/php_stdint.h" +#else +# if HAVE_INTTYPES_H +# include +# elif HAVE_STDINT_H +# include +# endif +#endif /* some defines for the different JPEG block types */ #define M_SOF0 0xC0 /* Start Of Frame N */