- exif:

Fix #77509 Uninitialized read in exif_process_IFD_in_TIFF Fix #77540 Invalid Read on exif_process_SOFn Fix #77563 Uninitialized read in exif_process_IFD_in_MAKERNOTE Fix #77659 Uninitialized read in exif_process_IFD_in_MAKERNOTE
author: Remi Collet <remi@remirepo.net> 2019-03-04 14:58:46 +0100
committer: Remi Collet <remi@remirepo.net> 2019-03-04 14:58:46 +0100
commit: 85516dbd23e25135236ffb441d61dcdefd96eeaf (patch)
tree: c158b6006ac5992ba17941906b810fc956e8a6cc
parent: 7d43050e34c6781a796b3d069920f0e85d1d9c16 (diff)
3 files changed, 170 insertions, 12 deletions
diff --git a/php-bug77540.patch b/php-bug77540.patch
new file mode 100644
index 0000000..228c59d
--- /dev/null
+++ b/php-bug77540.patch
@@ -0,0 +1,103 @@
+Backported for 5.6 from 7.1 by remi
+without binary diff
+
+
+
+From 5e824a88d073d282c4f358f186cb87ddc284f83d Mon Sep 17 00:00:00 2001
+From: Stanislav Malyshev <stas@php.net>
+Date: Fri, 1 Mar 2019 23:25:45 -0800
+Subject: [PATCH] Fix integer overflows on 32-bits
+
+---
+ ext/exif/exif.c | 14 +++++++-------
+ 1 file changed, 7 insertions(+), 7 deletions(-)
+
+diff --git a/ext/exif/exif.c b/ext/exif/exif.c
+index cbde3effedf9..b4563927a505 100644
+--- a/ext/exif/exif.c
++++ b/ext/exif/exif.c
+@@ -3577,10 +3577,10 @@ static int exif_process_IFD_in_TIFF(image_info_type *ImageInfo, size_t dir_offse
+ 	tag_table_type tag_table = exif_get_tag_table(section_index);
+ 
+ 	if (ImageInfo->ifd_nesting_level > MAX_IFD_NESTING_LEVEL) {
+-                return FALSE;
+-        }
++		return FALSE;
++	}
+ 
+-	if (ImageInfo->FileSize >= dir_offset+2) {
++	if (ImageInfo->FileSize >= 2 && ImageInfo->FileSize - 2 >= dir_offset) {
+ 		sn = exif_file_sections_add(ImageInfo, M_PSEUDO, 2, NULL);
+ #ifdef EXIF_DEBUG
+ 		exif_error_docref(NULL EXIFERR_CC, ImageInfo, E_NOTICE, "Read from TIFF: filesize(x%04X), IFD dir(x%04X + x%04X)", ImageInfo->FileSize, dir_offset, 2);
+@@ -3588,8 +3588,8 @@ static int exif_process_IFD_in_TIFF(image_info_type *ImageInfo, size_t dir_offse
+ 		php_stream_seek(ImageInfo->infile, dir_offset, SEEK_SET); /* we do not know the order of sections */
+ 		php_stream_read(ImageInfo->infile, (char*)ImageInfo->file.list[sn].data, 2);
+ 		num_entries = php_ifd_get16u(ImageInfo->file.list[sn].data, ImageInfo->motorola_intel);
+-		dir_size = 2/*num dir entries*/ +12/*length of entry*/*num_entries +4/* offset to next ifd (points to thumbnail or NULL)*/;
+-		if (ImageInfo->FileSize >= dir_offset+dir_size) {
++		dir_size = 2/*num dir entries*/ +12/*length of entry*/*(size_t)num_entries +4/* offset to next ifd (points to thumbnail or NULL)*/;
++		if (ImageInfo->FileSize >= dir_size && ImageInfo->FileSize - dir_size >= dir_offset) {
+ #ifdef EXIF_DEBUG
+ 			exif_error_docref(NULL EXIFERR_CC, ImageInfo, E_NOTICE, "Read from TIFF: filesize(x%04X), IFD dir(x%04X + x%04X), IFD entries(%d)", ImageInfo->FileSize, dir_offset+2, dir_size-2, num_entries);
+ #endif
+@@ -3672,9 +3672,9 @@ static int exif_process_IFD_in_TIFF(image_info_type *ImageInfo, size_t dir_offse
+ 					}
+ 				}
+ 			}
+-			if (ImageInfo->FileSize >= dir_offset + ImageInfo->file.list[sn].size) {
++			if (ImageInfo->FileSize >= ImageInfo->file.list[sn].size && ImageInfo->FileSize - ImageInfo->file.list[sn].size >= dir_offset) {
+ 				if (ifd_size > dir_size) {
+-					if (dir_offset + ifd_size > ImageInfo->FileSize) {
++					if (ImageInfo->FileSize < ifd_size || dir_offset > ImageInfo->FileSize - ifd_size) {
+ 						exif_error_docref(NULL EXIFERR_CC, ImageInfo, E_WARNING, "Error in TIFF: filesize(x%04X) less than size of IFD(x%04X + x%04X)", ImageInfo->FileSize, dir_offset, ifd_size);
+ 						return FALSE;
+ 					}
+From 5f0e62a3e5b525163e538aaab0161c2c8c5d057b Mon Sep 17 00:00:00 2001
+From: Stanislav Malyshev <stas@php.net>
+Date: Sat, 2 Mar 2019 13:38:00 -0800
+Subject: [PATCH] Fix bug #77540 - Invalid Read on exif_process_SOFn
+
+---
+ ext/exif/exif.c              |  10 ++++++++--
+ ext/exif/tests/bug77540.jpg  | Bin 0 -> 91 bytes
+ ext/exif/tests/bug77540.phpt |  16 ++++++++++++++++
+ 3 files changed, 24 insertions(+), 2 deletions(-)
+ create mode 100644 ext/exif/tests/bug77540.jpg
+ create mode 100644 ext/exif/tests/bug77540.phpt
+
+diff --git a/ext/exif/exif.c b/ext/exif/exif.c
+index b4563927a505..ea88a8f115e8 100644
+--- a/ext/exif/exif.c
++++ b/ext/exif/exif.c
+@@ -3519,7 +3519,7 @@ static int exif_scan_thumbnail(image_info_type *ImageInfo)
+ 			return FALSE;
+ 		marker = c;
+ 		length = php_jpg_get16(data+pos);
+-		if (pos+length>=ImageInfo->Thumbnail.size) {
++		if (length > ImageInfo->Thumbnail.size || pos >= ImageInfo->Thumbnail.size - length) {
+ 			return FALSE;
+ 		}
+ #ifdef EXIF_DEBUG
+@@ -3540,6 +3540,10 @@ static int exif_scan_thumbnail(image_info_type *ImageInfo)
+ 			case M_SOF14:
+ 			case M_SOF15:
+ 				/* handle SOFn block */
++				if (length < 8 || ImageInfo->Thumbnail.size - 8 < pos) {
++					/* exif_process_SOFn needs 8 bytes */
++					return FALSE;
++				}
+ 				exif_process_SOFn(data+pos, marker, &sof_info);
+ 				ImageInfo->Thumbnail.height   = sof_info.height;
+ 				ImageInfo->Thumbnail.width    = sof_info.width;
+@@ -4183,7 +4187,9 @@ PHP_FUNCTION(exif_thumbnail)
+ 	ZVAL_STRINGL(return_value, ImageInfo.Thumbnail.data, ImageInfo.Thumbnail.size, 1);
+ 	if (arg_c >= 3) {
+ 		if (!ImageInfo.Thumbnail.width || !ImageInfo.Thumbnail.height) {
+-			exif_scan_thumbnail(&ImageInfo TSRMLS_CC);
++			if (!exif_scan_thumbnail(&ImageInfo TSRMLS_CC)) {
++				ImageInfo.Thumbnail.width = ImageInfo.Thumbnail.height = 0;
++			}
+ 		}
+ 		zval_dtor(p_width);
+ 		zval_dtor(p_height);
diff --git a/php-bug77563.patch b/php-bug77563.patch
new file mode 100644
index 0000000..33b196d
--- /dev/null
+++ b/php-bug77563.patch
@@ -0,0 +1,42 @@
+Backported for 5.6 from 7.1 by remi
+without binary diff
+
+
+
+From 8ac6fee8562533a15db90062117210ed28b44fea Mon Sep 17 00:00:00 2001
+From: Stanislav Malyshev <stas@php.net>
+Date: Sat, 2 Mar 2019 15:07:40 -0800
+Subject: [PATCH] Fix bug #77563 - Uninitialized read in
+ exif_process_IFD_in_MAKERNOTE
+
+Also fix for bug #77659
+---
+ ext/exif/exif.c              |   3 ++-
+ ext/exif/tests/bug77563.jpg  | Bin 0 -> 63 bytes
+ ext/exif/tests/bug77563.phpt |  16 ++++++++++++++++
+ 3 files changed, 18 insertions(+), 1 deletion(-)
+ create mode 100644 ext/exif/tests/bug77563.jpg
+ create mode 100644 ext/exif/tests/bug77563.phpt
+
+diff --git a/ext/exif/exif.c b/ext/exif/exif.c
+index ea88a8f115e8..fe89b8547118 100644
+--- a/ext/exif/exif.c
++++ b/ext/exif/exif.c
+@@ -2751,7 +2751,7 @@ static int exif_process_IFD_in_MAKERNOTE(image_info_type *ImageInfo, char * valu
+ 		break;
+ 	}
+ 
+-	if (maker_note->offset >= value_len) {
++	if (value_len < 2 || maker_note->offset >= value_len - 1) {
+ 		/* Do not go past the value end */
+ 		exif_error_docref("exif_read_data#error_ifd" EXIFERR_CC, ImageInfo, E_WARNING, "IFD data too short: 0x%04X offset 0x%04X", value_len, maker_note->offset);
+ 		return FALSE;
+@@ -2804,6 +2804,7 @@ static int exif_process_IFD_in_MAKERNOTE(image_info_type *ImageInfo, char * valu
+ 			break;
+ 		default:
+ 		case MN_OFFSET_NORMAL:
++			data_len = value_len;
+ 			break;
+ 	}
+ 
+
diff --git a/php56.spec b/php56.spec
index a7f67f9..e4c1a87 100644
--- a/php56.spec
+++ b/php56.spec
@@ -142,7 +142,7 @@
 Summary: PHP scripting language for creating dynamic web sites
 Name: php
 Version: 5.6.40
-Release: 1%{?dist}
+Release: 3%{?dist}
 # All files licensed under PHP version 3.01, except
 # Zend is licensed under Zend
 # TSRM is licensed under BSD
@@ -203,6 +203,8 @@ Patch91: php-5.6.3-oci8conf.patch
 Patch100: php-5.6.31-oci.patch
 
 # Security fixes (200+)
+Patch210: php-bug77540.patch
+Patch211: php-bug77563.patch
 
 # Fixes for tests (300+)
 # Factory is droped from system tzdata
@@ -962,6 +964,8 @@ echo CIBLE = %{name}-%{version}-%{release} oci8=%{with_oci8} libzip=%{with_libzi
 %patch100 -p1 -b .pdo_oci
 
 # security patches
+%patch210 -p1 -b .bug77540
+%patch211 -p1 -b .bug77563
 
 # Fixes for tests
 %patch300 -p1 -b .datetests
@@ -1730,17 +1734,6 @@ rm -rf $RPM_BUILD_ROOT%{_libdir}/php/modules/*.a \
 rm -f README.{Zeus,QNX,CVS-RULES}
 
 
-%pre common
-echo -e "\nWARNING : These %{name}-* RPMs are not official Fedora / Red Hat build and"
-echo -e "overrides the official ones. Don't file bugs on Fedora Project nor Red Hat.\n"
-echo -e "Use dedicated forum at http://forum.remirepo.net/\n"
-
-%if %{?fedora}%{!?fedora:99} < 28
-echo -e "WARNING : Fedora %{fedora} is now EOL :"
-echo -e "You should consider upgrading to a supported release.\n"
-%endif
-
-
 %if ! %{with_httpd2410}
 %pre fpm
 # Add the "apache" user as we don't require httpd
@@ -1820,6 +1813,19 @@ fi
 %postun embedded -p /sbin/ldconfig
 
 
+%posttrans common
+cat << EOF
+=====================================================================
+
+ WARNING : PHP 5.6 have reached its "End of Life" in January 2019.
+ Even, if this package includes some of the important security fix,
+ backported from 7.1,
+ The UPGRADE to a maintained version is very strongly RECOMMENDED.
+
+=====================================================================
+EOF
+
+
 %{!?_licensedir:%global license %%doc}
 
 %files
@@ -1990,6 +1996,13 @@ fi
 
 
 %changelog
+* Mon Mar  4 2019 Remi Collet <remi@remirepo.net> - 5.6.40-3
+- exif:
+  Fix #77509 Uninitialized read in exif_process_IFD_in_TIFF
+  Fix #77540 Invalid Read on exif_process_SOFn
+  Fix #77563 Uninitialized read in exif_process_IFD_in_MAKERNOTE
+  Fix #77659 Uninitialized read in exif_process_IFD_in_MAKERNOTE
+
 * Wed Jan  9 2019 Remi Collet <remi@remirepo.net> - 5.6.40-1
 - Update to 5.6.40 - http://www.php.net/releases/5_6_40.php
author	Remi Collet <remi@remirepo.net>	2019-03-04 14:58:46 +0100
committer	Remi Collet <remi@remirepo.net>	2019-03-04 14:58:46 +0100
commit	85516dbd23e25135236ffb441d61dcdefd96eeaf (patch)
tree	c158b6006ac5992ba17941906b810fc956e8a6cc
parent	7d43050e34c6781a796b3d069920f0e85d1d9c16 (diff)