From 85516dbd23e25135236ffb441d61dcdefd96eeaf Mon Sep 17 00:00:00 2001 From: Remi Collet Date: Mon, 4 Mar 2019 14:58:46 +0100 Subject: - exif: Fix #77509 Uninitialized read in exif_process_IFD_in_TIFF Fix #77540 Invalid Read on exif_process_SOFn Fix #77563 Uninitialized read in exif_process_IFD_in_MAKERNOTE Fix #77659 Uninitialized read in exif_process_IFD_in_MAKERNOTE --- php-bug77540.patch | 103 +++++++++++++++++++++++++++++++++++++++++++++++++++++ php-bug77563.patch | 42 ++++++++++++++++++++++ php56.spec | 37 ++++++++++++------- 3 files changed, 170 insertions(+), 12 deletions(-) create mode 100644 php-bug77540.patch create mode 100644 php-bug77563.patch diff --git a/php-bug77540.patch b/php-bug77540.patch new file mode 100644 index 0000000..228c59d --- /dev/null +++ b/php-bug77540.patch @@ -0,0 +1,103 @@ +Backported for 5.6 from 7.1 by remi +without binary diff + + + +From 5e824a88d073d282c4f358f186cb87ddc284f83d Mon Sep 17 00:00:00 2001 +From: Stanislav Malyshev +Date: Fri, 1 Mar 2019 23:25:45 -0800 +Subject: [PATCH] Fix integer overflows on 32-bits + +--- + ext/exif/exif.c | 14 +++++++------- + 1 file changed, 7 insertions(+), 7 deletions(-) + +diff --git a/ext/exif/exif.c b/ext/exif/exif.c +index cbde3effedf9..b4563927a505 100644 +--- a/ext/exif/exif.c ++++ b/ext/exif/exif.c +@@ -3577,10 +3577,10 @@ static int exif_process_IFD_in_TIFF(image_info_type *ImageInfo, size_t dir_offse + tag_table_type tag_table = exif_get_tag_table(section_index); + + if (ImageInfo->ifd_nesting_level > MAX_IFD_NESTING_LEVEL) { +- return FALSE; +- } ++ return FALSE; ++ } + +- if (ImageInfo->FileSize >= dir_offset+2) { ++ if (ImageInfo->FileSize >= 2 && ImageInfo->FileSize - 2 >= dir_offset) { + sn = exif_file_sections_add(ImageInfo, M_PSEUDO, 2, NULL); + #ifdef EXIF_DEBUG + exif_error_docref(NULL EXIFERR_CC, ImageInfo, E_NOTICE, "Read from TIFF: filesize(x%04X), IFD dir(x%04X + x%04X)", ImageInfo->FileSize, dir_offset, 2); +@@ -3588,8 +3588,8 @@ static int exif_process_IFD_in_TIFF(image_info_type *ImageInfo, size_t dir_offse + php_stream_seek(ImageInfo->infile, dir_offset, SEEK_SET); /* we do not know the order of sections */ + php_stream_read(ImageInfo->infile, (char*)ImageInfo->file.list[sn].data, 2); + num_entries = php_ifd_get16u(ImageInfo->file.list[sn].data, ImageInfo->motorola_intel); +- dir_size = 2/*num dir entries*/ +12/*length of entry*/*num_entries +4/* offset to next ifd (points to thumbnail or NULL)*/; +- if (ImageInfo->FileSize >= dir_offset+dir_size) { ++ dir_size = 2/*num dir entries*/ +12/*length of entry*/*(size_t)num_entries +4/* offset to next ifd (points to thumbnail or NULL)*/; ++ if (ImageInfo->FileSize >= dir_size && ImageInfo->FileSize - dir_size >= dir_offset) { + #ifdef EXIF_DEBUG + exif_error_docref(NULL EXIFERR_CC, ImageInfo, E_NOTICE, "Read from TIFF: filesize(x%04X), IFD dir(x%04X + x%04X), IFD entries(%d)", ImageInfo->FileSize, dir_offset+2, dir_size-2, num_entries); + #endif +@@ -3672,9 +3672,9 @@ static int exif_process_IFD_in_TIFF(image_info_type *ImageInfo, size_t dir_offse + } + } + } +- if (ImageInfo->FileSize >= dir_offset + ImageInfo->file.list[sn].size) { ++ if (ImageInfo->FileSize >= ImageInfo->file.list[sn].size && ImageInfo->FileSize - ImageInfo->file.list[sn].size >= dir_offset) { + if (ifd_size > dir_size) { +- if (dir_offset + ifd_size > ImageInfo->FileSize) { ++ if (ImageInfo->FileSize < ifd_size || dir_offset > ImageInfo->FileSize - ifd_size) { + exif_error_docref(NULL EXIFERR_CC, ImageInfo, E_WARNING, "Error in TIFF: filesize(x%04X) less than size of IFD(x%04X + x%04X)", ImageInfo->FileSize, dir_offset, ifd_size); + return FALSE; + } +From 5f0e62a3e5b525163e538aaab0161c2c8c5d057b Mon Sep 17 00:00:00 2001 +From: Stanislav Malyshev +Date: Sat, 2 Mar 2019 13:38:00 -0800 +Subject: [PATCH] Fix bug #77540 - Invalid Read on exif_process_SOFn + +--- + ext/exif/exif.c | 10 ++++++++-- + ext/exif/tests/bug77540.jpg | Bin 0 -> 91 bytes + ext/exif/tests/bug77540.phpt | 16 ++++++++++++++++ + 3 files changed, 24 insertions(+), 2 deletions(-) + create mode 100644 ext/exif/tests/bug77540.jpg + create mode 100644 ext/exif/tests/bug77540.phpt + +diff --git a/ext/exif/exif.c b/ext/exif/exif.c +index b4563927a505..ea88a8f115e8 100644 +--- a/ext/exif/exif.c ++++ b/ext/exif/exif.c +@@ -3519,7 +3519,7 @@ static int exif_scan_thumbnail(image_info_type *ImageInfo) + return FALSE; + marker = c; + length = php_jpg_get16(data+pos); +- if (pos+length>=ImageInfo->Thumbnail.size) { ++ if (length > ImageInfo->Thumbnail.size || pos >= ImageInfo->Thumbnail.size - length) { + return FALSE; + } + #ifdef EXIF_DEBUG +@@ -3540,6 +3540,10 @@ static int exif_scan_thumbnail(image_info_type *ImageInfo) + case M_SOF14: + case M_SOF15: + /* handle SOFn block */ ++ if (length < 8 || ImageInfo->Thumbnail.size - 8 < pos) { ++ /* exif_process_SOFn needs 8 bytes */ ++ return FALSE; ++ } + exif_process_SOFn(data+pos, marker, &sof_info); + ImageInfo->Thumbnail.height = sof_info.height; + ImageInfo->Thumbnail.width = sof_info.width; +@@ -4183,7 +4187,9 @@ PHP_FUNCTION(exif_thumbnail) + ZVAL_STRINGL(return_value, ImageInfo.Thumbnail.data, ImageInfo.Thumbnail.size, 1); + if (arg_c >= 3) { + if (!ImageInfo.Thumbnail.width || !ImageInfo.Thumbnail.height) { +- exif_scan_thumbnail(&ImageInfo TSRMLS_CC); ++ if (!exif_scan_thumbnail(&ImageInfo TSRMLS_CC)) { ++ ImageInfo.Thumbnail.width = ImageInfo.Thumbnail.height = 0; ++ } + } + zval_dtor(p_width); + zval_dtor(p_height); diff --git a/php-bug77563.patch b/php-bug77563.patch new file mode 100644 index 0000000..33b196d --- /dev/null +++ b/php-bug77563.patch @@ -0,0 +1,42 @@ +Backported for 5.6 from 7.1 by remi +without binary diff + + + +From 8ac6fee8562533a15db90062117210ed28b44fea Mon Sep 17 00:00:00 2001 +From: Stanislav Malyshev +Date: Sat, 2 Mar 2019 15:07:40 -0800 +Subject: [PATCH] Fix bug #77563 - Uninitialized read in + exif_process_IFD_in_MAKERNOTE + +Also fix for bug #77659 +--- + ext/exif/exif.c | 3 ++- + ext/exif/tests/bug77563.jpg | Bin 0 -> 63 bytes + ext/exif/tests/bug77563.phpt | 16 ++++++++++++++++ + 3 files changed, 18 insertions(+), 1 deletion(-) + create mode 100644 ext/exif/tests/bug77563.jpg + create mode 100644 ext/exif/tests/bug77563.phpt + +diff --git a/ext/exif/exif.c b/ext/exif/exif.c +index ea88a8f115e8..fe89b8547118 100644 +--- a/ext/exif/exif.c ++++ b/ext/exif/exif.c +@@ -2751,7 +2751,7 @@ static int exif_process_IFD_in_MAKERNOTE(image_info_type *ImageInfo, char * valu + break; + } + +- if (maker_note->offset >= value_len) { ++ if (value_len < 2 || maker_note->offset >= value_len - 1) { + /* Do not go past the value end */ + exif_error_docref("exif_read_data#error_ifd" EXIFERR_CC, ImageInfo, E_WARNING, "IFD data too short: 0x%04X offset 0x%04X", value_len, maker_note->offset); + return FALSE; +@@ -2804,6 +2804,7 @@ static int exif_process_IFD_in_MAKERNOTE(image_info_type *ImageInfo, char * valu + break; + default: + case MN_OFFSET_NORMAL: ++ data_len = value_len; + break; + } + + diff --git a/php56.spec b/php56.spec index a7f67f9..e4c1a87 100644 --- a/php56.spec +++ b/php56.spec @@ -142,7 +142,7 @@ Summary: PHP scripting language for creating dynamic web sites Name: php Version: 5.6.40 -Release: 1%{?dist} +Release: 3%{?dist} # All files licensed under PHP version 3.01, except # Zend is licensed under Zend # TSRM is licensed under BSD @@ -203,6 +203,8 @@ Patch91: php-5.6.3-oci8conf.patch Patch100: php-5.6.31-oci.patch # Security fixes (200+) +Patch210: php-bug77540.patch +Patch211: php-bug77563.patch # Fixes for tests (300+) # Factory is droped from system tzdata @@ -962,6 +964,8 @@ echo CIBLE = %{name}-%{version}-%{release} oci8=%{with_oci8} libzip=%{with_libzi %patch100 -p1 -b .pdo_oci # security patches +%patch210 -p1 -b .bug77540 +%patch211 -p1 -b .bug77563 # Fixes for tests %patch300 -p1 -b .datetests @@ -1730,17 +1734,6 @@ rm -rf $RPM_BUILD_ROOT%{_libdir}/php/modules/*.a \ rm -f README.{Zeus,QNX,CVS-RULES} -%pre common -echo -e "\nWARNING : These %{name}-* RPMs are not official Fedora / Red Hat build and" -echo -e "overrides the official ones. Don't file bugs on Fedora Project nor Red Hat.\n" -echo -e "Use dedicated forum at http://forum.remirepo.net/\n" - -%if %{?fedora}%{!?fedora:99} < 28 -echo -e "WARNING : Fedora %{fedora} is now EOL :" -echo -e "You should consider upgrading to a supported release.\n" -%endif - - %if ! %{with_httpd2410} %pre fpm # Add the "apache" user as we don't require httpd @@ -1820,6 +1813,19 @@ fi %postun embedded -p /sbin/ldconfig +%posttrans common +cat << EOF +===================================================================== + + WARNING : PHP 5.6 have reached its "End of Life" in January 2019. + Even, if this package includes some of the important security fix, + backported from 7.1, + The UPGRADE to a maintained version is very strongly RECOMMENDED. + +===================================================================== +EOF + + %{!?_licensedir:%global license %%doc} %files @@ -1990,6 +1996,13 @@ fi %changelog +* Mon Mar 4 2019 Remi Collet - 5.6.40-3 +- exif: + Fix #77509 Uninitialized read in exif_process_IFD_in_TIFF + Fix #77540 Invalid Read on exif_process_SOFn + Fix #77563 Uninitialized read in exif_process_IFD_in_MAKERNOTE + Fix #77659 Uninitialized read in exif_process_IFD_in_MAKERNOTE + * Wed Jan 9 2019 Remi Collet - 5.6.40-1 - Update to 5.6.40 - http://www.php.net/releases/5_6_40.php -- cgit