From da77c08e873f7152d3fac2f1b905504415ec3324 Mon Sep 17 00:00:00 2001 From: Remi Collet Date: Tue, 2 Apr 2019 14:25:30 +0200 Subject: - exif: Fix #77753 Heap-buffer-overflow in php_ifd_get32s Fix #77831 Heap-buffer-overflow in exif_iif_add_value - sqlite3: Added sqlite3.defensive INI directive --- php-bug77831.patch | 211 +++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 211 insertions(+) create mode 100644 php-bug77831.patch (limited to 'php-bug77831.patch') diff --git a/php-bug77831.patch b/php-bug77831.patch new file mode 100644 index 0000000..840fbfd --- /dev/null +++ b/php-bug77831.patch @@ -0,0 +1,211 @@ +Without test as binary patch not supported + + + + +From 1f2fdcd9a2471e6fac220ec2e7a2ca56b7879113 Mon Sep 17 00:00:00 2001 +From: Stanislav Malyshev +Date: Tue, 2 Apr 2019 00:12:26 -0700 +Subject: [PATCH] Fixed bug #77831 - Heap-buffer-overflow in exif_iif_add_value + in EXIF + +(cherry picked from commit 887a7b571407f7a49a5e7cf1e612d21ef83fedb4) +--- + NEWS | 4 ++++ + ext/exif/exif.c | 43 +++++++++++++++++++++++------------ + ext/exif/tests/bug77831.phpt | 13 +++++++++++ + ext/exif/tests/bug77831.tiff | Bin 0 -> 49 bytes + 4 files changed, 45 insertions(+), 15 deletions(-) + create mode 100644 ext/exif/tests/bug77831.phpt + create mode 100644 ext/exif/tests/bug77831.tiff + +diff --git a/NEWS b/NEWS +index 0bff457d2b..0dde9880d5 100644 +--- a/NEWS ++++ b/NEWS +@@ -3,6 +3,10 @@ PHP NEWS + + Backported from 7.1.28 + ++- EXIF: ++ . Fixed bug #77753 (Heap-buffer-overflow in php_ifd_get32s). (Stas) ++ . Fixed bug #77831 (Heap-buffer-overflow in exif_iif_add_value). (Stas) ++ + - SQLite3: + . Added sqlite3.defensive INI directive. (BohwaZ) + +diff --git a/ext/exif/exif.c b/ext/exif/exif.c +index 4350124305..547bd58dfb 100644 +--- a/ext/exif/exif.c ++++ b/ext/exif/exif.c +@@ -1660,10 +1660,10 @@ static int exif_file_sections_free(image_info_type *ImageInfo) + /* {{{ exif_iif_add_value + Add a value to image_info + */ +-static void exif_iif_add_value(image_info_type *image_info, int section_index, char *name, int tag, int format, int length, void* value, int motorola_intel TSRMLS_DC) ++static void exif_iif_add_value(image_info_type *image_info, int section_index, char *name, int tag, int format, int length, void* value, size_t value_len, int motorola_intel TSRMLS_DC) + { + size_t idex; +- void *vptr; ++ void *vptr, *vptr_end; + image_info_value *info_value; + image_info_data *info_data; + image_info_data *list; +@@ -1685,8 +1685,12 @@ static void exif_iif_add_value(image_info_type *image_info, int section_index, c + + switch (format) { + case TAG_FMT_STRING: ++ if (length > value_len) { ++ exif_error_docref("exif_iif_add_value" EXIFERR_CC, image_info, E_WARNING, "length > value_len: %d > %zu", length, value_len); ++ value = NULL; ++ } + if (value) { +- length = php_strnlen(value, length); ++ length = (int)php_strnlen(value, length); + info_value->s = estrndup(value, length); + info_data->length = length; + } else { +@@ -1708,6 +1712,10 @@ static void exif_iif_add_value(image_info_type *image_info, int section_index, c + if (!length) + break; + case TAG_FMT_UNDEFINED: ++ if (length > value_len) { ++ exif_error_docref("exif_iif_add_value" EXIFERR_CC, image_info, E_WARNING, "length > value_len: %d > %zu", length, value_len); ++ value = NULL; ++ } + if (value) { + if (tag == TAG_MAKER_NOTE) { + length = (int) php_strnlen(value, length); +@@ -1738,7 +1746,12 @@ static void exif_iif_add_value(image_info_type *image_info, int section_index, c + } else { + info_value = &info_data->value; + } ++ vptr_end = value+value_len; + for (idex=0,vptr=value; idex<(size_t)length; idex++,vptr=(char *) vptr + php_tiff_bytes_per_format[format]) { ++ if (vptr_end - vptr < php_tiff_bytes_per_format[format]) { ++ exif_error_docref("exif_iif_add_value" EXIFERR_CC, image_info, E_WARNING, "Value too short"); ++ break; ++ } + if (length>1) { + info_value = &info_data->value.list[idex]; + } +@@ -1774,7 +1787,7 @@ static void exif_iif_add_value(image_info_type *image_info, int section_index, c + php_error_docref(NULL TSRMLS_CC, E_WARNING, "Found value of type single"); + #endif + info_value->f = *(float *)value; +- ++ break; + case TAG_FMT_DOUBLE: + #ifdef EXIF_DEBUG + php_error_docref(NULL TSRMLS_CC, E_WARNING, "Found value of type double"); +@@ -1792,9 +1805,9 @@ static void exif_iif_add_value(image_info_type *image_info, int section_index, c + /* {{{ exif_iif_add_tag + Add a tag from IFD to image_info + */ +-static void exif_iif_add_tag(image_info_type *image_info, int section_index, char *name, int tag, int format, size_t length, void* value TSRMLS_DC) ++static void exif_iif_add_tag(image_info_type *image_info, int section_index, char *name, int tag, int format, size_t length, void* value, size_t value_len TSRMLS_DC) + { +- exif_iif_add_value(image_info, section_index, name, tag, format, (int)length, value, image_info->motorola_intel TSRMLS_CC); ++ exif_iif_add_value(image_info, section_index, name, tag, format, (int)length, value, value_len, image_info->motorola_intel TSRMLS_CC); + } + /* }}} */ + +@@ -2218,7 +2231,7 @@ static void add_assoc_image_info(zval *value, int sub_array, image_info_type *im + */ + static void exif_process_COM (image_info_type *image_info, char *value, size_t length TSRMLS_DC) + { +- exif_iif_add_tag(image_info, SECTION_COMMENT, "Comment", TAG_COMPUTED_VALUE, TAG_FMT_STRING, length-2, value+2 TSRMLS_CC); ++ exif_iif_add_tag(image_info, SECTION_COMMENT, "Comment", TAG_COMPUTED_VALUE, TAG_FMT_STRING, length-2, value+2, length-2 TSRMLS_CC); + } + /* }}} */ + +@@ -2233,17 +2246,17 @@ static void exif_process_CME (image_info_type *image_info, char *value, size_t l + if (length>3) { + switch(value[2]) { + case 0: +- exif_iif_add_tag(image_info, SECTION_COMMENT, "Comment", TAG_COMPUTED_VALUE, TAG_FMT_UNDEFINED, length, value TSRMLS_CC); ++ exif_iif_add_tag(image_info, SECTION_COMMENT, "Comment", TAG_COMPUTED_VALUE, TAG_FMT_UNDEFINED, length, value, length TSRMLS_CC); + break; + case 1: +- exif_iif_add_tag(image_info, SECTION_COMMENT, "Comment", TAG_COMPUTED_VALUE, TAG_FMT_STRING, length, value); ++ exif_iif_add_tag(image_info, SECTION_COMMENT, "Comment", TAG_COMPUTED_VALUE, TAG_FMT_STRING, length, value, length); + break; + default: + php_error_docref(NULL TSRMLS_CC, E_NOTICE, "Undefined JPEG2000 comment encoding"); + break; + } + } else { +- exif_iif_add_tag(image_info, SECTION_COMMENT, "Comment", TAG_COMPUTED_VALUE, TAG_FMT_UNDEFINED, 0, NULL); ++ exif_iif_add_tag(image_info, SECTION_COMMENT, "Comment", TAG_COMPUTED_VALUE, TAG_FMT_UNDEFINED, 0, NULL, 0 TSRMLS_CC); + php_error_docref(NULL TSRMLS_CC, E_NOTICE, "JPEG2000 comment section too small"); + } + } +@@ -2837,7 +2850,7 @@ static int exif_process_IFD_in_MAKERNOTE(image_info_type *ImageInfo, char * valu + static int exif_process_IFD_TAG(image_info_type *ImageInfo, char *dir_entry, char *offset_base, size_t IFDlength, size_t displacement, int section_index, int ReadNextIFD, tag_table_type tag_table TSRMLS_DC) + { + size_t length; +- int tag, format, components; ++ unsigned int tag, format, components; + char *value_ptr, tagname[64], cbuf[32], *outside=NULL; + size_t byte_count, offset_val, fpos, fgot; + int64_t byte_count_signed; +@@ -3148,7 +3161,7 @@ static int exif_process_IFD_TAG(image_info_type *ImageInfo, char *dir_entry, cha + } + } + } +- exif_iif_add_tag(ImageInfo, section_index, exif_get_tagname(tag, tagname, sizeof(tagname), tag_table TSRMLS_CC), tag, format, components, value_ptr TSRMLS_CC); ++ exif_iif_add_tag(ImageInfo, section_index, exif_get_tagname(tag, tagname, sizeof(tagname), tag_table TSRMLS_CC), tag, format, components, value_ptr, byte_count TSRMLS_CC); + EFREE_IF(outside); + return TRUE; + } +@@ -3306,10 +3319,10 @@ static void exif_process_APP12(image_info_type *ImageInfo, char *buffer, size_t + size_t l1, l2=0; + + if ((l1 = php_strnlen(buffer+2, length-2)) > 0) { +- exif_iif_add_tag(ImageInfo, SECTION_APP12, "Company", TAG_NONE, TAG_FMT_STRING, l1, buffer+2 TSRMLS_CC); ++ exif_iif_add_tag(ImageInfo, SECTION_APP12, "Company", TAG_NONE, TAG_FMT_STRING, l1, buffer+2, l1 TSRMLS_CC); + if (length > 2+l1+1) { + l2 = php_strnlen(buffer+2+l1+1, length-2-l1-1); +- exif_iif_add_tag(ImageInfo, SECTION_APP12, "Info", TAG_NONE, TAG_FMT_STRING, l2, buffer+2+l1+1 TSRMLS_CC); ++ exif_iif_add_tag(ImageInfo, SECTION_APP12, "Info", TAG_NONE, TAG_FMT_STRING, l2, buffer+2+l1+1, l2 TSRMLS_CC); + } + } + #ifdef EXIF_DEBUG +@@ -4107,7 +4120,7 @@ PHP_FUNCTION(exif_read_data) + if (ImageInfo.Thumbnail.size) { + if (read_thumbnail) { + /* not exif_iif_add_str : this is a buffer */ +- exif_iif_add_tag(&ImageInfo, SECTION_THUMBNAIL, "THUMBNAIL", TAG_NONE, TAG_FMT_UNDEFINED, ImageInfo.Thumbnail.size, ImageInfo.Thumbnail.data TSRMLS_CC); ++ exif_iif_add_tag(&ImageInfo, SECTION_THUMBNAIL, "THUMBNAIL", TAG_NONE, TAG_FMT_UNDEFINED, ImageInfo.Thumbnail.size, ImageInfo.Thumbnail.data, ImageInfo.Thumbnail.size TSRMLS_CC); + } + if (!ImageInfo.Thumbnail.width || !ImageInfo.Thumbnail.height) { + /* try to evaluate if thumbnail data is present */ +From 8b4b035dcd3f382e9de4e2f661df2dc0797fc478 Mon Sep 17 00:00:00 2001 +From: "Christoph M. Becker" +Date: Tue, 2 Apr 2019 10:37:40 +0200 +Subject: [PATCH] Pointer arithmetic on void pointers is illegal + +We quick-fix this by casting to char*; it might be more appropriate to +use char pointers in the first place. + +(cherry picked from commit 01a4de5c5821f67daeff487ef9b3047ce7b47c4c) +--- + ext/exif/exif.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/ext/exif/exif.c b/ext/exif/exif.c +index 547bd58dfb..81cf438a8e 100644 +--- a/ext/exif/exif.c ++++ b/ext/exif/exif.c +@@ -1746,9 +1746,9 @@ static void exif_iif_add_value(image_info_type *image_info, int section_index, c + } else { + info_value = &info_data->value; + } +- vptr_end = value+value_len; ++ vptr_end = (char *) value + value_len; + for (idex=0,vptr=value; idex<(size_t)length; idex++,vptr=(char *) vptr + php_tiff_bytes_per_format[format]) { +- if (vptr_end - vptr < php_tiff_bytes_per_format[format]) { ++ if ((char *) vptr_end - (char *) vptr < php_tiff_bytes_per_format[format]) { + exif_error_docref("exif_iif_add_value" EXIFERR_CC, image_info, E_WARNING, "Value too short"); + break; + } -- cgit