summaryrefslogtreecommitdiffstats
path: root/php-bug78256.patch
diff options
context:
space:
mode:
authorRemi Collet <remi@remirepo.net>2019-07-30 12:13:26 +0200
committerRemi Collet <remi@remirepo.net>2019-07-30 12:13:26 +0200
commit05daae53dc5973acafcaf058685d3766c8505d63 (patch)
tree9977f212071d4fff92667e77b0cc9216c5d1fa58 /php-bug78256.patch
parentc26b254de1a2c65b994cca66fb4ef9ee292b8db7 (diff)
- exif:
Fix #78256 heap-buffer-overflow on exif_process_user_comment CVE-2019-11042 Fix #78222 heap-buffer-overflow on exif_scan_thumbnail CVE-2019-11041 - phar: Fix #77919 Potential UAF in Phar RSHUTDOWN
Diffstat (limited to 'php-bug78256.patch')
-rw-r--r--php-bug78256.patch47
1 files changed, 47 insertions, 0 deletions
diff --git a/php-bug78256.patch b/php-bug78256.patch
new file mode 100644
index 0000000..f4e4232
--- /dev/null
+++ b/php-bug78256.patch
@@ -0,0 +1,47 @@
+Without test as binary patch not supported
+
+
+
+
+From 3174fd02078cd9cfd21dc1256adbb1cf8a6cb973 Mon Sep 17 00:00:00 2001
+From: Stanislav Malyshev <stas@php.net>
+Date: Sun, 7 Jul 2019 17:39:59 -0700
+Subject: [PATCH] Fix bug #78256 (heap-buffer-overflow on
+ exif_process_user_comment)
+
+(cherry picked from commit aeb6d13185a2ea4f1496ede2697469faed98ce05)
+---
+ ext/exif/exif.c | 6 +++---
+ ext/exif/tests/bug78256.jpg | Bin 0 -> 69 bytes
+ ext/exif/tests/bug78256.phpt | 11 +++++++++++
+ 3 files changed, 14 insertions(+), 3 deletions(-)
+ create mode 100644 ext/exif/tests/bug78256.jpg
+ create mode 100644 ext/exif/tests/bug78256.phpt
+
+diff --git a/ext/exif/exif.c b/ext/exif/exif.c
+index 8b379bbb7f..3f8dd907dc 100644
+--- a/ext/exif/exif.c
++++ b/ext/exif/exif.c
+@@ -2619,7 +2619,7 @@ static int exif_process_user_comment(image_info_type *ImageInfo, char **pszInfoP
+ {
+ int a;
+ char *decode;
+- size_t len;;
++ size_t len;
+
+ *pszEncoding = NULL;
+ /* Copy the comment */
+@@ -2632,11 +2632,11 @@ static int exif_process_user_comment(image_info_type *ImageInfo, char **pszInfoP
+ /* First try to detect BOM: ZERO WIDTH NOBREAK SPACE (FEFF 16)
+ * since we have no encoding support for the BOM yet we skip that.
+ */
+- if (!memcmp(szValuePtr, "\xFE\xFF", 2)) {
++ if (ByteCount >=2 && !memcmp(szValuePtr, "\xFE\xFF", 2)) {
+ decode = "UCS-2BE";
+ szValuePtr = szValuePtr+2;
+ ByteCount -= 2;
+- } else if (!memcmp(szValuePtr, "\xFF\xFE", 2)) {
++ } else if (ByteCount >=2 && !memcmp(szValuePtr, "\xFF\xFE", 2)) {
+ decode = "UCS-2LE";
+ szValuePtr = szValuePtr+2;
+ ByteCount -= 2;