blob: 77dbc10e656ea8cdf93e998c61fd7853244499d4 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
|
Without test as binary patch not supported
From 205b94a281839a91d805af27b997331e76029a4b Mon Sep 17 00:00:00 2001
From: Stanislav Malyshev <stas@php.net>
Date: Mon, 27 May 2019 17:16:29 -0700
Subject: [PATCH] Fix bug #77988 - heap-buffer-overflow on php_jpg_get16
(cherry picked from commit 73ff4193be24192c894dc0502d06e2b2db35eefb)
---
NEWS | 16 +++++++++++++++-
ext/exif/exif.c | 2 ++
ext/exif/tests/bug77988.jpg | Bin 0 -> 1202 bytes
ext/exif/tests/bug77988.phpt | 11 +++++++++++
4 files changed, 28 insertions(+), 1 deletion(-)
create mode 100644 ext/exif/tests/bug77988.jpg
create mode 100644 ext/exif/tests/bug77988.phpt
diff --git a/NEWS b/NEWS
index ebcd60c4be..b6e18aa242 100644
--- a/NEWS
+++ b/NEWS
@@ -1,6 +1,20 @@
PHP NEWS
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
+Backported from 7.1.30
+
+- EXIF:
+ . Fixed bug #77988 (heap-buffer-overflow on php_jpg_get16).
+ (CVE-2019-11040) (Stas)
+
+- GD:
+ . Fixed bug #77973 (Uninitialized read in gdImageCreateFromXbm).
+ (CVE-2019-11038) (cmb)
+
+- Iconv:
+ . Fixed bug #78069 (Out-of-bounds read in iconv.c:_php_iconv_mime_decode()
+ due to integer overflow). (CVE-2019-11039). (maris dot adam)
+
Backported from 7.1.29
- EXIF
diff --git a/ext/exif/exif.c b/ext/exif/exif.c
index a9df95d554..dd7d268bbd 100644
--- a/ext/exif/exif.c
+++ b/ext/exif/exif.c
@@ -3525,6 +3525,8 @@ static int exif_scan_thumbnail(image_info_type *ImageInfo)
if (c == 0xFF)
return FALSE;
marker = c;
+ if (pos>=ImageInfo->Thumbnail.size)
+ return FALSE;
length = php_jpg_get16(data+pos);
if (length > ImageInfo->Thumbnail.size || pos >= ImageInfo->Thumbnail.size - length) {
return FALSE;
|
