1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
|
From 75149a9a02d3bc44411a6e7ab35aee7110d053f3 Mon Sep 17 00:00:00 2001
From: Stanislav Malyshev <stas@php.net>
Date: Mon, 16 Dec 2019 00:10:39 -0800
Subject: [PATCH] Fixed bug #78910
(cherry picked from commit d348cfb96f2543565691010ade5e0346338be5a7)
---
NEWS | 2 ++
ext/exif/exif.c | 3 ++-
ext/exif/tests/bug78910.phpt | 17 +++++++++++++++++
3 files changed, 21 insertions(+), 1 deletion(-)
create mode 100644 ext/exif/tests/bug78910.phpt
diff --git a/NEWS b/NEWS
index 723cc69be6..ba237b8e33 100644
--- a/NEWS
+++ b/NEWS
@@ -16,6 +16,8 @@ Backported from 7.2.26
- EXIF:
. Fixed bug #78793 (Use-after-free in exif parsing under memory sanitizer).
(CVE-2019-11050). (Nikita)
+ . Fixed bug #78910 (Heap-buffer-overflow READ in exif). (CVE-2019-11047).
+ (Nikita)
Backported from 7.1.33
diff --git a/ext/exif/exif.c b/ext/exif/exif.c
index a7da928800..9e42a62812 100644
--- a/ext/exif/exif.c
+++ b/ext/exif/exif.c
@@ -2748,7 +2748,8 @@ static int exif_process_IFD_in_MAKERNOTE(image_info_type *ImageInfo, char * valu
continue;
if (maker_note->model && (!ImageInfo->model || strcmp(maker_note->model, ImageInfo->model)))
continue;
- if (maker_note->id_string && strncmp(maker_note->id_string, value_ptr, maker_note->id_string_len))
+ if (maker_note->id_string && value_len >= maker_note->id_string_len
+ && strncmp(maker_note->id_string, value_ptr, maker_note->id_string_len))
continue;
break;
}
diff --git a/ext/exif/tests/bug78910.phpt b/ext/exif/tests/bug78910.phpt
new file mode 100644
index 0000000000..f5b1c32c1b
--- /dev/null
+++ b/ext/exif/tests/bug78910.phpt
@@ -0,0 +1,17 @@
+--TEST--
+Bug #78910: Heap-buffer-overflow READ in exif (OSS-Fuzz #19044)
+--FILE--
+<?php
+
+var_dump(exif_read_data('data:image/jpg;base64,TU0AKgAAAAwgICAgAAIBDwAEAAAAAgAAACKSfCAgAAAAAEZVSklGSUxN'));
+
+?>
+--EXPECTF--
+Notice: exif_read_data(): Read from TIFF: tag(0x927C, MakerNote ): Illegal format code 0x2020, switching to BYTE in %s on line %d
+
+Warning: exif_read_data(): Process tag(x927C=MakerNote ): Illegal format code 0x2020, suppose BYTE in %s on line %d
+
+Warning: exif_read_data(): IFD data too short: 0x0000 offset 0x000C in %s on line %d
+
+Warning: exif_read_data(): Invalid TIFF file in %s on line %d
+bool(false)
From ec1dc05c2415f55507b5710dbeed9f0623c9b44d Mon Sep 17 00:00:00 2001
From: "Christoph M. Becker" <cmbecker69@gmx.de>
Date: Tue, 17 Dec 2019 15:26:04 +0100
Subject: [PATCH] Fix tests
---
ext/bcmath/tests/bug72093-win32.phpt | 2 +-
ext/bcmath/tests/bug75178-win32.phpt | 4 ++--
ext/exif/tests/bug76557.phpt | 2 +-
ext/exif/tests/bug78910.phpt | 8 ++++----
ext/spl/tests/bug54291.phpt | 2 +-
5 files changed, 9 insertions(+), 9 deletions(-)
diff --git a/ext/bcmath/tests/bug72093-win32.phpt b/ext/bcmath/tests/bug72093-win32.phpt
index a9b2077823..bcea8740b5 100644
--- a/ext/bcmath/tests/bug72093-win32.phpt
+++ b/ext/bcmath/tests/bug72093-win32.phpt
@@ -14,5 +14,5 @@ var_dump(bcpowmod(1, 1.2, 1, 1));
?>
--EXPECTF--
string(1) "1"
-string(3) "0.0"
bc math warning: non-zero scale in exponent
+string(3) "0.0"
diff --git a/ext/bcmath/tests/bug75178-win32.phpt b/ext/bcmath/tests/bug75178-win32.phpt
index bae590fb5b..c70e3aa810 100644
--- a/ext/bcmath/tests/bug75178-win32.phpt
+++ b/ext/bcmath/tests/bug75178-win32.phpt
@@ -14,8 +14,8 @@ var_dump(bcpowmod('4', '4', '3.1', 3));
?>
===DONE===
--EXPECT--
+bc math warning: non-zero scale in base
string(5) "1.000"
+bc math warning: non-zero scale in modulus
string(5) "1.000"
===DONE===
-bc math warning: non-zero scale in base
-bc math warning: non-zero scale in modulus
diff --git a/ext/exif/tests/bug76557.phpt b/ext/exif/tests/bug76557.phpt
index 4553b62772..8920de658a 100644
--- a/ext/exif/tests/bug76557.phpt
+++ b/ext/exif/tests/bug76557.phpt
@@ -70,7 +70,7 @@ Warning: exif_read_data(bug76557.jpg): Process tag(x3030=UndefinedTa): Illegal f
Warning: exif_read_data(bug76557.jpg): Process tag(x3030=UndefinedTa): Illegal format code 0x3030, suppose BYTE in %sbug76557.php on line %d
-Warning: exif_read_data(bug76557.jpg): Process tag(x3030=UndefinedTa): Illegal pointer offset(x30303030 + x30303030 = x60606060 > x00EE) in %sbug76557.php on line %d
+Warning: exif_read_data(bug76557.jpg): Process tag(x3030=UndefinedTa): Illegal pointer offset(x30303030 + x30303030 = x60606060 > %s) in %sbug76557.php on line %d
Warning: exif_read_data(bug76557.jpg): File structure corrupted in %sbug76557.php on line %d
diff --git a/ext/exif/tests/bug78910.phpt b/ext/exif/tests/bug78910.phpt
index f5b1c32c1b..7e40b82389 100644
--- a/ext/exif/tests/bug78910.phpt
+++ b/ext/exif/tests/bug78910.phpt
@@ -7,11 +7,11 @@ var_dump(exif_read_data('data:image/jpg;base64,TU0AKgAAAAwgICAgAAIBDwAEAAAAAgAAA
?>
--EXPECTF--
-Notice: exif_read_data(): Read from TIFF: tag(0x927C, MakerNote ): Illegal format code 0x2020, switching to BYTE in %s on line %d
+Notice: exif_read_data(jpg;base64,TU0AKgAAAAwgICAgAAIBDwAEAAAAAgAAACKSfCAgAAAAAEZVSklGSUxN): Read from TIFF: tag(0x927C, MakerNote ): Illegal format code 0x2020, switching to BYTE in %s on line %d
-Warning: exif_read_data(): Process tag(x927C=MakerNote ): Illegal format code 0x2020, suppose BYTE in %s on line %d
+Warning: exif_read_data(jpg;base64,TU0AKgAAAAwgICAgAAIBDwAEAAAAAgAAACKSfCAgAAAAAEZVSklGSUxN): Process tag(x927C=MakerNote ): Illegal format code 0x2020, suppose BYTE in %s on line %d
-Warning: exif_read_data(): IFD data too short: 0x0000 offset 0x000C in %s on line %d
+Warning: exif_read_data(jpg;base64,TU0AKgAAAAwgICAgAAIBDwAEAAAAAgAAACKSfCAgAAAAAEZVSklGSUxN): IFD data too short: 0x0000 offset 0x000C in %s on line %d
-Warning: exif_read_data(): Invalid TIFF file in %s on line %d
+Warning: exif_read_data(jpg;base64,TU0AKgAAAAwgICAgAAIBDwAEAAAAAgAAACKSfCAgAAAAAEZVSklGSUxN): Invalid TIFF file in %s on line %d
bool(false)
diff --git a/ext/spl/tests/bug54291.phpt b/ext/spl/tests/bug54291.phpt
index c0119c4360..5e4a5a0607 100644
--- a/ext/spl/tests/bug54291.phpt
+++ b/ext/spl/tests/bug54291.phpt
@@ -5,7 +5,7 @@ Bug #54291 (Crash iterating DirectoryIterator for dir name starting with \0)
$dir = new DirectoryIterator("\x00/abc");
$dir->isFile();
--EXPECTF--
-Fatal error: Uncaught UnexpectedValueException: Failed to open directory "" in %s:%d
+Fatal error: Uncaught UnexpectedValueException: DirectoryIterator::__construct() expects parameter 1 to be a valid path, string given in %s:%d
Stack trace:
#0 %s(%d): DirectoryIterator->__construct('\x00/abc')
#1 {main}
|