summaryrefslogtreecommitdiffstats
path: root/php-bug78793.patch
blob: c34da4d09c4f3b13c1f7b19ad27daa55539f18a0 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
From 020d208284f3bfa87b3b983f59a6a2eb7d4dae87 Mon Sep 17 00:00:00 2001
From: Stanislav Malyshev <stas@php.net>
Date: Mon, 16 Dec 2019 01:14:38 -0800
Subject: [PATCH] Fix bug #78793

(cherry picked from commit c14eb8de974fc8a4d74f3515424c293bc7a40fba)
---
 NEWS                         |  4 ++++
 ext/exif/exif.c              |  5 +++--
 ext/exif/tests/bug78793.phpt | 12 ++++++++++++
 3 files changed, 19 insertions(+), 2 deletions(-)
 create mode 100644 ext/exif/tests/bug78793.phpt

diff --git a/NEWS b/NEWS
index 6477dd620f..20bbff880e 100644
--- a/NEWS
+++ b/NEWS
@@ -13,6 +13,10 @@ Backported from 7.2.26
   . Fixed bug #78863 (DirectoryIterator class silently truncates after a null
     byte). (CVE-2019-11045). (cmb)
 
+- EXIF:
+  . Fixed bug #78793 (Use-after-free in exif parsing under memory sanitizer).
+    (CVE-2019-11050). (Nikita)
+
 24 Oct 2019, PHP 7.1.33
 
 - FPM:
diff --git a/ext/exif/exif.c b/ext/exif/exif.c
index 77e4427b48..c9ebaa7b78 100644
--- a/ext/exif/exif.c
+++ b/ext/exif/exif.c
@@ -2821,8 +2821,9 @@ static int exif_process_IFD_in_MAKERNOTE(image_info_type *ImageInfo, char * valu
 	}
 
 	for (de=0;de<NumDirEntries;de++) {
-		if (!exif_process_IFD_TAG(ImageInfo, dir_start + 2 + 12 * de,
-								  offset_base, data_len, displacement, section_index, 0, maker_note->tag_table)) {
+		size_t offset = 2 + 12 * de;
+		if (!exif_process_IFD_TAG(ImageInfo, dir_start + offset,
+								  offset_base, data_len - offset, displacement, section_index, 0, maker_note->tag_table)) {
 			return FALSE;
 		}
 	}
diff --git a/ext/exif/tests/bug78793.phpt b/ext/exif/tests/bug78793.phpt
new file mode 100644
index 0000000000..033f255ace
--- /dev/null
+++ b/ext/exif/tests/bug78793.phpt
@@ -0,0 +1,12 @@
+--TEST--
+Bug #78793: Use-after-free in exif parsing under memory sanitizer
+--FILE--
+<?php
+$f = "ext/exif/tests/bug77950.tiff";
+for ($i = 0; $i < 10; $i++) {
+    @exif_read_data($f);
+}
+?>
+===DONE===
+--EXPECT--
+===DONE===