-rw-r--r--bug72735.patch84
-rw-r--r--php.spec9
2 files changed, 91 insertions, 2 deletions
diff --git a/bug72735.patch b/bug72735.patch
new file mode 100644
index 0000000..eaa7e78
--- /dev/null
+++ b/bug72735.patch
@@ -0,0 +1,84 @@
+From d5796fb298abb2a3e389818ad924589fa35e58b9 Mon Sep 17 00:00:00 2001
+From: Kalle Sommer Nielsen <kalle@php.net>
+Date: Wed, 3 Aug 2016 17:05:31 +0200
+Subject: [PATCH] Changed the way MAKERNOTE is handled in case we do not have a
+ matching signature (Remi).
+
+Before this patch, exif_process_IFD_in_MAKERNOTE() would return false, then causing the rest of the EXIF parsing to be interrupted. This is a regression from earlier which was most likely a part of a security fix for MAKERNOTE.
+
+The new behavior is to instead of stopping to parse, to continue so we can still fetch data like thumbnail and GPS, thrus allowing yet unsupported formats to parse. If EXIF's debugging mode is enabled, a notice will display in case we do not match against a valid MAKERNOTE signature.
+
+This should temporarily fix bug #72682 (exif_read_data() fails to read all data for some images) until I get around to debug it further.
+
+(cherry picked from commit aabcb5481d9e717df77192dab2894468b9fc63b4)
+---
+ ext/exif/exif.c | 14 ++++++++++++--
+ 1 file changed, 12 insertions(+), 2 deletions(-)
+
+diff --git a/ext/exif/exif.c b/ext/exif/exif.c
+index 5564de4..94652e9 100644
+--- a/ext/exif/exif.c
++++ b/ext/exif/exif.c
+@@ -1718,6 +1718,10 @@ static void exif_iif_add_value(image_info_type *image_info, int section_index, c
+ if (!length)
+ break;
+ case TAG_FMT_UNDEFINED:
++ if (tag == TAG_MAKER_NOTE) {
++ length = MIN(length, strlen(value));
++ }
++
+ if (value) {
+ /* do not recompute length here */
+ info_value->s = estrndup(value, length);
+@@ -2733,8 +2737,14 @@ static int exif_process_IFD_in_MAKERNOTE(image_info_type *ImageInfo, char * valu
+ char *dir_start;
+
+ for (i=0; i<=sizeof(maker_note_array)/sizeof(maker_note_type); i++) {
+- if (i==sizeof(maker_note_array)/sizeof(maker_note_type))
+- return FALSE;
++ if (i==sizeof(maker_note_array)/sizeof(maker_note_type)) {
++#ifdef EXIF_DEBUG
++ exif_error_docref(NULL EXIFERR_CC, ImageInfo, E_NOTICE, "No maker note data found. Detected maker: %s (length = %d)", ImageInfo->make, strlen(ImageInfo->make));
++#endif
++ /* unknown manufacturer, not an error, use it as a string */
++ return TRUE;
++ }
++
+ maker_note = maker_note_array+i;
+
+ /*exif_error_docref(NULL EXIFERR_CC, ImageInfo, E_NOTICE, "check (%s,%s)", maker_note->make?maker_note->make:"", maker_note->model?maker_note->model:"");*/
+--
+2.1.4
+
+From 9667ee4f72c7dafce993b71104a52beb7c3aff15 Mon Sep 17 00:00:00 2001
+From: Anatol Belski <ab@php.net>
+Date: Wed, 3 Aug 2016 18:26:29 +0200
+Subject: [PATCH] improve the check, avoid strlen on NULL
+
+---
+ ext/exif/exif.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/ext/exif/exif.c b/ext/exif/exif.c
+index 94652e9..f95de3a 100644
+--- a/ext/exif/exif.c
++++ b/ext/exif/exif.c
+@@ -1718,11 +1718,11 @@ static void exif_iif_add_value(image_info_type *image_info, int section_index, c
+ if (!length)
+ break;
+ case TAG_FMT_UNDEFINED:
+- if (tag == TAG_MAKER_NOTE) {
+- length = MIN(length, strlen(value));
+- }
+-
+ if (value) {
++ if (tag == TAG_MAKER_NOTE) {
++ length = MIN(length, strlen(value));
++ }
++
+ /* do not recompute length here */
+ info_value->s = estrndup(value, length);
+ info_data->length = length;
+--
+2.1.4
+
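Review bot: In the final state of `exif_iif_add_value` (second embedded patch, `length = MIN(length, strlen(value));` under `if (value)`), `strlen` scans `value` with no bound, so a maker note with no NUL byte inside its `length` bytes is read past the end of the data before `MIN` is applied. Bounding the scan to the declared length avoids that, for example `const char *nul = memchr(value, '\0', length); if (nul) length = (int)(nul - value);`, assuming `length` is a non-negative int at this point (its declaration is outside the hunk). The debug notice added in `exif_process_IFD_in_MAKERNOTE` also calls `strlen(ImageInfo->make)` without a NULL test and prints a `size_t` through `%d`. If `make` can be unset when no Make tag was read, `ImageInfo->make ? ImageInfo->make : ""` with the length cast to `int` would cover both. Both functions start and end outside the quoted hunks.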
diff --git a/php.spec b/php.spec
index 2716597..f6060b0 100644
--- a/php.spec
+++ b/php.spec
@@ -119,7 +119,7 @@
Summary: PHP scripting language for creating dynamic web sites
Name: %{?scl_prefix}php
Version: 5.4.45
-Release: 11%{?dist}
+Release: 11%{?dist}.1
# All files licensed under PHP version 3.01, except
# Zend is licensed under Zend
# TSRM is licensed under BSD
@@ -236,6 +236,7 @@ Patch252: bug72606.patch
Patch253: bug72613.patch
Patch254: bug72618.patch
Patch255: bug72519.patch
+Patch256: bug72735.patch
# Fixes for tests (300+)
# Backported from 5.5
@@ -929,8 +930,9 @@ support for using the enchant library to PHP.
%patch253 -p1 -b .bug72613
%patch254 -p1 -b .bug72618
%patch255 -p1 -b .bug72519
+%patch256 -p1 -b .bug72735
: ------------------------
-# exit 1
+#exit 1
# Fixes for tests
%patch300 -p1 -b .datetests1
@@ -1759,6 +1761,9 @@ EOF
%changelog
+* Fri Aug 5 2016 Remi Collet <remi@fedoraproject.org> 5.4.45-11.1
+- fix #72735 regression in exif maker note parser
+
* Fri Jul 22 2016 Remi Collet <remi@fedoraproject.org> 5.4.45-11
- Fix #70480: php_url_parse_ex() buffer overflow read
CVE-2016-6288