summaryrefslogtreecommitdiffstats
path: root/php-bug77831.patch
diff options
context:
space:
mode:
Diffstat (limited to 'php-bug77831.patch')
-rw-r--r--php-bug77831.patch232
1 files changed, 232 insertions, 0 deletions
diff --git a/php-bug77831.patch b/php-bug77831.patch
new file mode 100644
index 0000000..afef6df
--- /dev/null
+++ b/php-bug77831.patch
@@ -0,0 +1,232 @@
+Without test as binary patch are not supported
+
+
+
+From b325c4632c6a2016109c9f53397ef4356bb47bcf Mon Sep 17 00:00:00 2001
+From: Stanislav Malyshev <stas@php.net>
+Date: Tue, 2 Apr 2019 00:12:26 -0700
+Subject: [PATCH] Fixed bug #77831 - Heap-buffer-overflow in exif_iif_add_value
+ in EXIF
+
+(cherry picked from commit 887a7b571407f7a49a5e7cf1e612d21ef83fedb4)
+---
+ NEWS | 4 ++++
+ ext/exif/exif.c | 43 +++++++++++++++++++++++------------
+ ext/exif/tests/bug77831.phpt | 13 +++++++++++
+ ext/exif/tests/bug77831.tiff | Bin 0 -> 49 bytes
+ 4 files changed, 45 insertions(+), 15 deletions(-)
+ create mode 100644 ext/exif/tests/bug77831.phpt
+ create mode 100644 ext/exif/tests/bug77831.tiff
+
+diff --git a/NEWS b/NEWS
+index 4ab4ddb5cd..a49afe2411 100644
+--- a/NEWS
++++ b/NEWS
+@@ -3,6 +3,10 @@ PHP NEWS
+
+ Backported from 7.1.28
+
++- EXIF:
++ . Fixed bug #77753 (Heap-buffer-overflow in php_ifd_get32s). (Stas)
++ . Fixed bug #77831 (Heap-buffer-overflow in exif_iif_add_value). (Stas)
++
+ - SQLite3:
+ . Added sqlite3.defensive INI directive. (BohwaZ)
+
+diff --git a/ext/exif/exif.c b/ext/exif/exif.c
+index cd6b824d38..fc6ee852fa 100644
+--- a/ext/exif/exif.c
++++ b/ext/exif/exif.c
+@@ -1654,10 +1654,10 @@ static int exif_file_sections_free(image_info_type *ImageInfo)
+ /* {{{ exif_iif_add_value
+ Add a value to image_info
+ */
+-static void exif_iif_add_value(image_info_type *image_info, int section_index, char *name, int tag, int format, int length, void* value, int motorola_intel)
++static void exif_iif_add_value(image_info_type *image_info, int section_index, char *name, int tag, int format, int length, void* value, size_t value_len, int motorola_intel)
+ {
+ size_t idex;
+- void *vptr;
++ void *vptr, *vptr_end;
+ image_info_value *info_value;
+ image_info_data *info_data;
+ image_info_data *list;
+@@ -1679,8 +1679,12 @@ static void exif_iif_add_value(image_info_type *image_info, int section_index, c
+
+ switch (format) {
+ case TAG_FMT_STRING:
++ if (length > value_len) {
++ exif_error_docref("exif_iif_add_value" EXIFERR_CC, image_info, E_WARNING, "length > value_len: %d > %zu", length, value_len);
++ value = NULL;
++ }
+ if (value) {
+- length = php_strnlen(value, length);
++ length = (int)php_strnlen(value, length);
+ info_value->s = estrndup(value, length);
+ info_data->length = length;
+ } else {
+@@ -1702,6 +1706,10 @@ static void exif_iif_add_value(image_info_type *image_info, int section_index, c
+ if (!length)
+ break;
+ case TAG_FMT_UNDEFINED:
++ if (length > value_len) {
++ exif_error_docref("exif_iif_add_value" EXIFERR_CC, image_info, E_WARNING, "length > value_len: %d > %zu", length, value_len);
++ value = NULL;
++ }
+ if (value) {
+ if (tag == TAG_MAKER_NOTE) {
+ length = (int) php_strnlen(value, length);
+@@ -1732,7 +1740,12 @@ static void exif_iif_add_value(image_info_type *image_info, int section_index, c
+ } else {
+ info_value = &info_data->value;
+ }
++ vptr_end = value+value_len;
+ for (idex=0,vptr=value; idex<(size_t)length; idex++,vptr=(char *) vptr + php_tiff_bytes_per_format[format]) {
++ if (vptr_end - vptr < php_tiff_bytes_per_format[format]) {
++ exif_error_docref("exif_iif_add_value" EXIFERR_CC, image_info, E_WARNING, "Value too short");
++ break;
++ }
+ if (length>1) {
+ info_value = &info_data->value.list[idex];
+ }
+@@ -1768,7 +1781,7 @@ static void exif_iif_add_value(image_info_type *image_info, int section_index, c
+ php_error_docref(NULL, E_WARNING, "Found value of type single");
+ #endif
+ info_value->f = *(float *)value;
+-
++ break;
+ case TAG_FMT_DOUBLE:
+ #ifdef EXIF_DEBUG
+ php_error_docref(NULL, E_WARNING, "Found value of type double");
+@@ -1786,9 +1799,9 @@ static void exif_iif_add_value(image_info_type *image_info, int section_index, c
+ /* {{{ exif_iif_add_tag
+ Add a tag from IFD to image_info
+ */
+-static void exif_iif_add_tag(image_info_type *image_info, int section_index, char *name, int tag, int format, size_t length, void* value)
++static void exif_iif_add_tag(image_info_type *image_info, int section_index, char *name, int tag, int format, size_t length, void* value, size_t value_len)
+ {
+- exif_iif_add_value(image_info, section_index, name, tag, format, (int)length, value, image_info->motorola_intel);
++ exif_iif_add_value(image_info, section_index, name, tag, format, (int)length, value, value_len, image_info->motorola_intel);
+ }
+ /* }}} */
+
+@@ -2209,7 +2222,7 @@ static void add_assoc_image_info(zval *value, int sub_array, image_info_type *im
+ */
+ static void exif_process_COM (image_info_type *image_info, char *value, size_t length)
+ {
+- exif_iif_add_tag(image_info, SECTION_COMMENT, "Comment", TAG_COMPUTED_VALUE, TAG_FMT_STRING, length-2, value+2);
++ exif_iif_add_tag(image_info, SECTION_COMMENT, "Comment", TAG_COMPUTED_VALUE, TAG_FMT_STRING, length-2, value+2, length-2);
+ }
+ /* }}} */
+
+@@ -2224,17 +2237,17 @@ static void exif_process_CME (image_info_type *image_info, char *value, size_t l
+ if (length>3) {
+ switch(value[2]) {
+ case 0:
+- exif_iif_add_tag(image_info, SECTION_COMMENT, "Comment", TAG_COMPUTED_VALUE, TAG_FMT_UNDEFINED, length, value);
++ exif_iif_add_tag(image_info, SECTION_COMMENT, "Comment", TAG_COMPUTED_VALUE, TAG_FMT_UNDEFINED, length, value), length;
+ break;
+ case 1:
+- exif_iif_add_tag(image_info, SECTION_COMMENT, "Comment", TAG_COMPUTED_VALUE, TAG_FMT_STRING, length, value);
++ exif_iif_add_tag(image_info, SECTION_COMMENT, "Comment", TAG_COMPUTED_VALUE, TAG_FMT_STRING, length, value, length);
+ break;
+ default:
+ php_error_docref(NULL, E_NOTICE, "Undefined JPEG2000 comment encoding");
+ break;
+ }
+ } else {
+- exif_iif_add_tag(image_info, SECTION_COMMENT, "Comment", TAG_COMPUTED_VALUE, TAG_FMT_UNDEFINED, 0, NULL);
++ exif_iif_add_tag(image_info, SECTION_COMMENT, "Comment", TAG_COMPUTED_VALUE, TAG_FMT_UNDEFINED, 0, NULL, 0);
+ php_error_docref(NULL, E_NOTICE, "JPEG2000 comment section too small");
+ }
+ }
+@@ -2826,7 +2839,7 @@ static int exif_process_IFD_in_MAKERNOTE(image_info_type *ImageInfo, char * valu
+ static int exif_process_IFD_TAG(image_info_type *ImageInfo, char *dir_entry, char *offset_base, size_t IFDlength, size_t displacement, int section_index, int ReadNextIFD, tag_table_type tag_table)
+ {
+ size_t length;
+- int tag, format, components;
++ unsigned int tag, format, components;
+ char *value_ptr, tagname[64], cbuf[32], *outside=NULL;
+ size_t byte_count, offset_val, fpos, fgot;
+ int64_t byte_count_signed;
+@@ -3137,7 +3150,7 @@ static int exif_process_IFD_TAG(image_info_type *ImageInfo, char *dir_entry, cha
+ }
+ }
+ }
+- exif_iif_add_tag(ImageInfo, section_index, exif_get_tagname(tag, tagname, sizeof(tagname), tag_table), tag, format, components, value_ptr);
++ exif_iif_add_tag(ImageInfo, section_index, exif_get_tagname(tag, tagname, sizeof(tagname), tag_table), tag, format, components, value_ptr, byte_count);
+ EFREE_IF(outside);
+ return TRUE;
+ }
+@@ -3295,10 +3308,10 @@ static void exif_process_APP12(image_info_type *ImageInfo, char *buffer, size_t
+ size_t l1, l2=0;
+
+ if ((l1 = php_strnlen(buffer+2, length-2)) > 0) {
+- exif_iif_add_tag(ImageInfo, SECTION_APP12, "Company", TAG_NONE, TAG_FMT_STRING, l1, buffer+2);
++ exif_iif_add_tag(ImageInfo, SECTION_APP12, "Company", TAG_NONE, TAG_FMT_STRING, l1, buffer+2, l1);
+ if (length > 2+l1+1) {
+ l2 = php_strnlen(buffer+2+l1+1, length-2-l1-1);
+- exif_iif_add_tag(ImageInfo, SECTION_APP12, "Info", TAG_NONE, TAG_FMT_STRING, l2, buffer+2+l1+1);
++ exif_iif_add_tag(ImageInfo, SECTION_APP12, "Info", TAG_NONE, TAG_FMT_STRING, l2, buffer+2+l1+1, l2);
+ }
+ }
+ #ifdef EXIF_DEBUG
+@@ -4099,7 +4112,7 @@ PHP_FUNCTION(exif_read_data)
+ if (ImageInfo.Thumbnail.size) {
+ if (read_thumbnail) {
+ /* not exif_iif_add_str : this is a buffer */
+- exif_iif_add_tag(&ImageInfo, SECTION_THUMBNAIL, "THUMBNAIL", TAG_NONE, TAG_FMT_UNDEFINED, ImageInfo.Thumbnail.size, ImageInfo.Thumbnail.data);
++ exif_iif_add_tag(&ImageInfo, SECTION_THUMBNAIL, "THUMBNAIL", TAG_NONE, TAG_FMT_UNDEFINED, ImageInfo.Thumbnail.size, ImageInfo.Thumbnail.data, ImageInfo.Thumbnail.size);
+ }
+ if (!ImageInfo.Thumbnail.width || !ImageInfo.Thumbnail.height) {
+ /* try to evaluate if thumbnail data is present */
+From 1f9f1ad6e55d784fd0c6842c3925117247858b8e Mon Sep 17 00:00:00 2001
+From: Remi Collet <remi@remirepo.net>
+Date: Tue, 2 Apr 2019 11:03:40 +0200
+Subject: [PATCH] fix paste issue
+
+---
+ ext/exif/exif.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/ext/exif/exif.c b/ext/exif/exif.c
+index fc6ee852fa..a1c49e937d 100644
+--- a/ext/exif/exif.c
++++ b/ext/exif/exif.c
+@@ -2237,7 +2237,7 @@ static void exif_process_CME (image_info_type *image_info, char *value, size_t l
+ if (length>3) {
+ switch(value[2]) {
+ case 0:
+- exif_iif_add_tag(image_info, SECTION_COMMENT, "Comment", TAG_COMPUTED_VALUE, TAG_FMT_UNDEFINED, length, value), length;
++ exif_iif_add_tag(image_info, SECTION_COMMENT, "Comment", TAG_COMPUTED_VALUE, TAG_FMT_UNDEFINED, length, value, length);
+ break;
+ case 1:
+ exif_iif_add_tag(image_info, SECTION_COMMENT, "Comment", TAG_COMPUTED_VALUE, TAG_FMT_STRING, length, value, length);
+From e96f513c13926f2e027949c343a93c534f155b6e Mon Sep 17 00:00:00 2001
+From: "Christoph M. Becker" <cmbecker69@gmx.de>
+Date: Tue, 2 Apr 2019 10:37:40 +0200
+Subject: [PATCH] Pointer arithmetic on void pointers is illegal
+
+We quick-fix this by casting to char*; it might be more appropriate to
+use char pointers in the first place.
+
+(cherry picked from commit 01a4de5c5821f67daeff487ef9b3047ce7b47c4c)
+---
+ ext/exif/exif.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/ext/exif/exif.c b/ext/exif/exif.c
+index a1c49e937d..0e490abd1b 100644
+--- a/ext/exif/exif.c
++++ b/ext/exif/exif.c
+@@ -1740,9 +1740,9 @@ static void exif_iif_add_value(image_info_type *image_info, int section_index, c
+ } else {
+ info_value = &info_data->value;
+ }
+- vptr_end = value+value_len;
++ vptr_end = (char *) value + value_len;
+ for (idex=0,vptr=value; idex<(size_t)length; idex++,vptr=(char *) vptr + php_tiff_bytes_per_format[format]) {
+- if (vptr_end - vptr < php_tiff_bytes_per_format[format]) {
++ if ((char *) vptr_end - (char *) vptr < php_tiff_bytes_per_format[format]) {
+ exif_error_docref("exif_iif_add_value" EXIFERR_CC, image_info, E_WARNING, "Value too short");
+ break;
+ }
generated by cgit (git 2.34.1) at 2024-04-26 09:22:47 +0000