1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
|
From e5c13f8716507a1210bd0ed6550c3b29fb8b2117 Mon Sep 17 00:00:00 2001
From: Stanislav Malyshev <stas@php.net>
Date: Mon, 16 Dec 2019 00:10:39 -0800
Subject: [PATCH] Fixed bug #78910
(cherry picked from commit d348cfb96f2543565691010ade5e0346338be5a7)
---
NEWS | 2 ++
ext/exif/exif.c | 3 ++-
ext/exif/tests/bug78910.phpt | 17 +++++++++++++++++
3 files changed, 21 insertions(+), 1 deletion(-)
create mode 100644 ext/exif/tests/bug78910.phpt
diff --git a/NEWS b/NEWS
index 20bbff880e..25d352f784 100644
--- a/NEWS
+++ b/NEWS
@@ -16,6 +16,8 @@ Backported from 7.2.26
- EXIF:
. Fixed bug #78793 (Use-after-free in exif parsing under memory sanitizer).
(CVE-2019-11050). (Nikita)
+ . Fixed bug #78910 (Heap-buffer-overflow READ in exif). (CVE-2019-11047).
+ (Nikita)
24 Oct 2019, PHP 7.1.33
diff --git a/ext/exif/exif.c b/ext/exif/exif.c
index c9ebaa7b78..406fee4ff4 100644
--- a/ext/exif/exif.c
+++ b/ext/exif/exif.c
@@ -2749,7 +2749,8 @@ static int exif_process_IFD_in_MAKERNOTE(image_info_type *ImageInfo, char * valu
continue;
if (maker_note->model && (!ImageInfo->model || strcmp(maker_note->model, ImageInfo->model)))
continue;
- if (maker_note->id_string && strncmp(maker_note->id_string, value_ptr, maker_note->id_string_len))
+ if (maker_note->id_string && value_len >= maker_note->id_string_len
+ && strncmp(maker_note->id_string, value_ptr, maker_note->id_string_len))
continue;
break;
}
diff --git a/ext/exif/tests/bug78910.phpt b/ext/exif/tests/bug78910.phpt
new file mode 100644
index 0000000000..f5b1c32c1b
--- /dev/null
+++ b/ext/exif/tests/bug78910.phpt
@@ -0,0 +1,17 @@
+--TEST--
+Bug #78910: Heap-buffer-overflow READ in exif (OSS-Fuzz #19044)
+--FILE--
+<?php
+
+var_dump(exif_read_data('data:image/jpg;base64,TU0AKgAAAAwgICAgAAIBDwAEAAAAAgAAACKSfCAgAAAAAEZVSklGSUxN'));
+
+?>
+--EXPECTF--
+Notice: exif_read_data(): Read from TIFF: tag(0x927C, MakerNote ): Illegal format code 0x2020, switching to BYTE in %s on line %d
+
+Warning: exif_read_data(): Process tag(x927C=MakerNote ): Illegal format code 0x2020, suppose BYTE in %s on line %d
+
+Warning: exif_read_data(): IFD data too short: 0x0000 offset 0x000C in %s on line %d
+
+Warning: exif_read_data(): Invalid TIFF file in %s on line %d
+bool(false)
From 0d68020ffa1eef58df2bf845f8638646e840a86f Mon Sep 17 00:00:00 2001
From: Remi Collet <remi@remirepo.net>
Date: Tue, 17 Dec 2019 15:07:18 +0100
Subject: [PATCH] relax tests
---
ext/exif/tests/bug76557.phpt | 2 +-
ext/exif/tests/bug78910.phpt | 8 ++++----
ext/spl/tests/bug54291.phpt | 2 +-
3 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/ext/exif/tests/bug76557.phpt b/ext/exif/tests/bug76557.phpt
index 4553b62772..08bd2d73a7 100644
--- a/ext/exif/tests/bug76557.phpt
+++ b/ext/exif/tests/bug76557.phpt
@@ -70,7 +70,7 @@ Warning: exif_read_data(bug76557.jpg): Process tag(x3030=UndefinedTa): Illegal f
Warning: exif_read_data(bug76557.jpg): Process tag(x3030=UndefinedTa): Illegal format code 0x3030, suppose BYTE in %sbug76557.php on line %d
-Warning: exif_read_data(bug76557.jpg): Process tag(x3030=UndefinedTa): Illegal pointer offset(x30303030 + x30303030 = x60606060 > x00EE) in %sbug76557.php on line %d
+Warning: exif_read_data(bug76557.jpg): Process tag(x3030=UndefinedTa): Illegal pointer offset(x30303030 + x30303030 = x60606060 > x%s) in %sbug76557.php on line %d
Warning: exif_read_data(bug76557.jpg): File structure corrupted in %sbug76557.php on line %d
diff --git a/ext/exif/tests/bug78910.phpt b/ext/exif/tests/bug78910.phpt
index f5b1c32c1b..7770df5129 100644
--- a/ext/exif/tests/bug78910.phpt
+++ b/ext/exif/tests/bug78910.phpt
@@ -7,11 +7,11 @@ var_dump(exif_read_data('data:image/jpg;base64,TU0AKgAAAAwgICAgAAIBDwAEAAAAAgAAA
?>
--EXPECTF--
-Notice: exif_read_data(): Read from TIFF: tag(0x927C, MakerNote ): Illegal format code 0x2020, switching to BYTE in %s on line %d
+Notice: exif_read_data(%s): Read from TIFF: tag(0x927C, MakerNote ): Illegal format code 0x2020, switching to BYTE in %s on line %d
-Warning: exif_read_data(): Process tag(x927C=MakerNote ): Illegal format code 0x2020, suppose BYTE in %s on line %d
+Warning: exif_read_data(%s): Process tag(x927C=MakerNote ): Illegal format code 0x2020, suppose BYTE in %s on line %d
-Warning: exif_read_data(): IFD data too short: 0x0000 offset 0x000C in %s on line %d
+Warning: exif_read_data(%s): IFD data too short: 0x0000 offset 0x000C in %s on line %d
-Warning: exif_read_data(): Invalid TIFF file in %s on line %d
+Warning: exif_read_data(%s): Invalid TIFF file in %s on line %d
bool(false)
diff --git a/ext/spl/tests/bug54291.phpt b/ext/spl/tests/bug54291.phpt
index b15a3723d4..655291fde4 100644
--- a/ext/spl/tests/bug54291.phpt
+++ b/ext/spl/tests/bug54291.phpt
@@ -5,7 +5,7 @@ Bug #54291 (Crash iterating DirectoryIterator for dir name starting with \0)
$dir = new DirectoryIterator("\x00/abc");
$dir->isFile();
--EXPECTF--
-Fatal error: Uncaught UnexpectedValueException: Failed to open directory "" in %s:%d
+Fatal error: Uncaught UnexpectedValueException: %s in %s:%d
Stack trace:
#0 %s(%d): DirectoryIterator->__construct('\x00/abc')
#1 {main}
|
