File php-CVE-2018-14851.patch of Package php7

X-Git-Url: http://208.43.231.11:8000/?p=php-src.git;a=blobdiff_plain;f=ext%2Fexif%2Fexif.c;h=cad29b729548e4206f0697710cc9e177f26fdff3;hp=1147980f7730de0dfd13904a2ea6461bbf4eded8;hb=3462efa386f26d343062094514af604c29e3edce;hpb=1baeae42703f9b2ec21fff787146eeca08d45535

Index: php-7.2.5/ext/exif/exif.c
===================================================================
--- php-7.2.5.orig/ext/exif/exif.c	2018-08-04 09:18:43.566167854 +0200
+++ php-7.2.5/ext/exif/exif.c	2018-08-04 09:25:27.280266346 +0200
@@ -3126,6 +3126,7 @@ static int exif_process_IFD_in_MAKERNOTE
 #endif
 	const maker_note_type *maker_note;
 	char *dir_start;
+        int data_len;
 	
 	for (i=0; i<=sizeof(maker_note_array)/sizeof(maker_note_type); i++) {
 		if (i==sizeof(maker_note_array)/sizeof(maker_note_type)) {
@@ -3180,6 +3181,7 @@ static int exif_process_IFD_in_MAKERNOTE
 	switch (maker_note->offset_mode) {
 		case MN_OFFSET_MAKER:
 			offset_base = value_ptr;
+			data_len = value_len;
 			break;
 #ifdef KALLE_0
 		case MN_OFFSET_GUESS:
@@ -3197,6 +3199,7 @@ static int exif_process_IFD_in_MAKERNOTE
 				return FALSE;
 			}
 			offset_base = value_ptr + offset_diff;
+			data_len = value_len - offset_diff;
 			break;
 #endif
 		default:
@@ -3211,7 +3214,7 @@ static int exif_process_IFD_in_MAKERNOTE
 
 	for (de=0;de<NumDirEntries;de++) {
 		if (!exif_process_IFD_TAG(ImageInfo, dir_start + 2 + 12 * de,
-								  offset_base, IFDlength, displacement, section_index, 0, maker_note->tag_table)) {
+								  offset_base, data_len, displacement, section_index, 0, maker_note->tag_table)) {
 			return FALSE;
 		}
 	}
openSUSE Build Service is sponsored by