File php-CVE-2018-14851.patch of Package php7.16741
Index: php-7.0.7/ext/exif/exif.c
===================================================================
--- php-7.0.7.orig/ext/exif/exif.c 2018-08-04 09:29:09.865429440 +0200
+++ php-7.0.7/ext/exif/exif.c 2018-08-04 09:29:41.833597417 +0200
@@ -2712,6 +2712,7 @@ static int exif_process_IFD_in_MAKERNOTE
int NumDirEntries, old_motorola_intel, offset_diff;
const maker_note_type *maker_note;
char *dir_start;
+ int data_len;
for (i=0; i<=sizeof(maker_note_array)/sizeof(maker_note_type); i++) {
if (i==sizeof(maker_note_array)/sizeof(maker_note_type))
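Review bot: `data_len` is declared without an initializer here, and the later hunks assign it only in the `MN_OFFSET_MAKER` and `MN_OFFSET_GUESS` branches, so on the `default`/`MN_OFFSET_NORMAL` path it may reach the `exif_process_IFD_TAG` call unset. That branch's body lies outside the visible hunks, so this needs confirming against the full function. If the branch only breaks, the bound this patch introduces would be an indeterminate value for MakerNotes parsed in normal offset mode. Give the branch an explicit assignment that matches the buffer `offset_base` still refers to there, for example `data_len = IFDlength;` (with a range check if the types differ). A blanket `= 0` initializer would not be a substitute, as it would presumably reject every tag on that path.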
@@ -2760,6 +2761,7 @@ static int exif_process_IFD_in_MAKERNOTE
switch (maker_note->offset_mode) {
case MN_OFFSET_MAKER:
offset_base = value_ptr;
+ data_len = value_len;
break;
case MN_OFFSET_GUESS:
if (maker_note->offset + 10 + 4 >= value_len) {
@@ -2776,6 +2778,7 @@ static int exif_process_IFD_in_MAKERNOTE
return FALSE;
}
offset_base = value_ptr + offset_diff;
+ data_len = value_len - offset_diff;
break;
default:
case MN_OFFSET_NORMAL:
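Review bot: `data_len = value_len - offset_diff` is a signed `int` that replaces `IFDlength` in the call further down, so its safety rests entirely on the range check ending in the `return FALSE;` above, whose condition is outside this hunk. If that check admits `offset_diff > value_len`, or `value_len` itself can be negative, the result goes negative. Assuming the callee's length parameter is unsigned, it would then become a very large bound and defeat the fix. State the invariant next to the assignment, e.g. `/* offset_diff is in [0, value_len) here, so data_len > 0 */`, or enforce it directly with `if (data_len <= 0) return FALSE;` right after this line.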
@@ -2789,7 +2792,7 @@ static int exif_process_IFD_in_MAKERNOTE
for (de=0;de<NumDirEntries;de++) {
if (!exif_process_IFD_TAG(ImageInfo, dir_start + 2 + 12 * de,
- offset_base, IFDlength, displacement, section_index, 0, maker_note->tag_table)) {
+ offset_base, data_len, displacement, section_index, 0, maker_note->tag_table)) {
return FALSE;
}
}
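Review bot: The bound passed to `exif_process_IFD_TAG` now means something different per offset mode, and nothing at the call site records that. A short comment above the loop would keep a later cleanup from restoring `IFDlength`: `/* data_len is the number of bytes addressable from offset_base, which may have been rebased onto the MakerNote value above */`. The enclosing function starts and ends outside this hunk.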