File php-CVE-2019-11035.patch of Package php7.21654
X-Git-Url: http://208.43.231.11:8000/?p=php-src.git;a=blobdiff_plain;f=ext%2Fexif%2Fexif.c;h=75f59d71c91b2cdfd6c05e471f18edd9715acd3f;hp=407145fffcb36eea0fb98e7e2b83c9f3e4091af5;hb=330f1716df49c0d3474c18b6dcd370a9dcf57422;hpb=1c0d06441aefee18b30520e2b1ae89cbfcf56a59
Index: php-7.2.5/ext/exif/exif.c
===================================================================
--- php-7.2.5.orig/ext/exif/exif.c 2019-04-29 12:08:21.787510186 +0200
+++ php-7.2.5/ext/exif/exif.c 2019-04-29 12:08:21.799510259 +0200
@@ -2062,10 +2062,10 @@ static int exif_file_sections_free(image
/* {{{ exif_iif_add_value
Add a value to image_info
*/
-static void exif_iif_add_value(image_info_type *image_info, int section_index, char *name, int tag, int format, int length, void* value, int motorola_intel)
+static void exif_iif_add_value(image_info_type *image_info, int section_index, char *name, int tag, int format, int length, void* value, size_t value_len, int motorola_intel)
{
size_t idex;
- void *vptr;
+ void *vptr, *vptr_end;
image_info_value *info_value;
image_info_data *info_data;
image_info_data *list;
@@ -2087,8 +2087,12 @@ static void exif_iif_add_value(image_inf
switch (format) {
case TAG_FMT_STRING:
+ if (length > value_len) {
+ exif_error_docref("exif_iif_add_value" EXIFERR_CC, image_info, E_WARNING, "length > value_len: %d > %zu", length, value_len);
+ value = NULL;
+ }
if (value) {
- length = php_strnlen(value, length);
+ length = (int)php_strnlen(value, length);
info_value->s = estrndup(value, length);
info_data->length = length;
} else {
@@ -2110,6 +2114,10 @@ static void exif_iif_add_value(image_inf
if (!length)
break;
case TAG_FMT_UNDEFINED:
+ if (length > value_len) {
+ exif_error_docref("exif_iif_add_value" EXIFERR_CC, image_info, E_WARNING, "length > value_len: %d > %zu", length, value_len);
+ value = NULL;
+ }
if (value) {
if (tag == TAG_MAKER_NOTE) {
length = (int) php_strnlen(value, length);
@@ -2140,7 +2148,12 @@ static void exif_iif_add_value(image_inf
} else {
info_value = &info_data->value;
}
+ vptr_end = (char*)value+value_len;
for (idex=0,vptr=value; idex<(size_t)length; idex++,vptr=(char *) vptr + php_tiff_bytes_per_format[format]) {
+ if ((char*)vptr_end - (char*)vptr < php_tiff_bytes_per_format[format]) {
+ exif_error_docref("exif_iif_add_value" EXIFERR_CC, image_info, E_WARNING, "Value too short");
+ break;
+ }
if (length>1) {
info_value = &info_data->value.list[idex];
}
@@ -2176,7 +2189,7 @@ static void exif_iif_add_value(image_inf
php_error_docref(NULL, E_WARNING, "Found value of type single");
#endif
info_value->f = *(float *)value;
-
+ break;
case TAG_FMT_DOUBLE:
#ifdef EXIF_DEBUG
php_error_docref(NULL, E_WARNING, "Found value of type double");
@@ -2194,9 +2207,9 @@ static void exif_iif_add_value(image_inf
/* {{{ exif_iif_add_tag
Add a tag from IFD to image_info
*/
-static void exif_iif_add_tag(image_info_type *image_info, int section_index, char *name, int tag, int format, size_t length, void* value)
+static void exif_iif_add_tag(image_info_type *image_info, int section_index, char *name, int tag, int format, size_t length, void* value, size_t value_len)
{
- exif_iif_add_value(image_info, section_index, name, tag, format, (int)length, value, image_info->motorola_intel);
+ exif_iif_add_value(image_info, section_index, name, tag, format, (int)length, value, value_len, image_info->motorola_intel);
}
/* }}} */
@@ -2617,7 +2630,7 @@ static void add_assoc_image_info(zval *v
*/
static void exif_process_COM (image_info_type *image_info, char *value, size_t length)
{
- exif_iif_add_tag(image_info, SECTION_COMMENT, "Comment", TAG_COMPUTED_VALUE, TAG_FMT_STRING, length-2, value+2);
+ exif_iif_add_tag(image_info, SECTION_COMMENT, "Comment", TAG_COMPUTED_VALUE, TAG_FMT_STRING, length-2, value+2, length-2);
}
/* }}} */
@@ -2632,17 +2645,17 @@ static void exif_process_CME (image_info
if (length>3) {
switch(value[2]) {
case 0:
- exif_iif_add_tag(image_info, SECTION_COMMENT, "Comment", TAG_COMPUTED_VALUE, TAG_FMT_UNDEFINED, length, value);
+ exif_iif_add_tag(image_info, SECTION_COMMENT, "Comment", TAG_COMPUTED_VALUE, TAG_FMT_UNDEFINED, length, value, length);
break;
case 1:
- exif_iif_add_tag(image_info, SECTION_COMMENT, "Comment", TAG_COMPUTED_VALUE, TAG_FMT_STRING, length, value);
+ exif_iif_add_tag(image_info, SECTION_COMMENT, "Comment", TAG_COMPUTED_VALUE, TAG_FMT_STRING, length, value, length);
break;
default:
php_error_docref(NULL, E_NOTICE, "Undefined JPEG2000 comment encoding");
break;
}
} else {
- exif_iif_add_tag(image_info, SECTION_COMMENT, "Comment", TAG_COMPUTED_VALUE, TAG_FMT_UNDEFINED, 0, NULL);
+ exif_iif_add_tag(image_info, SECTION_COMMENT, "Comment", TAG_COMPUTED_VALUE, TAG_FMT_UNDEFINED, 0, NULL, 0);
php_error_docref(NULL, E_NOTICE, "JPEG2000 comment section too small");
}
}
@@ -3237,7 +3250,7 @@ static int exif_process_IFD_in_MAKERNOTE
static int exif_process_IFD_TAG(image_info_type *ImageInfo, char *dir_entry, char *offset_base, size_t IFDlength, size_t displacement, int section_index, int ReadNextIFD, tag_table_type tag_table)
{
size_t length;
- int tag, format, components;
+ unsigned int tag, format, components;
char *value_ptr, tagname[64], cbuf[32], *outside=NULL;
size_t byte_count, offset_val, fpos, fgot;
int64_t byte_count_signed;
@@ -3548,7 +3561,7 @@ static int exif_process_IFD_TAG(image_in
}
}
}
- exif_iif_add_tag(ImageInfo, section_index, exif_get_tagname(tag, tagname, sizeof(tagname), tag_table), tag, format, components, value_ptr);
+ exif_iif_add_tag(ImageInfo, section_index, exif_get_tagname(tag, tagname, sizeof(tagname), tag_table), tag, format, components, value_ptr, byte_count);
EFREE_IF(outside);
return TRUE;
}
@@ -3710,10 +3723,10 @@ static void exif_process_APP12(image_inf
size_t l1, l2=0;
if ((l1 = php_strnlen(buffer+2, length-2)) > 0) {
- exif_iif_add_tag(ImageInfo, SECTION_APP12, "Company", TAG_NONE, TAG_FMT_STRING, l1, buffer+2);
+ exif_iif_add_tag(ImageInfo, SECTION_APP12, "Company", TAG_NONE, TAG_FMT_STRING, l1, buffer+2, l1);
if (length > 2+l1+1) {
l2 = php_strnlen(buffer+2+l1+1, length-2-l1-1);
- exif_iif_add_tag(ImageInfo, SECTION_APP12, "Info", TAG_NONE, TAG_FMT_STRING, l2, buffer+2+l1+1);
+ exif_iif_add_tag(ImageInfo, SECTION_APP12, "Info", TAG_NONE, TAG_FMT_STRING, l2, buffer+2+l1+1, l2);
}
}
#ifdef EXIF_DEBUG
@@ -4583,7 +4596,7 @@ PHP_FUNCTION(exif_read_data)
if (ImageInfo.Thumbnail.size) {
if (read_thumbnail) {
/* not exif_iif_add_str : this is a buffer */
- exif_iif_add_tag(&ImageInfo, SECTION_THUMBNAIL, "THUMBNAIL", TAG_NONE, TAG_FMT_UNDEFINED, ImageInfo.Thumbnail.size, ImageInfo.Thumbnail.data);
+ exif_iif_add_tag(&ImageInfo, SECTION_THUMBNAIL, "THUMBNAIL", TAG_NONE, TAG_FMT_UNDEFINED, ImageInfo.Thumbnail.size, ImageInfo.Thumbnail.data, ImageInfo.Thumbnail.size);
}
if (!ImageInfo.Thumbnail.width || !ImageInfo.Thumbnail.height) {
/* try to evaluate if thumbnail data is present */
