php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login

Patch fix-iptcparse for *General Issues Bug #67250

Patch version 2014-05-12 02:10 UTC

Return to Bug #67250 | Download this patch
Patch Revisions:

Developer: stas@php.net

diff --git a/NEWS b/NEWS
index 03f8b87..6e2ff75 100644
--- a/NEWS
+++ b/NEWS
@@ -12,6 +12,7 @@ PHP                                                                        NEWS
   . Fixed bug #67245 (usage of memcpy() with overlapping src and dst in
     zend_exceptions.c). (Bob)
   . Fixed bug #67247 (spl_fixedarray_resize integer overflow). (Stas)
+  . Fixed bug #67250 (iptcparse out-of-bounds read). (Stas)
 
 - Date:
   . Fixed bug #67118 (DateTime constructor crash with invalid data). (Anatol)
diff --git a/ext/standard/iptc.c b/ext/standard/iptc.c
index 3257339..d2c14c9 100644
--- a/ext/standard/iptc.c
+++ b/ext/standard/iptc.c
@@ -329,6 +329,9 @@ PHP_FUNCTION(iptcparse)
 		recnum = buffer[ inx++ ];
 
 		if (buffer[ inx ] & (unsigned char) 0x80) { /* long tag */
+            if((inx+6) >= str_len) {
+                break;
+            }
 			len = (((long) buffer[ inx + 2 ]) << 24) + (((long) buffer[ inx + 3 ]) << 16) + 
 				  (((long) buffer[ inx + 4 ]) <<  8) + (((long) buffer[ inx + 5 ]));
 			inx += 6;
diff --git a/ext/standard/tests/image/bug67250.phpt b/ext/standard/tests/image/bug67250.phpt
new file mode 100644
index 0000000..607de9f
--- /dev/null
+++ b/ext/standard/tests/image/bug67250.phpt
@@ -0,0 +1,8 @@
+--TEST--
+Bug #67250 (iptcparse out-of-bounds read)
+--FILE--
+<?php
+var_dump(iptcparse("\x1C\x02_\x80___"));
+?>
+--EXPECT--
+bool(false)
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Thu Mar 28 10:01:26 2024 UTC