php.net | support | documentation | report a bug | advanced search | search howto | statistics | random bug | login | |
Patch fix-71630.patch for EXIF related Bug #76130Patch version 2018-03-27 17:02 UTC Return to Bug #76130 | Download this patchThis patch renders other patches obsolete Obsolete patches: Patch Revisions:Developer: cmb@php.netFrom 7260c9bb253f0b53ba4e4bb7dd788d69cc3ee3b5 Mon Sep 17 00:00:00 2001 From: "Christoph M. Becker" <cmbecker69@gmx.de> Date: Tue, 27 Mar 2018 18:42:55 +0200 Subject: [PATCH] Fix #76130: Heap Buffer Overflow (READ: 1786) in exif_iif_add_value The MakerNote is not necessarily null-terminated, so we must not use `strlen()` to avoid OOB reads. Instead `php_strnlen()` is the proper way to handle this. --- ext/exif/exif.c | 2 +- ext/exif/tests/bug76130.phpt | 20 ++++++++++++++++++++ ext/exif/tests/bug76130_1.jpg | Bin 0 -> 3396 bytes ext/exif/tests/bug76130_2.jpg | Bin 0 -> 1632 bytes 4 files changed, 21 insertions(+), 1 deletion(-) create mode 100644 ext/exif/tests/bug76130.phpt create mode 100644 ext/exif/tests/bug76130_1.jpg create mode 100644 ext/exif/tests/bug76130_2.jpg diff --git a/ext/exif/exif.c b/ext/exif/exif.c index d1155de93f..da943f52a7 100644 --- a/ext/exif/exif.c +++ b/ext/exif/exif.c @@ -2090,7 +2090,7 @@ static void exif_iif_add_value(image_info_type *image_info, int section_index, c case TAG_FMT_UNDEFINED: if (value) { if (tag == TAG_MAKER_NOTE) { - length = MIN(length, strlen(value)); + length = (int) php_strnlen(value, length); } /* do not recompute length here */ diff --git a/ext/exif/tests/bug76130.phpt b/ext/exif/tests/bug76130.phpt new file mode 100644 index 0000000000..9c826af629 --- /dev/null +++ b/ext/exif/tests/bug76130.phpt @@ -0,0 +1,20 @@ +--TEST-- +Bug #76130 (Heap Buffer Overflow (READ: 1786) in exif_iif_add_value) +--DESCRIPTION-- +This test is meant to exhibit memory issues with the `-m` option. Since a lot of +notices and warnings are to be expected anyway, we suppress these, since the are +not relevant for this test. +--INI-- +error_reporting=E_ALL & ~E_WARNING & ~E_NOTICE +--SKIPIF-- +<?php +if (!extension_loaded('exif')) die('skip exif extension not available'); +?> +--FILE-- +<?php +exif_read_data(__DIR__ . '/bug76130_1.jpg'); +exif_read_data(__DIR__ . '/bug76130_2.jpg'); +?> +===DONE=== +--EXPECT-- +===DONE=== diff --git a/ext/exif/tests/bug76130_1.jpg b/ext/exif/tests/bug76130_1.jpg new file mode 100644 index 0000000000000000000000000000000000000000..e063e46d22a897f1c7d10d375b672c03146c3350 GIT binary patch literal 3396 zcmex=!+=4+00lhcHE^xSOk-g1^weVDU|?V{U;xX5Sgb${0)vIkhU6Yvu$fTJubBk( nJIpR{V2l!@Aut*OqaiRF0;3@?8UmvsFd71*Aut*OBPRp^q!MLZ literal 0 HcmV?d00001 diff --git a/ext/exif/tests/bug76130_2.jpg b/ext/exif/tests/bug76130_2.jpg new file mode 100644 index 0000000000000000000000000000000000000000..a9e79dca5cf029b50c88dc4fea7ebbf8975f411b GIT binary patch literal 1632 zcmebD)MDUZU|`5$sF_sHAOd8`F)}cCF*1SJ|7Wo=Fl4qffrQ1lfy7d#LqKsxhA37B zCK%wD1Xj!7#EB4t$&J#3I0U$;@3w~j|Nm3p)KL>hLtvzbfQ@}YMu7qlXXd4`YG_(3 z*xNB6i{&GUF@9x)12i>oapD>O4>1UGFs3jyFf$4=I0-N^2r~XZ!XOW<1sGUafdm|| SGjK0~R0TzBw-`7W!EyjwF)_*j literal 0 HcmV?d00001 -- 2.14.1.windows.1 |
Copyright © 2001-2024 The PHP Group All rights reserved. |
Last updated: Thu Nov 07 00:01:29 2024 UTC |