Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
SUSE:SLE-12-SP2:GA
php5.14088
php-CVE-2019-11035.patch
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File php-CVE-2019-11035.patch of Package php5.14088
X-Git-Url: http://208.43.231.11:8000/?p=php-src.git;a=blobdiff_plain;f=ext%2Fexif%2Fexif.c;h=408bf03d3ec6c2c6d41ec4217f5a12e985f42cb5;hp=0b5bb5ae2123989a28b2112ab5506777083ad9d5;hb=887a7b571407f7a49a5e7cf1e612d21ef83fedb4;hpb=c684d32fb877aa7335842e8b9e7506ef51620e1a Index: php-5.5.14/ext/exif/exif.c =================================================================== --- php-5.5.14.orig/ext/exif/exif.c 2019-04-29 12:21:04.172019616 +0200 +++ php-5.5.14/ext/exif/exif.c 2019-04-29 12:33:31.960329033 +0200 @@ -1670,10 +1670,10 @@ static int exif_file_sections_free(image /* {{{ exif_iif_add_value Add a value to image_info */ -static void exif_iif_add_value(image_info_type *image_info, int section_index, char *name, int tag, int format, int length, void* value, int motorola_intel TSRMLS_DC) +static void exif_iif_add_value(image_info_type *image_info, int section_index, char *name, int tag, int format, int length, void* value, size_t value_len, int motorola_intel TSRMLS_DC) { size_t idex; - void *vptr; + void *vptr, *vptr_end; image_info_value *info_value; image_info_data *info_data; image_info_data *list; @@ -1695,8 +1695,12 @@ static void exif_iif_add_value(image_inf switch (format) { case TAG_FMT_STRING: + if (length > value_len) { + exif_error_docref("exif_iif_add_value" EXIFERR_CC, image_info, E_WARNING, "length > value_len: %d > %zu", length, value_len); + value = NULL; + } if (value) { - length = php_strnlen(value, length); + length = (int)php_strnlen(value, length); info_value->s = estrndup(value, length); info_data->length = length; } else { @@ -1718,6 +1722,10 @@ static void exif_iif_add_value(image_inf if (!length) break; case TAG_FMT_UNDEFINED: + if (length > value_len) { + exif_error_docref("exif_iif_add_value" EXIFERR_CC, image_info, E_WARNING, "length > value_len: %d > %zu", length, value_len); + value = NULL; + } if (value) { /* do not recompute length here */ info_value->s = estrndup(value, length); @@ -1744,7 +1752,12 @@ static void exif_iif_add_value(image_inf } else { info_value = &info_data->value; } + vptr_end = (char*)value+value_len; for (idex=0,vptr=value; idex<(size_t)length; idex++,vptr=(char *) vptr + php_tiff_bytes_per_format[format]) { + if ((char*)vptr_end - (char*)vptr < php_tiff_bytes_per_format[format]) { + exif_error_docref("exif_iif_add_value" EXIFERR_CC, image_info, E_WARNING, "Value too short"); + break; + } if (length>1) { info_value = &info_data->value.list[idex]; } @@ -1780,7 +1793,7 @@ static void exif_iif_add_value(image_inf php_error_docref(NULL TSRMLS_CC, E_WARNING, "Found value of type single"); #endif info_value->f = *(float *)value; - + break; case TAG_FMT_DOUBLE: #ifdef EXIF_DEBUG php_error_docref(NULL TSRMLS_CC, E_WARNING, "Found value of type double"); @@ -1798,9 +1811,9 @@ static void exif_iif_add_value(image_inf /* {{{ exif_iif_add_tag Add a tag from IFD to image_info */ -static void exif_iif_add_tag(image_info_type *image_info, int section_index, char *name, int tag, int format, size_t length, void* value TSRMLS_DC) +static void exif_iif_add_tag(image_info_type *image_info, int section_index, char *name, int tag, int format, size_t length, void* value TSRMLS_DC, size_t value_len) { - exif_iif_add_value(image_info, section_index, name, tag, format, (int)length, value, image_info->motorola_intel TSRMLS_CC); + exif_iif_add_value(image_info, section_index, name, tag, format, (int)length, value, value_len, image_info->motorola_intel TSRMLS_CC); } /* }}} */ @@ -2224,7 +2237,7 @@ static void add_assoc_image_info(zval *v */ static void exif_process_COM (image_info_type *image_info, char *value, size_t length TSRMLS_DC) { - exif_iif_add_tag(image_info, SECTION_COMMENT, "Comment", TAG_COMPUTED_VALUE, TAG_FMT_STRING, length-2, value+2 TSRMLS_CC); + exif_iif_add_tag(image_info, SECTION_COMMENT, "Comment", TAG_COMPUTED_VALUE, TAG_FMT_STRING, length-2, value+2 TSRMLS_CC, length-2); } /* }}} */ @@ -2239,17 +2252,17 @@ static void exif_process_CME (image_info if (length>3) { switch(value[2]) { case 0: - exif_iif_add_tag(image_info, SECTION_COMMENT, "Comment", TAG_COMPUTED_VALUE, TAG_FMT_UNDEFINED, length, value TSRMLS_CC); + exif_iif_add_tag(image_info, SECTION_COMMENT, "Comment", TAG_COMPUTED_VALUE, TAG_FMT_UNDEFINED, length, value TSRMLS_CC, length); break; case 1: - exif_iif_add_tag(image_info, SECTION_COMMENT, "Comment", TAG_COMPUTED_VALUE, TAG_FMT_STRING, length, value); + exif_iif_add_tag(image_info, SECTION_COMMENT, "Comment", TAG_COMPUTED_VALUE, TAG_FMT_STRING, length, value, length); break; default: php_error_docref(NULL TSRMLS_CC, E_NOTICE, "Undefined JPEG2000 comment encoding"); break; } } else { - exif_iif_add_tag(image_info, SECTION_COMMENT, "Comment", TAG_COMPUTED_VALUE, TAG_FMT_UNDEFINED, 0, NULL); + exif_iif_add_tag(image_info, SECTION_COMMENT, "Comment", TAG_COMPUTED_VALUE, TAG_FMT_UNDEFINED, 0, NULL, 0); php_error_docref(NULL TSRMLS_CC, E_NOTICE, "JPEG2000 comment section too small"); } } @@ -2833,7 +2846,7 @@ static int exif_process_IFD_in_MAKERNOTE static int exif_process_IFD_TAG(image_info_type *ImageInfo, char *dir_entry, char *offset_base, size_t IFDlength, size_t displacement, int section_index, int ReadNextIFD, tag_table_type tag_table TSRMLS_DC) { size_t length; - int tag, format, components; + unsigned int tag, format, components; char *value_ptr, tagname[64], cbuf[32], *outside=NULL; size_t byte_count, offset_val, fpos, fgot; int64_t byte_count_signed; @@ -3144,7 +3157,7 @@ static int exif_process_IFD_TAG(image_in } } } - exif_iif_add_tag(ImageInfo, section_index, exif_get_tagname(tag, tagname, sizeof(tagname), tag_table TSRMLS_CC), tag, format, components, value_ptr TSRMLS_CC); + exif_iif_add_tag(ImageInfo, section_index, exif_get_tagname(tag, tagname, sizeof(tagname), tag_table TSRMLS_CC), tag, format, components, value_ptr TSRMLS_CC, byte_count); EFREE_IF(outside); return TRUE; } @@ -3302,10 +3315,10 @@ static void exif_process_APP12(image_inf size_t l1, l2=0; if ((l1 = php_strnlen(buffer+2, length-2)) > 0) { - exif_iif_add_tag(ImageInfo, SECTION_APP12, "Company", TAG_NONE, TAG_FMT_STRING, l1, buffer+2 TSRMLS_CC); + exif_iif_add_tag(ImageInfo, SECTION_APP12, "Company", TAG_NONE, TAG_FMT_STRING, l1, buffer+2 TSRMLS_CC, l1); if (length > 2+l1+1) { l2 = php_strnlen(buffer+2+l1+1, length-2-l1-1); - exif_iif_add_tag(ImageInfo, SECTION_APP12, "Info", TAG_NONE, TAG_FMT_STRING, l2, buffer+2+l1+1 TSRMLS_CC); + exif_iif_add_tag(ImageInfo, SECTION_APP12, "Info", TAG_NONE, TAG_FMT_STRING, l2, buffer+2+l1+1 TSRMLS_CC, l2); } } #ifdef EXIF_DEBUG @@ -4096,7 +4109,7 @@ PHP_FUNCTION(exif_read_data) if (ImageInfo.Thumbnail.size) { if (read_thumbnail) { /* not exif_iif_add_str : this is a buffer */ - exif_iif_add_tag(&ImageInfo, SECTION_THUMBNAIL, "THUMBNAIL", TAG_NONE, TAG_FMT_UNDEFINED, ImageInfo.Thumbnail.size, ImageInfo.Thumbnail.data TSRMLS_CC); + exif_iif_add_tag(&ImageInfo, SECTION_THUMBNAIL, "THUMBNAIL", TAG_NONE, TAG_FMT_UNDEFINED, ImageInfo.Thumbnail.size, ImageInfo.Thumbnail.data TSRMLS_CC, ImageInfo.Thumbnail.size); } if (!ImageInfo.Thumbnail.width || !ImageInfo.Thumbnail.height) { /* try to evaluate if thumbnail data is present */
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor