52 lines
1.7 KiB
Diff
52 lines
1.7 KiB
Diff
From 99b7ef940e04cd273d03c5fa93bf182db2d7ce8d Mon Sep 17 00:00:00 2001
|
|
From: Stanislav Malyshev <stas@php.net>
|
|
Date: Sun, 7 Jul 2019 17:39:59 -0700
|
|
Subject: [PATCH] Fix bug #78256 (heap-buffer-overflow on
|
|
exif_process_user_comment)
|
|
|
|
---
|
|
ext/exif/exif.c | 4 ++--
|
|
ext/exif/tests/bug78256.phpt | 11 +++++++++++
|
|
2 files changed, 13 insertions(+), 2 deletions(-)
|
|
create mode 100644 ext/exif/tests/bug78256.phpt
|
|
|
|
diff --git a/ext/exif/exif.c b/ext/exif/exif.c
|
|
index 77a11300..a80f2c2a 100644
|
|
--- a/ext/exif/exif.c
|
|
+++ b/ext/exif/exif.c
|
|
@@ -3040,11 +3040,11 @@ static int exif_process_user_comment(image_info_type *ImageInfo, char **pszInfoP
|
|
/* First try to detect BOM: ZERO WIDTH NOBREAK SPACE (FEFF 16)
|
|
* since we have no encoding support for the BOM yet we skip that.
|
|
*/
|
|
- if (!memcmp(szValuePtr, "\xFE\xFF", 2)) {
|
|
+ if (ByteCount >=2 && !memcmp(szValuePtr, "\xFE\xFF", 2)) {
|
|
decode = "UCS-2BE";
|
|
szValuePtr = szValuePtr+2;
|
|
ByteCount -= 2;
|
|
- } else if (!memcmp(szValuePtr, "\xFF\xFE", 2)) {
|
|
+ } else if (ByteCount >=2 && !memcmp(szValuePtr, "\xFF\xFE", 2)) {
|
|
decode = "UCS-2LE";
|
|
szValuePtr = szValuePtr+2;
|
|
ByteCount -= 2;
|
|
diff --git a/ext/exif/tests/bug78256.phpt b/ext/exif/tests/bug78256.phpt
|
|
new file mode 100644
|
|
index 00000000..37a3f1d8
|
|
--- /dev/null
|
|
+++ b/ext/exif/tests/bug78256.phpt
|
|
@@ -0,0 +1,11 @@
|
|
+--TEST--
|
|
+Bug #78256 (heap-buffer-overflow on exif_process_user_comment)
|
|
+--SKIPIF--
|
|
+<?php if (!extension_loaded('exif')) print 'skip exif extension not available';?>
|
|
+--FILE--
|
|
+<?php
|
|
+@exif_read_data(__DIR__."/bug78256.jpg", 'COMMENT', FALSE, TRUE);
|
|
+?>
|
|
+DONE
|
|
+--EXPECTF--
|
|
+DONE
|
|
\ No newline at end of file
|
|
--
|
|
2.21.0
|
|
|