49 lines
1.5 KiB
Diff
49 lines
1.5 KiB
Diff
From c14eb8de974fc8a4d74f3515424c293bc7a40fba Mon Sep 17 00:00:00 2001
|
|
From: Stanislav Malyshev <stas@php.net>
|
|
Date: Mon, 16 Dec 2019 01:14:38 -0800
|
|
Subject: [PATCH] Fix bug #78793
|
|
|
|
---
|
|
ext/exif/exif.c | 5 +++--
|
|
ext/exif/tests/bug78793.phpt | 12 ++++++++++++
|
|
2 files changed, 15 insertions(+), 2 deletions(-)
|
|
create mode 100644 ext/exif/tests/bug78793.phpt
|
|
|
|
diff --git a/ext/exif/exif.c b/ext/exif/exif.c
|
|
index c0be05922f..7fe055f381 100644
|
|
--- a/ext/exif/exif.c
|
|
+++ b/ext/exif/exif.c
|
|
@@ -3235,8 +3235,9 @@ static int exif_process_IFD_in_MAKERNOTE(image_info_type *ImageInfo, char * valu
|
|
}
|
|
|
|
for (de=0;de<NumDirEntries;de++) {
|
|
- if (!exif_process_IFD_TAG(ImageInfo, dir_start + 2 + 12 * de,
|
|
- offset_base, data_len, displacement, section_index, 0, maker_note->tag_table)) {
|
|
+ size_t offset = 2 + 12 * de;
|
|
+ if (!exif_process_IFD_TAG(ImageInfo, dir_start + offset,
|
|
+ offset_base, data_len - offset, displacement, section_index, 0, maker_note->tag_table)) {
|
|
return FALSE;
|
|
}
|
|
}
|
|
diff --git a/ext/exif/tests/bug78793.phpt b/ext/exif/tests/bug78793.phpt
|
|
new file mode 100644
|
|
index 0000000000..033f255ace
|
|
--- /dev/null
|
|
+++ b/ext/exif/tests/bug78793.phpt
|
|
@@ -0,0 +1,12 @@
|
|
+--TEST--
|
|
+Bug #78793: Use-after-free in exif parsing under memory sanitizer
|
|
+--FILE--
|
|
+<?php
|
|
+$f = "ext/exif/tests/bug77950.tiff";
|
|
+for ($i = 0; $i < 10; $i++) {
|
|
+ @exif_read_data($f);
|
|
+}
|
|
+?>
|
|
+===DONE===
|
|
+--EXPECT--
|
|
+===DONE===
|
|
--
|
|
2.19.1
|
|
|