1
Description: fix denial of service and possible information disclosure
2
via exif integer overflow
3
Origin: upstream, http://svn.php.net/viewvc?view=revision&revision=319535
4
Bug: https://bugs.php.net/bug.php?id=60150
6
Index: php5-5.3.8.0/ext/exif/exif.c
7
===================================================================
8
--- php5-5.3.8.0.orig/ext/exif/exif.c 2011-12-12 15:13:43.006064337 -0500
9
+++ php5-5.3.8.0/ext/exif/exif.c 2011-12-12 15:13:58.910064186 -0500
10
@@ -2874,11 +2874,11 @@
11
offset_val = php_ifd_get32u(dir_entry+8, ImageInfo->motorola_intel);
12
/* If its bigger than 4 bytes, the dir entry contains an offset. */
13
value_ptr = offset_base+offset_val;
14
- if (offset_val+byte_count > IFDlength || value_ptr < dir_entry) {
15
+ if (byte_count > IFDlength || offset_val > IFDlength-byte_count || value_ptr < dir_entry) {
16
/* It is important to check for IMAGE_FILETYPE_TIFF
17
* JPEG does not use absolute pointers instead its pointers are
18
* relative to the start of the TIFF header in APP1 section. */
19
- if (offset_val+byte_count>ImageInfo->FileSize || (ImageInfo->FileType!=IMAGE_FILETYPE_TIFF_II && ImageInfo->FileType!=IMAGE_FILETYPE_TIFF_MM && ImageInfo->FileType!=IMAGE_FILETYPE_JPEG)) {
20
+ if (byte_count > ImageInfo->FileSize || offset_val>ImageInfo->FileSize-byte_count || (ImageInfo->FileType!=IMAGE_FILETYPE_TIFF_II && ImageInfo->FileType!=IMAGE_FILETYPE_TIFF_MM && ImageInfo->FileType!=IMAGE_FILETYPE_JPEG)) {
21
if (value_ptr < dir_entry) {
22
/* we can read this if offset_val > 0 */
23
/* some files have their values in other parts of the file */