Skip to content

Commit 3462efa

Browse files
smalyshevsmalyshev
committed
Fix bug #76557: heap-buffer-overflow (READ of size 48) while reading exif data
Use MAKERNOTE length as data size.
1 parent 1baeae4 commit 3462efa

File tree

3 files changed

+83
-1
lines changed

3 files changed

+83
-1
lines changed

ext/exif/exif.c

Lines changed: 4 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -2728,6 +2728,7 @@ static int exif_process_IFD_in_MAKERNOTE(image_info_type *ImageInfo, char * valu
27282728
int NumDirEntries, old_motorola_intel, offset_diff;
27292729
const maker_note_type *maker_note;
27302730
char *dir_start;
2731+
int data_len;
27312732

27322733
for (i=0; i<=sizeof(maker_note_array)/sizeof(maker_note_type); i++) {
27332734
if (i==sizeof(maker_note_array)/sizeof(maker_note_type)) {
@@ -2782,6 +2783,7 @@ static int exif_process_IFD_in_MAKERNOTE(image_info_type *ImageInfo, char * valu
27822783
switch (maker_note->offset_mode) {
27832784
case MN_OFFSET_MAKER:
27842785
offset_base = value_ptr;
2786+
data_len = value_len;
27852787
break;
27862788
case MN_OFFSET_GUESS:
27872789
if (maker_note->offset + 10 + 4 >= value_len) {
@@ -2798,6 +2800,7 @@ static int exif_process_IFD_in_MAKERNOTE(image_info_type *ImageInfo, char * valu
27982800
return FALSE;
27992801
}
28002802
offset_base = value_ptr + offset_diff;
2803+
data_len = value_len - offset_diff;
28012804
break;
28022805
default:
28032806
case MN_OFFSET_NORMAL:
@@ -2811,7 +2814,7 @@ static int exif_process_IFD_in_MAKERNOTE(image_info_type *ImageInfo, char * valu
28112814

28122815
for (de=0;de<NumDirEntries;de++) {
28132816
if (!exif_process_IFD_TAG(ImageInfo, dir_start + 2 + 12 * de,
2814-
offset_base, IFDlength, displacement, section_index, 0, maker_note->tag_table TSRMLS_CC)) {
2817+
offset_base, data_len, displacement, section_index, 0, maker_note->tag_table TSRMLS_CC)) {
28152818
return FALSE;
28162819
}
28172820
}

ext/exif/tests/bug76557.jpg

2.32 KB
Loading

ext/exif/tests/bug76557.phpt

Lines changed: 79 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,79 @@
1+
--TEST--
2+
Bug 76557 (heap-buffer-overflow (READ of size 48) while reading exif data)
3+
--SKIPIF--
4+
<?php if (!extension_loaded('exif')) print 'skip exif extension not available';?>
5+
--FILE--
6+
<?php
7+
var_dump(count(exif_read_data(dirname(__FILE__) . "/bug76557.jpg")));
8+
?>
9+
DONE
10+
--EXPECTF--
11+
Warning: exif_read_data(bug76557.jpg): Process tag(x010F=Make ): Illegal format code 0x3030, suppose BYTE in %sbug76557.php on line %d
12+
13+
Warning: exif_read_data(bug76557.jpg): Process tag(x3030=UndefinedTa): Illegal format code 0x3030, suppose BYTE in %sbug76557.php on line %d
14+
15+
Warning: exif_read_data(bug76557.jpg): Process tag(x3030=UndefinedTa): Illegal format code 0x3030, suppose BYTE in %sbug76557.php on line %d
16+
17+
Warning: exif_read_data(bug76557.jpg): Process tag(x3030=UndefinedTa): Illegal format code 0x3030, suppose BYTE in %sbug76557.php on line %d
18+
19+
Warning: exif_read_data(bug76557.jpg): Process tag(x3030=UndefinedTa): Illegal format code 0x3030, suppose BYTE in %sbug76557.php on line %d
20+
21+
Warning: exif_read_data(bug76557.jpg): Process tag(x3030=UndefinedTa): Illegal format code 0x3030, suppose BYTE in %sbug76557.php on line %d
22+
23+
Warning: exif_read_data(bug76557.jpg): Process tag(x3030=UndefinedTa): Illegal format code 0x3030, suppose BYTE in %sbug76557.php on line %d
24+
25+
Warning: exif_read_data(bug76557.jpg): Process tag(x3030=UndefinedTa): Illegal format code 0x3030, suppose BYTE in %sbug76557.php on line %d
26+
27+
Warning: exif_read_data(bug76557.jpg): Process tag(x3030=UndefinedTa): Illegal format code 0x3030, suppose BYTE in %sbug76557.php on line %d
28+
29+
Warning: exif_read_data(bug76557.jpg): Process tag(x3030=UndefinedTa): Illegal format code 0x3030, suppose BYTE in %sbug76557.php on line %d
30+
31+
Warning: exif_read_data(bug76557.jpg): Process tag(x8769=Exif_IFD_Po): Illegal format code 0x3030, suppose BYTE in %sbug76557.php on line %d
32+
33+
Warning: exif_read_data(bug76557.jpg): Process tag(x3030=UndefinedTa): Illegal format code 0x3030, suppose BYTE in %sbug76557.php on line %d
34+
35+
Warning: exif_read_data(bug76557.jpg): Process tag(x3030=UndefinedTa): Illegal format code 0x3030, suppose BYTE in %sbug76557.php on line %d
36+
37+
Warning: exif_read_data(bug76557.jpg): Process tag(x3030=UndefinedTa): Illegal format code 0x3030, suppose BYTE in %sbug76557.php on line %d
38+
39+
Warning: exif_read_data(bug76557.jpg): Process tag(x3030=UndefinedTa): Illegal format code 0x3030, suppose BYTE in %sbug76557.php on line %d
40+
41+
Warning: exif_read_data(bug76557.jpg): Process tag(x3030=UndefinedTa): Illegal format code 0x3030, suppose BYTE in %sbug76557.php on line %d
42+
43+
Warning: exif_read_data(bug76557.jpg): Process tag(x3030=UndefinedTa): Illegal format code 0x3030, suppose BYTE in %sbug76557.php on line %d
44+
45+
Warning: exif_read_data(bug76557.jpg): Process tag(x3030=UndefinedTa): Illegal format code 0x3030, suppose BYTE in %sbug76557.php on line %d
46+
47+
Warning: exif_read_data(bug76557.jpg): Process tag(x3030=UndefinedTa): Illegal format code 0x3030, suppose BYTE in %sbug76557.php on line %d
48+
49+
Warning: exif_read_data(bug76557.jpg): Process tag(x3030=UndefinedTa): Illegal format code 0x3030, suppose BYTE in %sbug76557.php on line %d
50+
51+
Warning: exif_read_data(bug76557.jpg): Process tag(x3030=UndefinedTa): Illegal format code 0x3030, suppose BYTE in %sbug76557.php on line %d
52+
53+
Warning: exif_read_data(bug76557.jpg): Process tag(x3030=UndefinedTa): Illegal format code 0x3030, suppose BYTE in %sbug76557.php on line %d
54+
55+
Warning: exif_read_data(bug76557.jpg): Process tag(x3030=UndefinedTa): Illegal format code 0x3030, suppose BYTE in %sbug76557.php on line %d
56+
57+
Warning: exif_read_data(bug76557.jpg): Process tag(x3030=UndefinedTa): Illegal format code 0x3030, suppose BYTE in %sbug76557.php on line %d
58+
59+
Warning: exif_read_data(bug76557.jpg): Process tag(x3030=UndefinedTa): Illegal format code 0x3030, suppose BYTE in %sbug76557.php on line %d
60+
61+
Warning: exif_read_data(bug76557.jpg): Process tag(x3030=UndefinedTa): Illegal format code 0x3030, suppose BYTE in %sbug76557.php on line %d
62+
63+
Warning: exif_read_data(bug76557.jpg): Process tag(x3030=UndefinedTa): Illegal format code 0x3030, suppose BYTE in %sbug76557.php on line %d
64+
65+
Warning: exif_read_data(bug76557.jpg): Process tag(x927C=MakerNote ): Illegal format code 0x3030, suppose BYTE in %sbug76557.php on line %d
66+
67+
Warning: exif_read_data(bug76557.jpg): Process tag(x3030=UndefinedTa): Illegal format code 0x3030, suppose BYTE in %sbug76557.php on line %d
68+
69+
Warning: exif_read_data(bug76557.jpg): Process tag(x3030=UndefinedTa): Illegal format code 0x3030, suppose BYTE in %sbug76557.php on line %d
70+
71+
Warning: exif_read_data(bug76557.jpg): Process tag(x3030=UndefinedTa): Illegal format code 0x3030, suppose BYTE in %sbug76557.php on line %d
72+
73+
Warning: exif_read_data(bug76557.jpg): Process tag(x3030=UndefinedTa): Illegal pointer offset(x30303030 + x30303030 = x60606060 > x00EE) in %sbug76557.php on line %d
74+
75+
Warning: exif_read_data(bug76557.jpg): File structure corrupted in %sbug76557.php on line %d
76+
77+
Warning: exif_read_data(bug76557.jpg): Invalid JPEG file in %sbug76557.php on line %d
78+
int(1)
79+
DONE

0 commit comments

Comments
 (0)