[packages/php.git] / php-5.2.17-CVE-2011-0708.patch
1 --- PHP_5_3/ext/exif/exif.c     2011/02/14 08:46:53     308315
2 +++ PHP_5_3/ext/exif/exif.c     2011/02/14 09:08:44     308316
3 @@ -40,6 +40,10 @@
4  #include "php.h"
5  #include "ext/standard/file.h"
6  
7 +#ifdef PHP_WIN32
8 +include "win32/php_stdint.h"
9 +#endif
10 +
11  #if HAVE_EXIF
12  
13  /* When EXIF_DEBUG is defined the module generates a lot of debug messages
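Review bot: The added line `include "win32/php_stdint.h"` inside the `#ifdef PHP_WIN32` guard is missing its leading `#`, so it is not a preprocessor directive and a build with `PHP_WIN32` defined would fail to compile there; it should read `#include "win32/php_stdint.h"`. Builds without `PHP_WIN32` skip the guarded group, which is presumably why the typo went unnoticed. The later hunk of this patch uses `int64_t`, so it is also worth confirming that the non-Windows path gets that type from an include already present in the file, since none is visible in this hunk.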
14 @@ -2821,6 +2825,7 @@
15         int tag, format, components;
16         char *value_ptr, tagname[64], cbuf[32], *outside=NULL;
17         size_t byte_count, offset_val, fpos, fgot;
18 +       int64_t byte_count_signed;
19         xp_field_type *tmp_xp;
20  #ifdef EXIF_DEBUG
21         char *dump_data;
22 @@ -2845,13 +2850,20 @@
23                 /*return TRUE;*/
24         }
25  
26 -       byte_count = components * php_tiff_bytes_per_format[format];
27 +       if (components < 0) {
28 +               exif_error_docref("exif_read_data#error_ifd" EXIFERR_CC, ImageInfo, E_WARNING, "Process tag(x%04X=%s): Illegal byte_count(%ld)", tag, exif_get_tagname(tag, tagname, -12, tag_table TSRMLS_CC), byte_count);
29 +               return FALSE;
30 +       }
31 +
32 +       byte_count_signed = (int64_t)components * php_tiff_bytes_per_format[format];
33  
34 -       if ((ssize_t)byte_count < 0) {
35 +       if (byte_count_signed < 0 || (byte_count_signed > 2147483648)) {
36                 exif_error_docref("exif_read_data#error_ifd" EXIFERR_CC, ImageInfo, E_WARNING, "Process tag(x%04X=%s): Illegal byte_count(%ld)", tag, exif_get_tagname(tag, tagname, -12, tag_table TSRMLS_CC), byte_count);
37                 return FALSE;
38         }
39  
40 +       byte_count = (size_t)byte_count_signed;
41 +
42         if (byte_count > 4) {
43                 offset_val = php_ifd_get32u(dir_entry+8, ImageInfo->motorola_intel);
44                 /* If its bigger than 4 bytes, the dir entry contains an offset. */
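Review bot: Both `exif_error_docref(...)` warnings in this hunk still pass `byte_count` to `%ld`, but the new code assigns `byte_count` only after the checks, at `byte_count = (size_t)byte_count_signed;`. Unless something earlier in the function (its body starts outside this hunk) sets it, each rejection path reads an unset variable, and the log line for a malformed image carries an arbitrary value instead of the offending one. The `components < 0` branch should report `components` with `%d`, and the range check should report `byte_count_signed` with a matching 64-bit conversion. Separately, `byte_count_signed > 2147483648` still accepts exactly 2^31, one above `INT_MAX`; if the intent is to keep the count within a signed 32-bit range, `byte_count_signed > INT32_MAX` is the tighter test.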
45 @@ -2916,6 +2928,7 @@
46                 efree(dump_data);
47         }
48  #endif
49 +
50         if (section_index==SECTION_THUMBNAIL) {
51                 if (!ImageInfo->Thumbnail.data) {
52                         switch(tag) {