
Commit dbccc8c

- fix bug #54002, exif_read_data crashes on crafted tags
1 parent b84967d commit dbccc8c

4 files changed

Lines changed: 34 additions & 2 deletions


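--- a/ext/exif/exif.c
+++ b/ext/exif/exif.c
@@ -40,6 +40,10 @@
 #include "php.h"
 #include "ext/standard/file.h"
 
+#ifdef PHP_WIN32
+include "win32/php_stdint.h"
+#endif
+
 #if HAVE_EXIF
 
 /* When EXIF_DEBUG is defined the module generates a lot of debug messages
@@ -2817,6 +2821,7 @@ static int exif_process_IFD_TAG(image_info_type *ImageInfo, char *dir_entry, cha
 int tag, format, components;
 char *value_ptr, tagname[64], cbuf[32], *outside=NULL;
 size_t byte_count, offset_val, fpos, fgot;
+int64_t byte_count_signed;
 xp_field_type *tmp_xp;
 #ifdef EXIF_DEBUG
 char *dump_data;
@@ -2841,13 +2846,19 @@ static int exif_process_IFD_TAG(image_info_type *ImageInfo, char *dir_entry, cha
 /*return TRUE;*/
 }
 
-byte_count = components * php_tiff_bytes_per_format[format];
+if (components < 0) {
+exif_error_docref("exif_read_data#error_ifd" EXIFERR_CC, ImageInfo, E_WARNING, "Process tag(x%04X=%s): Illegal byte_count(%ld)", tag, exif_get_tagname(tag, tagname, -12, tag_table TSRMLS_CC), byte_count);
+return FALSE;
+}
+byte_count_signed = (int64_t)components * php_tiff_bytes_per_format[format];
 
-if ((ssize_t)byte_count < 0) {
+if (byte_count_signed < 0 || (byte_count_signed > 2147483648)) {
 exif_error_docref("exif_read_data#error_ifd" EXIFERR_CC, ImageInfo, E_WARNING, "Process tag(x%04X=%s): Illegal byte_count(%ld)", tag, exif_get_tagname(tag, tagname, -12, tag_table TSRMLS_CC), byte_count);
 return FALSE;
 }
 
+byte_count = (size_t)byte_count_signed;
+
 if (byte_count > 4) {
 offset_val = php_ifd_get32u(dir_entry+8, ImageInfo->motorola_intel);
 /* If its bigger than 4 bytes, the dir entry contains an offset. */
@@ -2912,6 +2923,7 @@ static int exif_process_IFD_TAG(image_info_type *ImageInfo, char *dir_entry, cha
 efree(dump_data);
 }
 #endif
+
 if (section_index==SECTION_THUMBNAIL) {
 if (!ImageInfo->Thumbnail.data) {
 switch(tag) {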
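Review bot: Both new warnings in exif_process_IFD_TAG (new lines 2850 and 2856) still pass `byte_count` to the `%ld` format, but the assignment that used to precede the check was removed, so at those points the value is the uninitialized `size_t` declared at line 2823 — undefined behaviour and a meaningless number in the diagnostic. Report the value that was actually rejected instead: `"Process tag(x%04X=%s): Illegal components(%d)"` with `components` in the first check, and `"Illegal byte_count(%" PRId64 ")"` with `byte_count_signed` in the second (`%ld` also never matched `size_t`, so this fixes the format mismatch as well; `PRId64` comes from `<inttypes.h>`, confirm the Windows build has it via the bundled header). The upper bound `2147483648` is one more than `INT32_MAX`, so a byte_count of exactly 2^31 passes; whether that matters depends on how byte_count is consumed further down the function, which starts before and continues after these hunks, but `INT32_MAX` would be the clearer and stricter limit. Separately, new line 44 as rendered reads `include "win32/php_stdint.h"` without the leading `#`; if that is not a rendering artefact it will not compile on Windows.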

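--- a/ext/exif/tests/bug54002.phpt
+++ b/ext/exif/tests/bug54002.phpt
@@ -0,0 +1,20 @@
+--TEST--
+Bug #54002 (crash on crafted tag)
+--INI--
+memory_limit=-1
+--SKIPIF--
+<?php if (!extension_loaded('exif')) print 'skip exif extension not available';?>
+--FILE--
+<?php
+exif_read_data(__DIR__ . '/bug54002_1.jpeg');
+exif_read_data(__DIR__ . '/bug54002_2.jpeg');
+
+?>
+--EXPECTF--
+Warning: exif_read_data(bug54002_1.jpeg): Process tag(x0205=UndefinedTa): Illegal byte_count(%d) in %sbug54002.php on line %d
+
+Warning: exif_read_data(bug54002_1.jpeg): Process tag(xA000=FlashPixVer): Illegal pointer offset(%s) in %sbug54002.php on line %d
+
+Warning: exif_read_data(bug54002_2.jpeg): Process tag(x0205=UndefinedTa): Illegal byte_count(%d) in %sbug54002.php on line %d
+
+Warning: exif_read_data(bug54002_2.jpeg): Process tag(xA000=FlashPixVer): Illegal pointer offset(%s) in %sbug54002.php on line %d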

ext/exif/tests/bug54002_1.jpeg

85.5 KB

ext/exif/tests/bug54002_2.jpeg

85.5 KB
