Re: exif int overflow patch is not applied to 5.3?
Hi all,
On Sun, Jan 12, 2014 at 8:17 AM, Yasuo Ohgaki <yohgaki@ohgaki.net> wrote:
> Hi all,
>
> 5.4.24/5.5.8 have this patch
>
> diff --git a/ext/exif/exif.c b/ext/exif/exif.c
> index 2fe54f7..c531d8d 100644
> --- a/ext/exif/exif.c
> +++ b/ext/exif/exif.c
> @@ -2852,7 +2852,12 @@ static int exif_process_IFD_TAG(image_info_type
> *ImageInfo, char *dir_entry, cha
> offset_val = php_ifd_get32u(dir_entry+8,
> ImageInfo->motorola_intel);
> /* If its bigger than 4 bytes, the dir entry contains an
> offset. */
> value_ptr = offset_base+offset_val;
> - if (byte_count > IFDlength || offset_val >
> IFDlength-byte_count || value_ptr < dir_entry) {
> + /*
> + dir_entry is ImageInfo->file.list[sn].data+2+i*12
> + offset_base is ImageInfo->file.list[sn].data-dir_offset
> + dir_entry - offset_base is dir_offset+2+i*12
> + */
> + if (byte_count > IFDlength || offset_val >
> IFDlength-byte_count || value_ptr < dir_entry || offset_val <
> (size_t)(dir_entry-offset_base))
> /* It is important to check for IMAGE_FILETYPE_TIFF
> * JPEG does not use absolute pointers instead its
> pointers are
> * relative to the start of the TIFF header in
> APP1 section. */
>
>
> https://bugs.php.net/bug.php?id=65873
>
> Is this applicable to 5.3, isn't this?
> I don't understand details of this patch, but it sounds this
> is required fix for 5.3.
>
> Could anyone give clarification?
>
> Thank you.
>
It seems this has been fixed as CVE 2011-4566 partially.
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-4566
I suppose this is fix for the fix.
Any comments?
Regards,
--
Yasuo Ohgaki
yohgaki@ohgaki.net
Thread (2 messages)