Newsgroups: php.internals
Subject: EXIF integer overflow again
From: tstarling@wikimedia.org (Tim Starling)
To: internals Mailing List
Date: Tue, 12 Nov 2013 15:27:08 +1100
Message-ID: <5281AE1C.4040108@wikimedia.org>

Hi,

I just wanted to plug https://bugs.php.net/bug.php?id=65873, since it's been a month since I filed it and I've only had silence in response, despite sending a private email to Stas about it.

Sam Reed has reproduced this crash with two different PHP builds, with no special configuration.

CVE-2011-4566 (bug 60150) was from the same line of code, which is kind of ridiculous. It'd be nice if someone could have a closer look at the extension as a whole this time around, maybe get rid of those offset_base pointers, rather than just doing a one-line patch.

-- 
Tim Starling
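The bug class the message is about, an integer overflow in the offset/length bounds check of an IFD-style reader, shown as an added C example. This is not PHP's ext/exif code and not something posted in this thread: the record layout (a 4-byte offset relative to the blob start, the role offset_base plays in exif.c, then a 4-byte length, then payload), the sample bytes and the function names naive_in_bounds, safe_in_bounds, build_blob, evaluate and copy_entry are all constructed for illustration. The point is the shape of the check: the naive form adds an attacker-controlled offset to a length and compares the wrapped sum, the hardened form compares each operand against the space remaining so no addition can overflow.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example, not PHP's ext/exif code. The record layout is a constructed,
 * hypothetical stand-in for an IFD entry: a 4-byte little-endian offset
 * (relative to the start of the blob, as offset_base is used in exif.c),
 * a 4-byte little-endian length, then payload bytes. */
#define HDR_LEN      8u
#define PAYLOAD_LEN 16u

static uint32_t rd32le(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

static void wr32le(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)v;         p[1] = (uint8_t)(v >> 8);
    p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* Naive bounds check, as it is commonly written. The sum is computed in
 * 32-bit unsigned arithmetic (the same happens with size_t on a 32-bit
 * build), so offset + length wraps modulo 2^32 and a huge offset passes. */
int naive_in_bounds(uint32_t offset, uint32_t length, uint32_t blob_len) {
    return offset + length <= blob_len;   /* BUG: the sum can wrap */
}

/* Hardened check: never form the sum. Each operand is compared against the
 * space that remains, which cannot overflow. */
int safe_in_bounds(uint32_t offset, uint32_t length, uint32_t blob_len) {
    if (offset > blob_len) return 0;
    return length <= blob_len - offset;
}

/* Build a constructed blob: header with the given offset/length, then
 * PAYLOAD_LEN bytes of 0xA5. Returns the total blob length (24). */
uint32_t build_blob(uint8_t *out, uint32_t offset, uint32_t length) {
    wr32le(out, offset);
    wr32le(out + 4, length);
    memset(out + HDR_LEN, 0xA5, PAYLOAD_LEN);
    return HDR_LEN + PAYLOAD_LEN;
}

/* Parse a constructed blob and run one of the two checks on its entry.
 * Returns 1 if the entry is accepted, 0 if rejected. */
int evaluate(uint32_t offset, uint32_t length, int use_safe) {
    uint8_t blob[HDR_LEN + PAYLOAD_LEN];
    uint32_t n   = build_blob(blob, offset, length);
    uint32_t off = rd32le(blob), len = rd32le(blob + 4);
    return use_safe ? safe_in_bounds(off, len, n) : naive_in_bounds(off, len, n);
}

/* Copy the entry's payload out, running the hardened check before the
 * pointer arithmetic (offset_base + off) happens. Returns the number of
 * bytes copied, or -1 if the entry was rejected or does not fit in out. */
int copy_entry(uint32_t offset, uint32_t length, uint8_t *out, size_t out_cap) {
    uint8_t blob[HDR_LEN + PAYLOAD_LEN];
    uint32_t n = build_blob(blob, offset, length);
    const uint8_t *offset_base = blob;
    uint32_t off = rd32le(blob), len = rd32le(blob + 4);
    if (!safe_in_bounds(off, len, n) || len > out_cap) return -1;
    memcpy(out, offset_base + off, len);  /* [off, off+len) is inside blob */
    return (int)len;
}

int main(void) {
    /* Benign entry: payload starts right after the header, both checks accept. */
    printf("benign   naive=%d safe=%d\n", evaluate(8, 16, 0), evaluate(8, 16, 1));
    /* Hostile entry: offset near 2^32 makes offset+length wrap to 0x10. */
    printf("wrapped  naive=%d safe=%d\n",
           evaluate(0xFFFFFFF0u, 0x20, 0), evaluate(0xFFFFFFF0u, 0x20, 1));
    /* Over-long entry: one byte past the end, both checks reject it. */
    printf("overlong naive=%d safe=%d\n", evaluate(8, 17, 0), evaluate(8, 17, 1));
    return 0;
}
```

The wrapped case is the one that matters: with offset 0xFFFFFFF0 and length 0x20 the naive sum is 0x10, so the entry "fits" in a 24-byte blob and the subsequent offset_base + off read lands far outside it, while the hardened check rejects it on the first comparison. Keeping every offset as an index validated against the remaining length, rather than carrying base pointers around and adding to them, is what makes the second form easy to audit.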