Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:70101
Return-Path: <rasmus@lerdorf.com>
Mailing-List: contact internals-help@lists.php.net; run by ezmlm
Delivered-To: mailing list internals@lists.php.net
Received: (qmail 38695 invoked from network); 12 Nov 2013 05:19:45 -0000
Received: from unknown (HELO lists.php.net) (127.0.0.1)
  by localhost with SMTP; 12 Nov 2013 05:19:45 -0000
Authentication-Results: pb1.pair.com smtp.mail=rasmus@lerdorf.com; spf=permerror; sender-id=unknown
Authentication-Results: pb1.pair.com header.from=rasmus@lerdorf.com; sender-id=unknown
Received-SPF: error (pb1.pair.com: domain lerdorf.com from 209.85.192.174 cause and error)
X-PHP-List-Original-Sender: rasmus@lerdorf.com
X-Host-Fingerprint: 209.85.192.174 mail-pd0-f174.google.com  
Received: from [209.85.192.174] ([209.85.192.174:57880] helo=mail-pd0-f174.google.com)
	by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP
	id 36/00-38442-07AB1825 for <internals@lists.php.net>; Tue, 12 Nov 2013 00:19:44 -0500
Received: by mail-pd0-f174.google.com with SMTP id z10so6357722pdj.19
        for <internals@lists.php.net>; Mon, 11 Nov 2013 21:19:41 -0800 (PST)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20130820;
        h=x-gm-message-state:message-id:date:from:user-agent:mime-version:to
         :subject:references:in-reply-to:content-type
         :content-transfer-encoding;
        bh=bGsIUQm8k4CuBWHON/bDz2MPJMrz8a+J0SVYOjvTuuw=;
        b=Hn118sY79+pZjiztGD8Cn9ZogLtle+MoVoA6pFUJ5h6QGG7+EzqKCsWi11s6MH+dFS
         n/bwZme0ckVpSaq80ktN1Diq56iD0pl3fsYtY5LBX60tEV76WzwAGfWduABdqZfC42a7
         S0e5+xF3L4r/dA2DlmKnmFgFAUY1OueolilvxoVC/7VbAwsiHiWdUi5MPTU9IN/8r24S
         xlBFxlLFgvR6FMzA22WuUMNcuzjAP/UAYwmXLi4SINIfzU0An3ZsQU9kvnVweKofEjS2
         P5/i5pGHX46j8rSQLwKv6O8c2T2bUTMotq/8xKqWpRRTgAnK/s4FzEnBZXlK2gyAeRNO
         dhMw==
X-Gm-Message-State: ALoCoQkzp4jU0/XHkldFQvjRWGEkORD+sQgSI4JR/IeplhwsarADR5lxwylKR2/lRf0tCzgDEtCY
X-Received: by 10.67.23.164 with SMTP id ib4mr34949050pad.42.1384233581604;
        Mon, 11 Nov 2013 21:19:41 -0800 (PST)
Received: from [192.168.200.14] (c-50-131-44-225.hsd1.ca.comcast.net. [50.131.44.225])
        by mx.google.com with ESMTPSA id j9sm40649075paj.18.2013.11.11.21.19.40
        for <multiple recipients>
        (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128);
        Mon, 11 Nov 2013 21:19:40 -0800 (PST)
Message-ID: <5281BA6B.6040403@lerdorf.com>
Date: Mon, 11 Nov 2013 21:19:39 -0800
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Thunderbird/24.1.0
MIME-Version: 1.0
To: Tim Starling <tstarling@wikimedia.org>, 
 internals Mailing List <internals@lists.php.net>
References: <5281AE1C.4040108@wikimedia.org>
In-Reply-To: <5281AE1C.4040108@wikimedia.org>
X-Enigmail-Version: 1.6
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 7bit
Subject: Re: [PHP-DEV] EXIF integer overflow again
From: rasmus@lerdorf.com (Rasmus Lerdorf)

On 11/11/2013 08:27 PM, Tim Starling wrote:
> Hi,
> 
> I just wanted to plug https://bugs.php.net/bug.php?id=65873 , since
> it's been a month since I filed it and I've only had silence in
> response, despite sending a private email to Stas about it.
> 
> Sam Reed has reproduced this crash with two different PHP builds, with
> no special configuration. CVE-2011-4566 (bug 60150) was from the same
> line of code, which is kind of ridiculous. It'd be nice if someone
> could have a closer look at the extension as a whole this time around,
> maybe get rid of those offset_base pointers, rather than just doing a
> one-line patch.

I think you just volunteered.

-Rasmus