Newsgroups: php.internals
Xref: news.php.net php.internals:71076
Subject: Re: exif int overflow patch is not applied to 5.3?
From: yohgaki@ohgaki.net (Yasuo Ohgaki)
To: "internals@lists.php.net"
Date: Sun, 12 Jan 2014 12:23:13 +0900

Hi all,

On Sun, Jan 12, 2014 at 8:17 AM, Yasuo Ohgaki wrote:
> Hi all,
>
> 5.4.24/5.5.8 have this patch
>
> diff --git a/ext/exif/exif.c b/ext/exif/exif.c
> index 2fe54f7..c531d8d 100644
> --- a/ext/exif/exif.c
> +++ b/ext/exif/exif.c
> @@ -2852,7 +2852,12 @@ static int exif_process_IFD_TAG(image_info_type
> *ImageInfo, char *dir_entry, cha
> offset_val = php_ifd_get32u(dir_entry+8,
> ImageInfo->motorola_intel);
> /* If its bigger than 4 bytes, the dir entry contains an
> offset. */
> value_ptr = offset_base+offset_val;
> - if (byte_count > IFDlength || offset_val >
> IFDlength-byte_count || value_ptr < dir_entry) {
> + /*
> + dir_entry is ImageInfo->file.list[sn].data+2+i*12
> + offset_base is ImageInfo->file.list[sn].data-dir_offset
> + dir_entry - offset_base is dir_offset+2+i*12
> + */
> + if (byte_count > IFDlength || offset_val >
> IFDlength-byte_count || value_ptr < dir_entry || offset_val <
> (size_t)(dir_entry-offset_base))
> /* It is important to check for IMAGE_FILETYPE_TIFF
> * JPEG does not use absolute pointers instead its
> pointers are
> * relative to the start of the TIFF header in
> APP1 section. */
>
>
> https://bugs.php.net/bug.php?id=65873
>
> This is applicable to 5.3, isn't it?
> I don't understand the details of this patch, but it sounds like this
> is a required fix for 5.3.
>
> Could anyone give clarification?
>
> Thank you.
>

It seems this has been partially fixed as CVE-2011-4566.
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-4566

I suppose this is a fix for the fix.

Any comments?

Regards,

--
Yasuo Ohgaki
yohgaki@ohgaki.net
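Review bot: in the quoted hunk, the new `offset_val < (size_t)(dir_entry-offset_base)` term on the `+ if` line restates the retained `value_ptr < dir_entry` pointer comparison in integer arithmetic, but the added comment only lists the three identities and never says why a second form is kept; it should state the reason, namely that `value_ptr = offset_base+offset_val` can wrap for a large 32-bit offset_val read from the file by php_ifd_get32u, so the pointer comparison can pass while the size_t comparison on the offset itself still rejects it, otherwise a later cleanup may drop one of the two as redundant. Also, the removed `- if` line ends with `{` while the replacement `+ if` line as quoted does not; confirm that the brace was lost in mail wrapping rather than in the patch, since without it the `if` would guard only the next statement instead of the block.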