exif int overflow patch is not applied to 5.3?

11 years ago by Yasuo Ohgaki — view source

unread

Hi all,

5.4.24/5.5.8 have this patch

diff --git a/ext/exif/exif.c b/ext/exif/exif.c
index 2fe54f7..c531d8d 100644
--- a/ext/exif/exif.c
+++ b/ext/exif/exif.c
@@ -2852,7 +2852,12 @@ static int exif_process_IFD_TAG(image_info_type
*ImageInfo, char dir_entry, cha
offset_val = php_ifd_get32u(dir_entry+8,
ImageInfo->motorola_intel);
/ If its bigger than 4 bytes, the dir entry contains an
offset. */
value_ptr = offset_base+offset_val;

          if (byte_count > IFDlength || offset_val >

IFDlength-byte_count || value_ptr < dir_entry) {

```
   /*
```

       dir_entry is ImageInfo->file.list[sn].data+2+i*12

       offset_base is ImageInfo->file.list[sn].data-dir_offset

       dir_entry - offset_base is dir_offset+2+i*12

```
   */
```

          if (byte_count > IFDlength || offset_val >

IFDlength-byte_count || value_ptr < dir_entry || offset_val <
(size_t)(dir_entry-offset_base))
/* It is important to check for IMAGE_FILETYPE_TIFF
* JPEG does not use absolute pointers instead its
pointers are
* relative to the start of the TIFF header in APP1
section. */

https://bugs.php.net/bug.php?id=65873

Is this applicable to 5.3, isn't this?
I don't understand details of this patch, but it sounds this
is required fix for 5.3.

Could anyone give clarification?

Thank you.

--
Yasuo Ohgaki
yohgaki@ohgaki.net

11 years ago by Yasuo Ohgaki — view source

unread

Hi all,

Hi all,

5.4.24/5.5.8 have this patch

diff --git a/ext/exif/exif.c b/ext/exif/exif.c
index 2fe54f7..c531d8d 100644
--- a/ext/exif/exif.c
+++ b/ext/exif/exif.c
@@ -2852,7 +2852,12 @@ static int exif_process_IFD_TAG(image_info_type
*ImageInfo, char dir_entry, cha
offset_val = php_ifd_get32u(dir_entry+8,
ImageInfo->motorola_intel);
/ If its bigger than 4 bytes, the dir entry contains an
offset. */
value_ptr = offset_base+offset_val;
          if (byte_count > IFDlength || offset_val >
IFDlength-byte_count || value_ptr < dir_entry) {
   /*
       dir_entry is ImageInfo->file.list[sn].data+2+i*12
       offset_base is ImageInfo->file.list[sn].data-dir_offset
       dir_entry - offset_base is dir_offset+2+i*12
   */
          if (byte_count > IFDlength || offset_val >
IFDlength-byte_count || value_ptr < dir_entry || offset_val <
(size_t)(dir_entry-offset_base))
/* It is important to check for IMAGE_FILETYPE_TIFF
* JPEG does not use absolute pointers instead its
pointers are
* relative to the start of the TIFF header in
APP1 section. */

https://bugs.php.net/bug.php?id=65873

Is this applicable to 5.3, isn't this?
I don't understand details of this patch, but it sounds this
is required fix for 5.3.

Could anyone give clarification?

Thank you.

It seems this has been fixed as CVE 2011-4566 partially.

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-4566

I suppose this is fix for the fix.
Any comments?

Regards,

--
Yasuo Ohgaki
yohgaki@ohgaki.net