diff options
| author | Stanislav Malyshev <stas@php.net> | 2014-05-11 19:09:19 -0700 |
|---|---|---|
| committer | Stanislav Malyshev <stas@php.net> | 2014-07-18 16:02:52 -0700 |
| commit | d4b67896ecb248796a0493a9d6205b22c7dff4e2 (patch) | |
| tree | 6f87951333d798ef168565198b2ef2d600d1cb33 | |
| parent | 84605098bc81517919ecb43935682fdd8a249f9d (diff) | |
| download | php-git-d4b67896ecb248796a0493a9d6205b22c7dff4e2.tar.gz | |
Fix bug #67250 (iptcparse out-of-bounds read)
| -rw-r--r-- | ext/standard/iptc.c | 3 | ||||
| -rw-r--r-- | ext/standard/tests/image/bug67250.phpt | 8 |
2 files changed, 11 insertions, 0 deletions
diff --git a/ext/standard/iptc.c b/ext/standard/iptc.c index 420111e731..e3190d5633 100644 --- a/ext/standard/iptc.c +++ b/ext/standard/iptc.c @@ -335,6 +335,9 @@ PHP_FUNCTION(iptcparse) recnum = buffer[ inx++ ]; if (buffer[ inx ] & (unsigned char) 0x80) { /* long tag */ + if((inx+6) >= str_len) { + break; + } len = (((long) buffer[ inx + 2 ]) << 24) + (((long) buffer[ inx + 3 ]) << 16) + (((long) buffer[ inx + 4 ]) << 8) + (((long) buffer[ inx + 5 ])); inx += 6; diff --git a/ext/standard/tests/image/bug67250.phpt b/ext/standard/tests/image/bug67250.phpt new file mode 100644 index 0000000000..607de9f3b6 --- /dev/null +++ b/ext/standard/tests/image/bug67250.phpt @@ -0,0 +1,8 @@ +--TEST-- +Bug #67250 (iptcparse out-of-bounds read) +--FILE-- +<?php +var_dump(iptcparse("\x1C\x02_\x80___")); +?> +--EXPECT-- +bool(false) |