- Fixed information leak in ext exif (discovered by Martin Noga, Matthew "j00ru" Jurczyk, Gynvael Coldwind)

author: Felipe Pena <felipensp@gmail.com> 2012-06-03 15:23:07 -0300
committer: Felipe Pena <felipensp@gmail.com> 2012-06-03 15:23:07 -0300
commit: e59b6dc0ae803d49c3f620818285f98dfb61fd57 (patch)
tree: 31fa30c69fb4dd36bf3b0ef4f4eafe1f25ac1b06
parent: 167e2fd78224887144496cdec2089cd5b2f3312d (diff)
download: php-git-e59b6dc0ae803d49c3f620818285f98dfb61fd57.tar.gz
1 files changed, 5 insertions, 1 deletions
diff --git a/ext/exif/exif.c b/ext/exif/exif.c
index 9468c2380b..604010b039 100644
--- a/ext/exif/exif.c
+++ b/ext/exif/exif.c
@@ -3278,7 +3278,7 @@ static void exif_process_APP12(image_info_type *ImageInfo, char *buffer, size_t
 	if ((l1 = php_strnlen(buffer+2, length-2)) > 0) {
 		exif_iif_add_tag(ImageInfo, SECTION_APP12, "Company", TAG_NONE, TAG_FMT_STRING, l1, buffer+2 TSRMLS_CC);
 		if (length > 2+l1+1) {
-			l2 = php_strnlen(buffer+2+l1+1, length-2-l1+1);
+			l2 = php_strnlen(buffer+2+l1+1, length-2-l1-1);
 			exif_iif_add_tag(ImageInfo, SECTION_APP12, "Info", TAG_NONE, TAG_FMT_STRING, l2, buffer+2+l1+1 TSRMLS_CC);
 		}
 	}
@@ -3428,6 +3428,10 @@ static int exif_scan_JPEG_header(image_info_type *ImageInfo TSRMLS_DC)
 			case M_SOF13:
 			case M_SOF14:
 			case M_SOF15:
+				if ((itemlen - 2) < 6) {
+					return FALSE;
+				}
+		
 				exif_process_SOFn(Data, marker, &sof_info);
 				ImageInfo->Width  = sof_info.width;
 				ImageInfo->Height = sof_info.height;
author	Felipe Pena <felipensp@gmail.com>	2012-06-03 15:23:07 -0300
committer	Felipe Pena <felipensp@gmail.com>	2012-06-03 15:23:07 -0300
commit	e59b6dc0ae803d49c3f620818285f98dfb61fd57 (patch)
tree	31fa30c69fb4dd36bf3b0ef4f4eafe1f25ac1b06
parent	167e2fd78224887144496cdec2089cd5b2f3312d (diff)
download	php-git-e59b6dc0ae803d49c3f620818285f98dfb61fd57.tar.gz