diff options
| author | Stanislav Malyshev <stas@php.net> | 2019-07-29 13:20:44 -0700 | 
|---|---|---|
| committer | Stanislav Malyshev <stas@php.net> | 2019-07-29 13:20:44 -0700 | 
| commit | d69894734d0cc778f9dd7adcd60d9bd27f6af4be (patch) | |
| tree | c9a7a70c6277ee01ea49274b294be4617310d201 /ext/exif/exif.c | |
| parent | 44fe025c2839b9da51c3b0a0ea90382ac9c14fd4 (diff) | |
| parent | 284fb08fdc7465db6ed550b088bc0e7d38ddac4e (diff) | |
| download | php-git-d69894734d0cc778f9dd7adcd60d9bd27f6af4be.tar.gz | |
Merge branch 'PHP-7.2' into PHP-7.3
* PHP-7.2:
  Fix #77919: Potential UAF in Phar RSHUTDOWN
  Update NEWS
  Fix bug #78256 (heap-buffer-overflow on exif_process_user_comment)
  Fix bug #78222 (heap-buffer-overflow on exif_scan_thumbnail)
Diffstat (limited to 'ext/exif/exif.c')
| -rw-r--r-- | ext/exif/exif.c | 6 | 
1 files changed, 3 insertions, 3 deletions
| diff --git a/ext/exif/exif.c b/ext/exif/exif.c index 325711692a..a337775923 100644 --- a/ext/exif/exif.c +++ b/ext/exif/exif.c @@ -3029,11 +3029,11 @@ static int exif_process_user_comment(image_info_type *ImageInfo, char **pszInfoP  			/* First try to detect BOM: ZERO WIDTH NOBREAK SPACE (FEFF 16)  			 * since we have no encoding support for the BOM yet we skip that.  			 */ -			if (!memcmp(szValuePtr, "\xFE\xFF", 2)) { +			if (ByteCount >=2 && !memcmp(szValuePtr, "\xFE\xFF", 2)) {  				decode = "UCS-2BE";  				szValuePtr = szValuePtr+2;  				ByteCount -= 2; -			} else if (!memcmp(szValuePtr, "\xFF\xFE", 2)) { +			} else if (ByteCount >=2 && !memcmp(szValuePtr, "\xFF\xFE", 2)) {  				decode = "UCS-2LE";  				szValuePtr = szValuePtr+2;  				ByteCount -= 2; @@ -3906,7 +3906,7 @@ static int exif_scan_thumbnail(image_info_type *ImageInfo)  	size_t          length=2, pos=0;  	jpeg_sof_info   sof_info; -	if (!data) { +	if (!data || ImageInfo->Thumbnail.size < 4) {  		return FALSE; /* nothing to do here */  	}  	if (memcmp(data, "\xFF\xD8\xFF", 3)) { | 
