[Pkg-php-commits] [php/debian-lenny] CVE-2009-3292: multiple missing checks processing exif image data
Raphael Geissert
geissert at debian.org
Sat Nov 28 23:52:51 UTC 2009
---
debian/patches/CVE-2009-3292.patch | 57 ++++++++++++++++++++++++++++++++++++
debian/patches/series | 1 +
2 files changed, 58 insertions(+), 0 deletions(-)
create mode 100644 debian/patches/CVE-2009-3292.patch
diff --git a/debian/patches/CVE-2009-3292.patch b/debian/patches/CVE-2009-3292.patch
new file mode 100644
index 0000000..e0ca930
--- /dev/null
+++ b/debian/patches/CVE-2009-3292.patch
@@ -0,0 +1,57 @@
+Index: php/ext/exif/exif.c
+===================================================================
+--- php.orig/ext/exif/exif.c
++++ php/ext/exif/exif.c
+@@ -3247,7 +3247,7 @@ static void exif_process_APP1(image_info
+ {
+ /* Check the APP1 for Exif Identifier Code */
+ static const uchar ExifHeader[] = {0x45, 0x78, 0x69, 0x66, 0x00, 0x00};
+- if (memcmp(CharBuf+2, ExifHeader, 6)) {
++ if (length <= 8 || memcmp(CharBuf+2, ExifHeader, 6)) {
+ exif_error_docref(NULL EXIFERR_CC, ImageInfo, E_WARNING, "Incorrect APP1 Exif Identifier Code");
+ return;
+ }
+@@ -3330,8 +3330,14 @@ static int exif_scan_JPEG_header(image_i
+ }
+
+ /* Read the length of the section. */
+- lh = php_stream_getc(ImageInfo->infile);
+- ll = php_stream_getc(ImageInfo->infile);
++ if ((lh = php_stream_getc(ImageInfo->infile)) == EOF) {
++ EXIF_ERRLOG_CORRUPT(ImageInfo)
++ return FALSE;
++ }
++ if ((ll = php_stream_getc(ImageInfo->infile)) == EOF) {
++ EXIF_ERRLOG_CORRUPT(ImageInfo)
++ return FALSE;
++ }
+
+ itemlen = (lh << 8) | ll;
+
+@@ -3531,6 +3537,10 @@ static int exif_process_IFD_in_TIFF(imag
+ int entry_tag , entry_type;
+ tag_table_type tag_table = exif_get_tag_table(section_index);
+
++ if (ImageInfo->ifd_nesting_level > MAX_IFD_NESTING_LEVEL) {
++ return FALSE;
++ }
++
+ if (ImageInfo->FileSize >= dir_offset+2) {
+ sn = exif_file_sections_add(ImageInfo, M_PSEUDO, 2, NULL);
+ #ifdef EXIF_DEBUG
+@@ -3674,6 +3684,7 @@ static int exif_process_IFD_in_TIFF(imag
+ #ifdef EXIF_DEBUG
+ exif_error_docref(NULL EXIFERR_CC, ImageInfo, E_NOTICE, "Next IFD: %s @x%04X", exif_get_sectionname(sub_section_index), entry_offset);
+ #endif
++ ImageInfo->ifd_nesting_level++;
+ exif_process_IFD_in_TIFF(ImageInfo, entry_offset, sub_section_index TSRMLS_CC);
+ if (section_index!=SECTION_THUMBNAIL && entry_tag==TAG_SUB_IFD) {
+ if (ImageInfo->Thumbnail.filetype != IMAGE_FILETYPE_UNKNOWN
+@@ -3713,6 +3724,7 @@ static int exif_process_IFD_in_TIFF(imag
+ #ifdef EXIF_DEBUG
+ exif_error_docref(NULL EXIFERR_CC, ImageInfo, E_NOTICE, "Read next IFD (THUMBNAIL) at x%04X", next_offset);
+ #endif
++ ImageInfo->ifd_nesting_level++;
+ exif_process_IFD_in_TIFF(ImageInfo, next_offset, SECTION_THUMBNAIL TSRMLS_CC);
+ #ifdef EXIF_DEBUG
+ exif_error_docref(NULL EXIFERR_CC, ImageInfo, E_NOTICE, "%s THUMBNAIL @0x%04X + 0x%04X", ImageInfo->Thumbnail.data ? "Ignore" : "Read", ImageInfo->Thumbnail.offset, ImageInfo->Thumbnail.size);
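Review bot: The new `ImageInfo->ifd_nesting_level++` before each recursive `exif_process_IFD_in_TIFF` call in the last two hunks is never paired with a decrement after the call returns, so the field counts every IFD visited for the image rather than the current recursion depth, and the `> MAX_IFD_NESTING_LEVEL` guard in the third hunk is a cumulative bound; that is a stricter (and arguably safer) limit than the name suggests, but it deserves a comment at the guard such as `/* cumulative count of IFDs visited for this image, not current depth; never decremented */` so a maintainer does not "fix" it into a depth counter without realising the bound changes. Neither the `ifd_nesting_level` member nor the `MAX_IFD_NESTING_LEVEL` macro is defined anywhere in this 57-line patch, so presumably both already exist in the lenny source for the JPEG path — worth confirming, and worth confirming that the field is reset to zero per image, since a stale value from a previous image would make the limit trip early or late. The return value of both recursive calls is discarded, so when the guard fires the sub-IFD is silently skipped with no `EXIF_ERRLOG_CORRUPT`-style diagnostic; that may be intentional, but it hides the truncation from the caller. The enclosing function body continues outside each of these hunks.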
diff --git a/debian/patches/series b/debian/patches/series
index c14a636..ee2d042 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -57,3 +57,4 @@ CVE-2009-0754.patch
CVE-2009-1271.patch
CVE-2009-2687.patch
CVE-2009-2626.patch
+CVE-2009-3292.patch
--
1.6.3.3