[Pkg-php-commits] [php/debian-squeeze] Fix incorrect cast on 64-bit platforms in exif.c (CVE-2011-0708)

Ondřej Surý ondrej at sury.org
Sat May 14 09:35:41 UTC 2011


---
 debian/patches/CVE-2011-0708.patch |   77 ++++++++++++++++++++++++++++++++++++
 debian/patches/series              |    1 +
 2 files changed, 78 insertions(+), 0 deletions(-)
 create mode 100644 debian/patches/CVE-2011-0708.patch

diff --git a/debian/patches/CVE-2011-0708.patch b/debian/patches/CVE-2011-0708.patch
new file mode 100644
index 0000000..94ea796
--- /dev/null
+++ b/debian/patches/CVE-2011-0708.patch
@@ -0,0 +1,77 @@
+--- /dev/null
++++ b/ext/exif/tests/bug54002.phpt
+@@ -0,0 +1,20 @@
++--TEST--
++Bug #54002 (crash on crafted tag)
++--INI--
++memory_limit=-1
++--SKIPIF--
++<?php if (!extension_loaded('exif')) print 'skip exif extension not available';?>
++--FILE--
++<?php
++exif_read_data(__DIR__ . '/bug54002_1.jpeg');
++exif_read_data(__DIR__ . '/bug54002_2.jpeg');
++
++?>
++--EXPECTF--
++Warning: exif_read_data(bug54002_1.jpeg): Process tag(x0205=UndefinedTa): Illegal byte_count(8) in %sbug54002.php on line %d
++
++Warning: exif_read_data(bug54002_1.jpeg): Process tag(xA000=FlashPixVer): Illegal pointer offset(%s) in %sbug54002.php on line %d
++
++Warning: exif_read_data(bug54002_2.jpeg): Process tag(x0205=UndefinedTa): Illegal byte_count(8) in %sbug54002.php on line %d
++
++Warning: exif_read_data(bug54002_2.jpeg): Process tag(xA000=FlashPixVer): Illegal pointer offset(%s) in %sbug54002.php on line %d
+--- a/ext/exif/exif.c
++++ b/ext/exif/exif.c
+@@ -40,6 +40,10 @@
+ #include "php.h"
+ #include "ext/standard/file.h"
+ 
++#ifdef PHP_WIN32
++include "win32/php_stdint.h"
++#endif
++
+ #if HAVE_EXIF
+ 
+ /* When EXIF_DEBUG is defined the module generates a lot of debug messages
+@@ -2821,6 +2825,7 @@ static int exif_process_IFD_TAG(image_in
+ 	int tag, format, components;
+ 	char *value_ptr, tagname[64], cbuf[32], *outside=NULL;
+ 	size_t byte_count, offset_val, fpos, fgot;
++	int64_t byte_count_signed;
+ 	xp_field_type *tmp_xp;
+ #ifdef EXIF_DEBUG
+ 	char *dump_data;
+@@ -2845,13 +2850,20 @@ static int exif_process_IFD_TAG(image_in
+ 		/*return TRUE;*/
+ 	}
+ 
+-	byte_count = components * php_tiff_bytes_per_format[format];
++	if (components < 0) {
++		exif_error_docref("exif_read_data#error_ifd" EXIFERR_CC, ImageInfo, E_WARNING, "Process tag(x%04X=%s): Illegal byte_count(%ld)", tag, exif_get_tagname(tag, tagname, -12, tag_table TSRMLS_CC), byte_count);
++		return FALSE;
++	}
++
++	byte_count_signed = (int64_t)components * php_tiff_bytes_per_format[format];
+ 
+-	if ((ssize_t)byte_count < 0) {
++	if (byte_count_signed < 0 || (byte_count_signed > 2147483648)) {
+ 		exif_error_docref("exif_read_data#error_ifd" EXIFERR_CC, ImageInfo, E_WARNING, "Process tag(x%04X=%s): Illegal byte_count(%ld)", tag, exif_get_tagname(tag, tagname, -12, tag_table TSRMLS_CC), byte_count);
+ 		return FALSE;
+ 	}
+ 
++	byte_count = (size_t)byte_count_signed;
++
+ 	if (byte_count > 4) {
+ 		offset_val = php_ifd_get32u(dir_entry+8, ImageInfo->motorola_intel);
+ 		/* If its bigger than 4 bytes, the dir entry contains an offset. */
+@@ -2916,6 +2928,7 @@ static int exif_process_IFD_TAG(image_in
+ 		efree(dump_data);
+ 	}
+ #endif
++
+ 	if (section_index==SECTION_THUMBNAIL) {
+ 		if (!ImageInfo->Thumbnail.data) {
+ 			switch(tag) {
+Binary files /dev/null and b/ext/exif/tests/bug54002_1.jpeg differ
+Binary files /dev/null and b/ext/exif/tests/bug54002_2.jpeg differ
diff --git a/debian/patches/series b/debian/patches/series
index e5ae765..15eb5f2 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -90,3 +90,4 @@ fix-segfault-when-node-is-NULL-in-simplexml.patch
 fix-sqlite3-columnName-segfaults-on-bad-column_number.patch
 CVE-2011-0421.patch
 CVE-2011-1153.patch
+CVE-2011-0708.patch
-- 
1.7.1




