Fix bug #78222 (heap-buffer-overflow on exif_scan_thumbnail)

smalyshev · cmb69 · commit f22101c83086 · 2019-07-30T09:11:53.000+02:00
(cherry picked from commit dea2989)
diff --git a/NEWS b/NEWS
@@ -2,6 +2,10 @@ PHP                                                                        NEWS
 |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
 ?? ??? ????, PHP 7.3.8
 
+- EXIF:
+  . Fixed bug #78222 (heap-buffer-overflow on exif_scan_thumbnail).
+    (CVE-2019-11041) (Stas)
+
 - OPcache:
   . Fixed bug #78341 (Failure to detect smart branch in DFA pass). (Nikita)
 
diff --git a/ext/exif/exif.c b/ext/exif/exif.c
@@ -3892,7 +3892,7 @@ static int exif_scan_thumbnail(image_info_type *ImageInfo)
 	size_t          length=2, pos=0;
 	jpeg_sof_info   sof_info;
 
-	if (!data) {
+	if (!data || ImageInfo->Thumbnail.size < 4) {
 		return FALSE; /* nothing to do here */
 	}
 	if (memcmp(data, "\xFF\xD8\xFF", 3)) {
diff --git a/ext/exif/tests/bug78222.jpg b/ext/exif/tests/bug78222.jpg
diff --git a/ext/exif/tests/bug78222.phpt b/ext/exif/tests/bug78222.phpt
@@ -0,0 +1,11 @@
+--TEST--
+Bug #78222 (heap-buffer-overflow on exif_scan_thumbnail)
+--SKIPIF--
+<?php if (!extension_loaded('exif')) print 'skip exif extension not available';?>
+--FILE--
+<?php
+exif_read_data(__DIR__."/bug78222.jpg", 'THUMBNAIL', FALSE, TRUE);
+?>
+DONE
+--EXPECTF--
+DONE

Original file line number	Diff line number	Diff line change
`@@ -3892,7 +3892,7 @@ static int exif_scan_thumbnail(image_info_type *ImageInfo)`
`3892`	`3892`	`size_t length=2, pos=0;`
`3893`	`3893`	`jpeg_sof_info sof_info;`
`3894`	`3894`
`3895`		`- if (!data) {`
	`3895`	`+ if (!data \|\| ImageInfo->Thumbnail.size < 4) {`
`3896`	`3896`	`return FALSE; /* nothing to do here */`
`3897`	`3897`	`}`
`3898`	`3898`	`if (memcmp(data, "\xFF\xD8\xFF", 3)) {`