sesser Wed Mar 2 13:21:46 2005 EDT Modified files: /php-src/ext/exif exif.c Log: Fixed possible bufferoverflow http://cvs.php.net/diff.php/php-src/ext/exif/exif.c?r1=1.169&r2=1.170&ty=u Index: php-src/ext/exif/exif.c diff -u php-src/ext/exif/exif.c:1.169 php-src/ext/exif/exif.c:1.170 --- php-src/ext/exif/exif.c:1.169 Wed Feb 16 18:47:38 2005 +++ php-src/ext/exif/exif.c Wed Mar 2 13:21:45 2005 @@ -17,7 +17,7 @@ +----------------------------------------------------------------------+ */ -/* $Id: exif.c,v 1.169 2005/02/16 23:47:38 sniper Exp $ */ +/* $Id: exif.c,v 1.170 2005/03/02 18:21:45 sesser Exp $ */ /* ToDos * @@ -112,7 +112,7 @@ }; /* }}} */ -#define EXIF_VERSION "1.4 $Id: exif.c,v 1.169 2005/02/16 23:47:38 sniper Exp $" +#define EXIF_VERSION "1.4 $Id: exif.c,v 1.170 2005/03/02 18:21:45 sesser Exp $" /* {{{ PHP_MINFO_FUNCTION */ @@ -2733,6 +2733,11 @@ byte_count = components * php_tiff_bytes_per_format[format]; + if ((ssize_t)byte_count < 0) { + exif_error_docref("exif_read_data#error_ifd" EXIFERR_CC, ImageInfo, E_WARNING, "Process tag(x%04X=%s): Illegal byte_count(%ld)", tag, exif_get_tagname(tag, tagname, -12, tag_table TSRMLS_CC), byte_count); + return FALSE; + } + if (byte_count > 4) { offset_val = php_ifd_get32u(dir_entry+8, ImageInfo->motorola_intel); /* If its bigger than 4 bytes, the dir entry contains an offset. */
-- PHP CVS Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php