sesser          Wed Mar  2 13:21:46 2005 EDT

  Modified files:              
    /php-src/ext/exif   exif.c 
  Log:
  Fixed possible buffer overflow
  
  
  
http://cvs.php.net/diff.php/php-src/ext/exif/exif.c?r1=1.169&r2=1.170&ty=u
Index: php-src/ext/exif/exif.c
diff -u php-src/ext/exif/exif.c:1.169 php-src/ext/exif/exif.c:1.170
--- php-src/ext/exif/exif.c:1.169       Wed Feb 16 18:47:38 2005
+++ php-src/ext/exif/exif.c     Wed Mar  2 13:21:45 2005
@@ -17,7 +17,7 @@
    +----------------------------------------------------------------------+
  */
 
-/* $Id: exif.c,v 1.169 2005/02/16 23:47:38 sniper Exp $ */
+/* $Id: exif.c,v 1.170 2005/03/02 18:21:45 sesser Exp $ */
 
 /*  ToDos
  *
@@ -112,7 +112,7 @@
 };
 /* }}} */
 
-#define EXIF_VERSION "1.4 $Id: exif.c,v 1.169 2005/02/16 23:47:38 sniper Exp $"
+#define EXIF_VERSION "1.4 $Id: exif.c,v 1.170 2005/03/02 18:21:45 sesser Exp $"
 
 /* {{{ PHP_MINFO_FUNCTION
  */
@@ -2733,6 +2733,11 @@
 
        byte_count = components * php_tiff_bytes_per_format[format];
 
+       if ((ssize_t)byte_count < 0) {
+               exif_error_docref("exif_read_data#error_ifd" EXIFERR_CC, 
ImageInfo, E_WARNING, "Process tag(x%04X=%s): Illegal byte_count(%ld)", tag, 
exif_get_tagname(tag, tagname, -12, tag_table TSRMLS_CC), byte_count);
+               return FALSE;
+       }
+
        if (byte_count > 4) {
                offset_val = php_ifd_get32u(dir_entry+8, 
ImageInfo->motorola_intel);
                /* If its bigger than 4 bytes, the dir entry contains an 
offset. */
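Review bot: The added `(ssize_t)byte_count < 0` test runs only after `components * php_tiff_bytes_per_format[format]` has been computed, so it rejects just those products whose top bit ends up set. A file-supplied component count large enough to wrap the multiplication to a small positive value would still pass and continue into the `byte_count > 4` offset path. I would bound the operands before multiplying, for example `if (components < 0 || components > INT_MAX / php_tiff_bytes_per_format[format]) { /* warn */ return FALSE; }`, assuming every table entry is non-zero. The declarations of `components` and `byte_count` lie outside the hunk, so the exact types and casts need confirming. For the same reason the `%ld` in the new warning should be checked against the declared type of `byte_count`, since the `ssize_t` cast suggests it may not be a `long`.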
