
Fix OSS-Fuzz #442954659: zero-size box in HEIF file causes infinite loop (#19724)

If the box size is 0, the loop can't progress.
Niels Dossche
2025-09-12 09:28:43 +02:00
committed by GitHub
parent 3e9caf5338
commit 1d131f859f
4 changed files with 24 additions and 0 deletions

NEWS

@@ -8,6 +8,10 @@ PHP NEWS
. The __sleep() and __wakeup() magic methods have been deprecated. (Girgias)
. Fixed hard_timeout with --enable-zend-max-execution-timers. (Appla)
- Exif:
. Fix OSS-Fuzz #442954659 (zero-size box in HEIF file causes infinite loop).
(nielsdos)
- Opcache:
. Fixed bug GH-19669 (assertion failure in zend_jit_trace_type_to_info_ex).
(Arnaud)


@@ -4291,6 +4291,7 @@ static bool exif_process_IFD_in_TIFF(image_info_type *ImageInfo, size_t dir_offs
return result;
}
/* Returns the size of the header, which must be smaller than the size of the box. */
static int exif_isobmff_parse_box(unsigned char *buf, isobmff_box_type *box)
{
box->size = php_ifd_get32u(buf, 1);
@@ -4312,6 +4313,9 @@ static void exif_isobmff_parse_meta(unsigned char *data, unsigned char *end, iso
for (box_offset = data + 4; box_offset + 16 < end; box_offset += box.size) {
header_size = exif_isobmff_parse_box(box_offset, &box);
if (box.size < header_size) {
return;
}
if (box.type == FOURCC("iinf")) {
p = box_offset + header_size;
if (p >= end) {
@@ -4334,6 +4338,9 @@ static void exif_isobmff_parse_meta(unsigned char *data, unsigned char *end, iso
}
for (i = 0; i < item_count && p + 20 < end; i++) {
header_size = exif_isobmff_parse_box(p, &item);
if (item.size < header_size) {
return;
}
if (p + header_size + 12 >= end) {
return;
}
@@ -4396,6 +4403,9 @@ static bool exif_scan_HEIF_header(image_info_type *ImageInfo, unsigned char *buf
break;
}
box_header_size = exif_isobmff_parse_box(buf, &box);
if (box.size < box_header_size) {
break;
}
if (box.type == FOURCC("meta")) {
limit = box.size - box_header_size;
if (limit < 36) {
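Review bot: The new guard `if (box.size < header_size) return;` at the head of both loops in exif_isobmff_parse_meta (and its `break` twin in exif_scan_HEIF_header) only guarantees loop progress if exif_isobmff_parse_box never returns 0; that function's body is outside this view, so if it can report an unrecognised or truncated header as 0, a box with size 0 still passes the check and `box_offset += box.size` stalls exactly as before. Writing the guard as `if (header_size <= 0 || box.size < header_size) return;` makes the termination argument local to the loop instead of relying on the parser's contract; alternatively the comment added above exif_isobmff_parse_box could state the minimum value it returns, e.g. `/* Returns the size of the header (always >= 8), which must be smaller than the size of the box. */` if that is indeed the case. header_size is also a signed `int` compared against box.size, which is benign only while the return stays non-negative, so the three identical checks would be better folded into one helper that returns false for an ill-formed box, keeping the invariant in a single place. The enclosing functions begin and end outside these hunks.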



@@ -0,0 +1,10 @@
--TEST--
OSS-Fuzz #442954659 (zero-size box in HEIF file causes infinite loop)
--EXTENSIONS--
exif
--FILE--
<?php
exif_read_data(__DIR__."/input");
?>
--EXPECTF--
Warning: exif_read_data(%s): Invalid HEIF file in %s on line %d