Fix bug #67250 (iptcparse out-of-bounds read)

2026-04-03 14:12:38 +02:00 · 2014-05-11 19:09:19 -07:00
parent 84605098bc
commit d4b67896ec
2 changed files with 11 additions and 0 deletions
--- a/ext/standard/iptc.c
+++ b/ext/standard/iptc.c
@@ -335,6 +335,9 @@ PHP_FUNCTION(iptcparse)
 		recnum = buffer[ inx++ ];

 		if (buffer[ inx ] & (unsigned char) 0x80) { /* long tag */
+            if((inx+6) >= str_len) {
+                break;
+            }
 			len = (((long) buffer[ inx + 2 ]) << 24) + (((long) buffer[ inx + 3 ]) << 16) + 
 				  (((long) buffer[ inx + 4 ]) <<  8) + (((long) buffer[ inx + 5 ]));
 			inx += 6;
--- a/ext/standard/tests/image/bug67250.phpt
+++ b/ext/standard/tests/image/bug67250.phpt
@@ -0,0 +1,8 @@
+--TEST--
+Bug #67250 (iptcparse out-of-bounds read)
+--FILE--
+<?php
+var_dump(iptcparse("\x1C\x02_\x80___"));
+?>
+--EXPECT--
+bool(false)