Merge branch 'PHP-5.5' into PHP-5.6

* PHP-5.5: Fix bug #65873 - Integer overflow in exif_read_data()
2026-03-28 18:22:42 +01:00 · 2013-12-16 11:37:29 -08:00
parent 85a10166e1 57408f9c85
commit de4a2c3cbd
1 changed files with 6 additions and 1 deletions
--- a/ext/exif/exif.c
+++ b/ext/exif/exif.c
@@ -2842,7 +2842,12 @@ static int exif_process_IFD_TAG(image_info_type *ImageInfo, char *dir_entry, cha
 		offset_val = php_ifd_get32u(dir_entry+8, ImageInfo->motorola_intel);
 		/* If its bigger than 4 bytes, the dir entry contains an offset. */
 		value_ptr = offset_base+offset_val;
-		if (byte_count > IFDlength || offset_val > IFDlength-byte_count || value_ptr < dir_entry) {
+        /* 
+            dir_entry is ImageInfo->file.list[sn].data+2+i*12
+            offset_base is ImageInfo->file.list[sn].data-dir_offset 
+            dir_entry - offset_base is dir_offset+2+i*12
+        */
+		if (byte_count > IFDlength || offset_val > IFDlength-byte_count || value_ptr < dir_entry || offset_val < (size_t)(dir_entry-offset_base)) {
 			/* It is important to check for IMAGE_FILETYPE_TIFF
 			 * JPEG does not use absolute pointers instead its pointers are
 			 * relative to the start of the TIFF header in APP1 section. */