mirror of
https://github.com/php/php-src.git
synced 2026-03-24 00:02:20 +01:00
6a0da6dc2e
When pos.size is less than 2, the subtraction pos.size - 2 causes an unsigned integer underflow, resulting in a ~4GB allocation attempt. Add minimum size check (pos.size >= 2) to prevent the underflow. Closes GH-20630.
20 lines
554 B
PHP
20 lines
554 B
PHP
--TEST--
|
|
HEIC iloc extent_length underflow
|
|
--EXTENSIONS--
|
|
exif
|
|
--FILE--
|
|
<?php
|
|
// Read valid HEIC file and patch iloc extent_length to 1
|
|
$data = file_get_contents(__DIR__."/image029.heic");
|
|
$data = substr_replace($data, "\x00\x00\x00\x01", 0x4f8, 4);
|
|
file_put_contents(__DIR__."/heic_iloc_underflow.heic", $data);
|
|
var_dump(exif_read_data(__DIR__."/heic_iloc_underflow.heic"));
|
|
?>
|
|
--CLEAN--
|
|
<?php
|
|
@unlink(__DIR__."/heic_iloc_underflow.heic");
|
|
?>
|
|
--EXPECTF--
|
|
Warning: exif_read_data(heic_iloc_underflow.heic): Invalid HEIF file in %s on line %d
|
|
bool(false)
|