1 |
commit: 61e682ea2f4a7084235b814159f1db1b23878abe |
2 |
Author: Brian Evans <grknight <AT> gentoo <DOT> org> |
3 |
AuthorDate: Thu May 2 12:53:54 2019 +0000 |
4 |
Commit: Brian Evans <grknight <AT> gentoo <DOT> org> |
5 |
CommitDate: Thu May 2 12:53:54 2019 +0000 |
6 |
URL: https://gitweb.gentoo.org/proj/php-patches.git/commit/?id=61e682ea |
7 |
|
8 |
Add backports from php 7.1.29 |
9 |
|
10 |
Signed-off-by: Brian Evans <grknight <AT> gentoo.org> |
11 |
|
12 |
00170_May2019-backports.patch | 52 ++++++++++++++++++++++++++++++++++++++++++ |
13 |
bug77950.tiff | Bin 0 -> 1267 bytes |
14 |
2 files changed, 52 insertions(+) |
15 |
|
16 |
diff --git a/00170_May2019-backports.patch b/00170_May2019-backports.patch |
17 |
new file mode 100644 |
18 |
index 0000000..463768f |
19 |
--- /dev/null |
20 |
+++ b/00170_May2019-backports.patch |
21 |
@@ -0,0 +1,52 @@ |
22 |
+From 7cbf6a0ca98a187be1b31b1e85935319430d9e61 Mon Sep 17 00:00:00 2001 |
23 |
+From: Stanislav Malyshev <stas@×××.net> |
24 |
+Date: Mon, 29 Apr 2019 23:38:12 -0700 |
25 |
+Subject: [PATCH] Fix bug #77950 - Heap-buffer-overflow in _estrndup via |
26 |
+ exif_process_IFD_TAG |
27 |
+ |
28 |
+I do not completely understand what is going on there, but I am pretty |
29 |
+sure dir_entry <= offset_base if not a normal situation, so we better not |
30 |
+to rely on such dir_entry. |
31 |
+ |
32 |
+(cherry picked from commit f80ad18afae2230c2c1802c7d829100af646874e) |
33 |
+--- |
34 |
+ NEWS | 12 ++++++++++-- |
35 |
+ ext/exif/exif.c | 2 +- |
36 |
+ ext/exif/tests/bug77950.phpt | 12 ++++++++++++ |
37 |
+ ext/exif/tests/bug77950.tiff | Bin 0 -> 1267 bytes |
38 |
+ 4 files changed, 23 insertions(+), 3 deletions(-) |
39 |
+ create mode 100644 ext/exif/tests/bug77950.phpt |
40 |
+ create mode 100644 ext/exif/tests/bug77950.tiff |
41 |
+ |
42 |
+diff --git a/ext/exif/exif.c b/ext/exif/exif.c |
43 |
+index 81cf438a8e..15e091b6c5 100644 |
44 |
+--- a/ext/exif/exif.c |
45 |
++++ b/ext/exif/exif.c |
46 |
+@@ -2901,7 +2901,7 @@ static int exif_process_IFD_TAG(image_info_type *ImageInfo, char *dir_entry, cha |
47 |
+ offset_base is ImageInfo->file.list[sn].data-dir_offset |
48 |
+ dir_entry - offset_base is dir_offset+2+i*12 |
49 |
+ */ |
50 |
+- if (byte_count > IFDlength || offset_val > IFDlength-byte_count || value_ptr < dir_entry || offset_val < (size_t)(dir_entry-offset_base)) { |
51 |
++ if (byte_count > IFDlength || offset_val > IFDlength-byte_count || value_ptr < dir_entry || offset_val < (size_t)(dir_entry-offset_base) || dir_entry <= offset_base) { |
52 |
+ /* It is important to check for IMAGE_FILETYPE_TIFF |
53 |
+ * JPEG does not use absolute pointers instead its pointers are |
54 |
+ * relative to the start of the TIFF header in APP1 section. */ |
55 |
+diff --git a/ext/exif/tests/bug77950.phpt b/ext/exif/tests/bug77950.phpt |
56 |
+new file mode 100644 |
57 |
+index 0000000000..dc0f3549cb |
58 |
+--- /dev/null |
59 |
++++ b/ext/exif/tests/bug77950.phpt |
60 |
+@@ -0,0 +1,12 @@ |
61 |
++--TEST-- |
62 |
++Bug #77950 (Heap-buffer-overflow in _estrndup via exif_process_IFD_TAG) |
63 |
++--SKIPIF-- |
64 |
++<?php if (!extension_loaded('exif')) print 'skip exif extension not available';?> |
65 |
++--FILE-- |
66 |
++<?php |
67 |
++exif_read_data(__DIR__."/bug77950.tiff"); |
68 |
++?> |
69 |
++DONE |
70 |
++--EXPECTF-- |
71 |
++%A |
72 |
++DONE |
73 |
+\ No newline at end of file |
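Review bot: In the exif.c condition the new operand `dir_entry <= offset_base` sits last in the `||` chain, so `(size_t)(dir_entry-offset_base)` is still evaluated first with a zero or negative difference. A negative difference cast to size_t wraps to a very large value, which presumably makes the `offset_val <` comparison true on its own, so the added test likely changes only the `dir_entry == offset_base` case; moving it ahead of the subtraction states the intent and avoids computing the wrapped value: `... || value_ptr < dir_entry || dir_entry <= offset_base || offset_val < (size_t)(dir_entry-offset_base)) {`. The invariant comment directly above the condition should gain a line such as `/* dir_entry <= offset_base is not a valid layout; do not trust offsets derived from it */`, since the commit message itself leaves the reason open. The bundled bug77950.phpt expects only `%A` followed by `DONE`, so it presumably detects the over-read only when the suite runs under a memory checker such as ASan or valgrind. exif_process_IFD_TAG starts and ends outside the hunk.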
74 |
|
75 |
diff --git a/bug77950.tiff b/bug77950.tiff |
76 |
new file mode 100644 |
77 |
index 0000000..5c8250a |
78 |
Binary files /dev/null and b/bug77950.tiff differ |