1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
|
Index: php5-5.3.3.1/ext/standard/iptc.c
===================================================================
--- php5-5.3.3.1.orig/ext/standard/iptc.c 2016-02-27 12:13:05.000000000 +0100
+++ php5-5.3.3.1/ext/standard/iptc.c 2016-02-27 12:13:35.000000000 +0100
@@ -38,6 +38,10 @@
#include <sys/stat.h>
+#ifndef SIZE_MAX
+#define SIZE_MAX ((size_t)~0)
+#endif
+
/* some defines for the different JPEG block types */
#define M_SOF0 0xC0 /* Start Of Frame N */
@@ -202,6 +206,11 @@
RETURN_FALSE;
}
+ if ((size_t)iptcdata_len >= SIZE_MAX - sizeof(psheader) - 1025) {
+ php_error_docref(NULL TSRMLS_CC, E_WARNING, "IPTC data too large");
+ RETURN_FALSE;
+ }
+
if ((fp = VCWD_FOPEN(jpeg_file, "rb")) == 0) {
php_error_docref(NULL TSRMLS_CC, E_WARNING, "Unable to open %s", jpeg_file);
RETURN_FALSE;
@@ -210,7 +219,7 @@
if (spool < 2) {
fstat(fileno(fp), &sb);
- poi = spoolbuf = safe_emalloc(1, iptcdata_len + sizeof(psheader) + sb.st_size + 1024, 1);
+ poi = spoolbuf = safe_emalloc(1, (size_t)iptcdata_len + sizeof(psheader) + 1024 + 1, sb.st_size);
memset(poi, 0, iptcdata_len + sizeof(psheader) + sb.st_size + 1024 + 1);
}
|
