Commit 67b74b2

committed

exif/heic: Avoid overflow when adding box size and checking against file size

We change the order of operations such that the file size check cannot overflow in the for loop. This prevents infinite loops. We also add an overflow check at the end of the loop body to prevent the addition of offset and box.size from overflowing.

1 parent 389691a commit 67b74b2Copy full SHA for 67b74b2

File tree

1 file changed

-1

lines changed

ext/exif
- exif.c

1 file changed

-1

lines changed

`‎ext/exif/exif.c`

Lines changed: 4 additions & 1 deletion

Original file line number	Diff line number	Diff line change
`@@ -4388,7 +4388,7 @@ static bool exif_scan_HEIF_header(image_info_type ImageInfo, unsigned char buf`
`4388`	`4388`	`bool ret = false;`
`4389`	`4389`
`4390`	`4390`	`pos.size = 0;`
`4391`		`- for (offset = php_ifd_get32u(buf, 1); ImageInfo->FileSize >offset+16; offset += box.size) {`
	`4391`	`+ for (offset = php_ifd_get32u(buf, 1); ImageInfo->FileSize -16>offset; offset += box.size) {`
`4392`	`4392`	`if ((php_stream_seek(ImageInfo->infile, offset, SEEK_SET) < 0) \|\|`
`4393`	`4393`	`(exif_read_from_stream_file_looped(ImageInfo->infile, (char*)buf, 16) != 16)) {`
`4394`	`4394`	`break;`
`@@ -4425,6 +4425,9 @@ static bool exif_scan_HEIF_header(image_info_type ImageInfo, unsigned char buf`
`4425`	`4425`	`efree(data);`
`4426`	`4426`	`break;`
`4427`	`4427`	`}`
	`4428`	`+ if (offset + box.size < offset) {`
	`4429`	`+ break;`
	`4430`	`+ }`
`4428`	`4431`	`}`
`4429`	`4432`
`4430`	`4433`	`return ret;`

0 commit comments

Comments

(0)

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Commit 67b74b2

File tree

1 file changed

1 file changed

`‎ext/exif/exif.c`

0 commit comments