[Pkg-php-commits] [php/debian-lenny] CVE-2009-3292: multiple missing checks processing exif image data

Sat Nov 28 23:52:51 UTC 2009

---
 debian/patches/CVE-2009-3292.patch |   57 ++++++++++++++++++++++++++++++++++++
 debian/patches/series              |    1 +
 2 files changed, 58 insertions(+), 0 deletions(-)
 create mode 100644 debian/patches/CVE-2009-3292.patch

diff --git a/debian/patches/CVE-2009-3292.patch b/debian/patches/CVE-2009-3292.patch
new file mode 100644
index 0000000..e0ca930
--- /dev/null
+++ b/debian/patches/CVE-2009-3292.patch
@@ -0,0 +1,57 @@
+Index: php/ext/exif/exif.c
+===================================================================
+--- php.orig/ext/exif/exif.c
++++ php/ext/exif/exif.c
+@@ -3247,7 +3247,7 @@ static void exif_process_APP1(image_info
+ {
+ 	/* Check the APP1 for Exif Identifier Code */
+ 	static const uchar ExifHeader[] = {0x45, 0x78, 0x69, 0x66, 0x00, 0x00};
+-	if (memcmp(CharBuf+2, ExifHeader, 6)) {
++	if (length <= 8 || memcmp(CharBuf+2, ExifHeader, 6)) {
+ 		exif_error_docref(NULL EXIFERR_CC, ImageInfo, E_WARNING, "Incorrect APP1 Exif Identifier Code");
+ 		return;
+ 	}
+@@ -3330,8 +3330,14 @@ static int exif_scan_JPEG_header(image_i
+ 		}
+ 
+ 		/* Read the length of the section. */
+-		lh = php_stream_getc(ImageInfo->infile);
+-		ll = php_stream_getc(ImageInfo->infile);
++		if ((lh = php_stream_getc(ImageInfo->infile)) == EOF) {
++			EXIF_ERRLOG_CORRUPT(ImageInfo)
++			return FALSE;
++		}
++		if ((ll = php_stream_getc(ImageInfo->infile)) == EOF) {
++			EXIF_ERRLOG_CORRUPT(ImageInfo)
++			return FALSE;
++		}
+ 
+ 		itemlen = (lh << 8) | ll;
+ 
+@@ -3531,6 +3537,10 @@ static int exif_process_IFD_in_TIFF(imag
+ 	int entry_tag , entry_type;
+ 	tag_table_type tag_table = exif_get_tag_table(section_index);
+ 
++	if (ImageInfo->ifd_nesting_level > MAX_IFD_NESTING_LEVEL) {
++                return FALSE;
++        }
++
+ 	if (ImageInfo->FileSize >= dir_offset+2) {
+ 		sn = exif_file_sections_add(ImageInfo, M_PSEUDO, 2, NULL);
+ #ifdef EXIF_DEBUG
+@@ -3674,6 +3684,7 @@ static int exif_process_IFD_in_TIFF(imag
+ #ifdef EXIF_DEBUG
+ 						exif_error_docref(NULL EXIFERR_CC, ImageInfo, E_NOTICE, "Next IFD: %s @x%04X", exif_get_sectionname(sub_section_index), entry_offset);
+ #endif
++						ImageInfo->ifd_nesting_level++;
+ 						exif_process_IFD_in_TIFF(ImageInfo, entry_offset, sub_section_index TSRMLS_CC);
+ 						if (section_index!=SECTION_THUMBNAIL && entry_tag==TAG_SUB_IFD) {
+ 							if (ImageInfo->Thumbnail.filetype != IMAGE_FILETYPE_UNKNOWN
+@@ -3713,6 +3724,7 @@ static int exif_process_IFD_in_TIFF(imag
+ #ifdef EXIF_DEBUG
+ 					exif_error_docref(NULL EXIFERR_CC, ImageInfo, E_NOTICE, "Read next IFD (THUMBNAIL) at x%04X", next_offset);
+ #endif
++					ImageInfo->ifd_nesting_level++;
+ 					exif_process_IFD_in_TIFF(ImageInfo, next_offset, SECTION_THUMBNAIL TSRMLS_CC);
+ #ifdef EXIF_DEBUG
+ 					exif_error_docref(NULL EXIFERR_CC, ImageInfo, E_NOTICE, "%s THUMBNAIL @0x%04X + 0x%04X", ImageInfo->Thumbnail.data ? "Ignore" : "Read", ImageInfo->Thumbnail.offset, ImageInfo->Thumbnail.size);
diff --git a/debian/patches/series b/debian/patches/series
index c14a636..ee2d042 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -57,3 +57,4 @@ CVE-2009-0754.patch
 CVE-2009-1271.patch
 CVE-2009-2687.patch
 CVE-2009-2626.patch
+CVE-2009-3292.patch
-- 
1.6.3.3



