Permalink
Show file tree
Hide file tree
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Browse files
Browse the repository at this point in the history
exif_process_APP12: Fix length calculation for second tag to prevent …
…information leak Summary: buffer + 2+l1+1 points to the second tag. The maximum length of the buffer is length. Hence, the max length of the tag is length - (2+l1+1). Instead, the length passed is length - 2 - l1 + 1 which leads to a 2 byte overflow. If the last character of buffer is not null, this would lead to an out of bounds read of size 2. Fixes CVE-2019-11925 Reviewed By: fredemmott Differential Revision: D16930333 fbshipit-source-id: aad9cccaef3c678abc53bfd549aff6b582082a90
- Loading branch information
1 parent
f9680d2
commit f1cd34e
Showing
3 changed files
with
13 additions
and
1 deletion.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,8 @@ | ||
| <?hh | ||
|
|
||
| <<__EntryPoint>> | ||
| function main_exifreaddata() { | ||
| $jpeg = "\xff\xd8\xec\x00\x05\x58\x00\x17"; | ||
| $data_stream = "data://text/plain;base64," . base64_encode($jpeg); | ||
| var_dump(exif_read_data($data_stream)); | ||
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,4 @@ | ||
| Warning: File structure corrupted in %s/ext_gd/exifreaddata_APP12.php on line 7 | ||
|
|
||
| Warning: Invalid JPEG file in %s/ext_gd/exifreaddata_APP12.php on line 7 | ||
| bool(false) |