
exif_scan_JPEG_header: Added length check to prevent information leak

Summary:
'exif_process_SOFn' assumes that the JPEG header has a length of at least 6. On providing a length < 6, this leads to an out-of-bounds heap read.

Fixes CVE-2019-11926

Reviewed By: fredemmott

Differential Revision: D16927050

fbshipit-source-id: 76c4b7c95acbb7852b0435298613d559d94e7270
DhavalKapil authored and hhvm-bot committed Sep 4, 2019
1 parent 7d8655f commit f9680d21beaa9eb39d166e8810e29fbafa51ad15
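As an added example that is not part of this commit or of HHVM's code, the following C program walks a JPEG's marker segments the way the fixed scanner does and shows why the SOFn handler needs a length check before it is called: the handler reads the precision, height, width and component-count fields at fixed offsets and takes no length argument, so a segment whose length field declares fewer than 8 bytes in total (a payload under 6) would be read past its end. The names here (scan_jpeg_header, process_sofn, sof_info, the JPEG_* return codes, the classify wrapper) and the sample byte strings are this example's own assumptions; the first sample reuses the bytes from the regression test added in this commit.

```c
#include <stdint.h>
#include <stdio.h>

/* Added example, not HHVM's or PHP's code. A minimal JPEG marker walker that
 * reproduces the contract behind the CVE-2019-11926 fix: the SOFn handler
 * reads fixed offsets with no length parameter, so the caller has to prove
 * the segment is long enough. All names below are this example's own. */

enum { JPEG_OK = 1, JPEG_INVALID = 0, JPEG_SOFN_TOO_SHORT = -1 };

typedef struct {
    int precision, height, width, components;
} sof_info;

static unsigned get16(const uint8_t *p) { return ((unsigned)p[0] << 8) | p[1]; }

/* SOF0..SOF15 occupy 0xC0..0xCF, minus DHT (0xC4), JPG (0xC8) and DAC (0xCC). */
static int is_sofn(int m) {
    return m >= 0xC0 && m <= 0xCF && m != 0xC4 && m != 0xC8 && m != 0xCC;
}

/* data points at the 2-byte segment length. The payload layout is
 *   precision(1) height(2) width(2) components(1)
 * i.e. 6 bytes after the length field, so data[2..7] are read. There is
 * deliberately no length argument: an SOFn segment declaring fewer than
 * 8 bytes in total would make these reads run off the end of the segment. */
static void process_sofn(const uint8_t *data, sof_info *out) {
    out->precision  = data[2];
    out->height     = (int)get16(data + 3);
    out->width      = (int)get16(data + 5);
    out->components = data[7];
}

/* Walk SOI and the following marker segments until the first SOFn.
 * Returns JPEG_OK with *out filled, JPEG_SOFN_TOO_SHORT when the SOFn
 * length field cannot cover the 6-byte payload (the CVE-2019-11926 case),
 * or JPEG_INVALID for any other malformed input. */
int scan_jpeg_header(const uint8_t *buf, size_t len, sof_info *out) {
    size_t pos;
    if (len < 2 || buf[0] != 0xFF || buf[1] != 0xD8) return JPEG_INVALID;  /* SOI */
    for (pos = 2;;) {
        int marker;
        size_t itemlen;
        while (pos < len && buf[pos] == 0xFF) pos++;     /* swallow 0xFF padding */
        if (pos >= len) return JPEG_INVALID;
        marker = buf[pos++];
        if (marker == 0xD9) return JPEG_INVALID;          /* EOI before any SOFn */
        if (len - pos < 2) return JPEG_INVALID;           /* no room for the length */
        itemlen = get16(buf + pos);                       /* counts its own 2 bytes */
        if (itemlen < 2) return JPEG_INVALID;             /* keeps itemlen - 2 from wrapping */
        if (len - pos < itemlen) return JPEG_INVALID;     /* segment runs past end of input */
        if (is_sofn(marker)) {
            if (itemlen - 2 < 6) return JPEG_SOFN_TOO_SHORT;   /* the fix's check */
            process_sofn(buf + pos, out);
            return JPEG_OK;
        }
        pos += itemlen;                                   /* skip APPn, DQT, COM, ... */
    }
}

/* Verdict-only wrapper for callers that do not need the parsed fields. */
int classify(const uint8_t *buf, size_t len) {
    sof_info unused;
    return scan_jpeg_header(buf, len, &unused);
}

/* Constructed inputs (not real files). The first is the byte string from the
 * regression test: SOI, SOF9 marker, length 0x0003, one payload byte. */
static const uint8_t kCveSample[]  = { 0xFF, 0xD8, 0xC9, 0x00, 0x03, 0x04, 0x03, 0xF8 };
/* Boundary: SOF0 declaring length 7, i.e. a 5-byte payload, one byte short. */
static const uint8_t kFiveBytes[]  = { 0xFF, 0xD8, 0xFF, 0xC0, 0x00, 0x07, 0x08, 0x00, 0x10, 0x00, 0x20 };
/* Well-formed: empty APP0, then SOF0 of length 8 (precision 8, 32x16, 3 comps). */
static const uint8_t kGoodSample[] = { 0xFF, 0xD8, 0xFF, 0xE0, 0x00, 0x02,
                                       0xFF, 0xC0, 0x00, 0x08, 0x08, 0x00, 0x10, 0x00, 0x20, 0x03 };
/* Length field claims 8 bytes but the buffer ends after 4 of them. */
static const uint8_t kTruncated[]  = { 0xFF, 0xD8, 0xFF, 0xC0, 0x00, 0x08, 0x08, 0x00 };

int main(void) {
    sof_info info;
    printf("cve sample: %d\n", classify(kCveSample, sizeof kCveSample));
    printf("five bytes: %d\n", classify(kFiveBytes, sizeof kFiveBytes));
    printf("truncated : %d\n", classify(kTruncated, sizeof kTruncated));
    if (scan_jpeg_header(kGoodSample, sizeof kGoodSample, &info) == JPEG_OK)
        printf("good      : %dx%d, %d bits, %d components\n",
               info.width, info.height, info.precision, info.components);
    return 0;
}
```

Two design points carry over to the real fix. The `itemlen < 2` test runs before `itemlen - 2` is computed, which matters here because itemlen is unsigned and the subtraction would otherwise wrap for a zero or one-byte length field and sail through the `< 6` comparison. Returning a distinct code for the short-SOFn case makes the vulnerable branch observable in a test, whereas a single "invalid file" verdict cannot tell the new check apart from any earlier rejection.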
@@ -7117,6 +7117,10 @@ static int exif_scan_JPEG_header(image_info_type *ImageInfo) {
case M_SOF13:
case M_SOF14:
case M_SOF15:
if ((itemlen - 2) < 6) {
return 0;
}

exif_process_SOFn(Data, marker, &sof_info);
ImageInfo->Width = sof_info.width;
ImageInfo->Height = sof_info.height;
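Review bot: the `6` in `if ((itemlen - 2) < 6)` is a magic number with no comment; itemlen includes its own 2-byte length field, so the condition says the SOFn payload must hold at least 6 bytes, i.e. the precision(1), height(2), width(2) and components(1) fields that exif_process_SOFn reads at fixed offsets. Suggest a one-line comment such as `/* SOFn payload: precision(1) + height(2) + width(2) + components(1) */` or a named constant, so the next reader does not have to rederive the bound. Also worth confirming that itemlen is guaranteed to be >= 2 before this point: if it is an unsigned type, `itemlen - 2` wraps for itemlen < 2 and the check passes. Returning 0 here rejects the whole file, which matches the `Invalid JPEG file` warning in the expected output; if a short SOFn is meant to abort the scan rather than be skipped with a warning, that choice belongs in the commit message.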
@@ -0,0 +1,8 @@
<?hh

<<__EntryPoint>>
function main_exifreaddata() {
$jpeg = "\xff\xd8\xc9\x00\x03\x04\x03\xf8";
$data_stream = "data://text/plain;base64," . base64_encode($jpeg);
var_dump(exif_read_data($data_stream));
}
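Review bot: the `$jpeg` byte string is unexplained; a comment spelling out its layout (`\xff\xd8` SOI, `\xc9` SOF9 marker, `\x00\x03` a length field of 3, then the remaining bytes) would make it clear that this is the SOFn-length-below-8 case the new check targets and not just a random invalid file. The test also covers only the rejecting path; a companion input with an SOFn length of exactly 8 that exif_read_data accepts would pin the boundary and catch an off-by-one in the `< 6` comparison. The file lands under ext_gd (see the path in the expected output) although it exercises the exif extension, so check that this is where the other exif tests live.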
@@ -0,0 +1,2 @@
Warning: Invalid JPEG file in %s/ext_gd/exifreaddata.php on line 7
bool(false)
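Review bot: the expected output records only `Invalid JPEG file` plus `bool(false)`, which is what any rejected input would produce, so the test would still pass if the new check were removed and some earlier validation caught the input instead; pairing it with a positive case, or noting in the test which branch emits the warning, would make the regression test specific to this fix. The `line 7` in the warning is tied to the position of the var_dump call in the test file, so any edit to that file's header lines has to update this expected output too.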
