Fix bug #72627: Memory Leakage In exif_process_IFD_in_TIFF

Assigned CVE-IDs: CVE-2016-7128 (cherry picked from commit 6dbb1ee) Signed-off-by: Lior Kaplan <kaplanlior@gmail.com>
kaplanlior · Sep 22, 2016 · af2de56 · af2de56
1 parent a9c9d0e
commit af2de56
Show file tree

Hide file tree

Showing 3 changed files with 75 additions and 1 deletion.
diff --git a/ext/exif/exif.c b/ext/exif/exif.c
@@ -3768,8 +3768,11 @@ static int exif_process_IFD_in_TIFF(image_info_type *ImageInfo, size_t dir_offse
 						fgot = php_stream_read(ImageInfo->infile, ImageInfo->Thumbnail.data, ImageInfo->Thumbnail.size);
 						if (fgot < ImageInfo->Thumbnail.size) {
 							EXIF_ERRLOG_THUMBEOF(ImageInfo)
+							efree(ImageInfo->Thumbnail.data);
+							ImageInfo->Thumbnail.data = NULL;
+						} else {
+							exif_thumbnail_build(ImageInfo TSRMLS_CC);
 						}
-						exif_thumbnail_build(ImageInfo TSRMLS_CC);
 					}
 #ifdef EXIF_DEBUG
 					exif_error_docref(NULL EXIFERR_CC, ImageInfo, E_NOTICE, "Read next IFD (THUMBNAIL) done");

diff --git a/ext/exif/tests/bug72627.phpt b/ext/exif/tests/bug72627.phpt
@@ -0,0 +1,71 @@
+--TEST--
+Bug #72627 (Memory Leakage In exif_process_IFD_in_TIFF)
+--SKIPIF--
+<?php if (!extension_loaded('exif')) print 'skip exif extension not available';?>
+--FILE--
+<?php
+	$exif = exif_read_data(__DIR__ . '/bug72627.tiff',0,0,true);
+	var_dump($exif);
+?>
+--EXPECTF--
+Warning: exif_read_data(%s): Thumbnail goes IFD boundary or end of file reached in %sbug72627.php on line %d
+
+Warning: exif_read_data(%s): Error in TIFF: filesize(x04E2) less than start of IFD dir(x829A0004) in %sbug72627.php on line %d
+
+Warning: exif_read_data(%s): Thumbnail goes IFD boundary or end of file reached in %sbug72627.php on line %d
+array(11) {
+  ["FileName"]=>
+  string(13) "bug72627.tiff"
+  ["FileDateTime"]=>
+  int(%d)
+  ["FileSize"]=>
+  int(1250)
+  ["FileType"]=>
+  int(7)
+  ["MimeType"]=>
+  string(10) "image/tiff"
+  ["SectionsFound"]=>
+  string(30) "ANY_TAG, IFD0, THUMBNAIL, EXIF"
+  ["COMPUTED"]=>
+  array(10) {
+    ["html"]=>
+    string(24) "width="128" height="132""
+    ["Height"]=>
+    int(132)
+    ["Width"]=>
+    int(128)
+    ["IsColor"]=>
+    int(0)
+    ["ByteOrderMotorola"]=>
+    int(0)
+    ["ApertureFNumber"]=>
+    string(5) "f/1.0"
+    ["Thumbnail.FileType"]=>
+    int(2)
+    ["Thumbnail.MimeType"]=>
+    string(10) "image/jpeg"
+    ["Thumbnail.Height"]=>
+    int(132)
+    ["Thumbnail.Width"]=>
+    int(128)
+  }
+  ["XResolution"]=>
+  string(21) "1414812756/1414812756"
+  ["THUMBNAIL"]=>
+  array(5) {
+    ["ImageWidth"]=>
+    int(128)
+    ["ImageLength"]=>
+    int(132)
+    ["JPEGInterchangeFormat"]=>
+    int(1280)
+    ["JPEGInterchangeFormatLength"]=>
+    int(100)
+    ["THUMBNAIL"]=>
+    NULL
+  }
+  ["ExposureTime"]=>
+  string(21) "1414812756/1414812756"
+  ["FNumber"]=>
+  string(21) "1414812756/1414812756"
+}
diff --git a/ext/exif/tests/bug72627.tiff b/ext/exif/tests/bug72627.tiff