components/php-5_2/php-sapi/patches/81_php_20192108.patch
branchs11u2-sru
changeset 4534 058d7630f55f
4529:a1c54f9eb8de 4534:058d7630f55f
       
     1 CVE-2014-3670
       
     2 Community BUG:
       
     3 https://bugs.php.net/bug.php?id=68113
       
     4 Community CODE:
       
     5 http://git.php.net/?p=php-src.git;a=commit;h=ddb207e7fa2e9adeba021a1303c3781efda5409b
       
     6 Below is the community patch.
       
     7 
       
     8 Not including the test files at the moment:
       
     9 ext/exif/tests/bug68113.jpg
       
    10 ext/exif/tests/bug68113.phpt
       
    11 because our version of gpatch doesn't understand the git binary data file.
       
    12 
       
    13 
       
    14 From ddb207e7fa2e9adeba021a1303c3781efda5409b Mon Sep 17 00:00:00 2001
       
    15 From: Stanislav Malyshev <[email protected]>
       
    16 Date: Sun, 28 Sep 2014 16:57:42 -0700
       
    17 Subject: [PATCH] Fix bug #68113 (Heap corruption in exif_thumbnail())
       
    18 
       
    19 ---
       
    20  ext/exif/exif.c              |   4 ++--
       
    21  ext/exif/tests/bug68113.jpg  | Bin 0 -> 368 bytes
       
    22  ext/exif/tests/bug68113.phpt |  17 +++++++++++++++++
       
    23  3 files changed, 19 insertions(+), 2 deletions(-)
       
    24  create mode 100755 ext/exif/tests/bug68113.jpg
       
    25  create mode 100644 ext/exif/tests/bug68113.phpt
       
    26 
       
    27 diff --git a/ext/exif/exif.c b/ext/exif/exif.c
       
    28 index 38907b4..637ebf9 100644
       
    29 --- a/ext/exif/exif.c
       
    30 +++ b/ext/exif/exif.c
       
    31 @@ -2426,11 +2426,11 @@ static void* exif_ifd_make_value(image_info_data *info_data, int motorola_intel
       
    32  					data_ptr += 8;
       
    33  					break;
       
    34  				case TAG_FMT_SINGLE:
       
    35 -					memmove(data_ptr, &info_data->value.f, byte_count);
       
    36 +					memmove(data_ptr, &info_value->f, 4);
       
    37  					data_ptr += 4;
       
    38  					break;
       
    39  				case TAG_FMT_DOUBLE:
       
    40 -					memmove(data_ptr, &info_data->value.d, byte_count);
       
    41 +					memmove(data_ptr, &info_value->d, 8);
       
    42  					data_ptr += 8;
       
    43  					break;
       
    44  			}
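Review bot: The lengths `4` and `8` in the new memmove() calls for TAG_FMT_SINGLE and TAG_FMT_DOUBLE are bare literals, and nothing beside them records why byte_count must not be used there, so a later cleanup could reintroduce the heap corruption this patch fixes. I would add a comment above the first of the two cases, for example `/* copy one element only: byte_count is not a per-element size */`; that wording assumes byte_count covers the whole value, which the removed lines suggest but the hunk does not show. The copies also read 4 and 8 bytes from `info_value->f` and `info_value->d`, which stays in bounds only if those members are at least that wide. If they are float and double, as the names suggest, a compile-time check that `sizeof(float) == 4` and `sizeof(double) == 8` would make the assumption explicit. exif_ifd_make_value() starts and ends outside the hunk, so the surrounding loop and the declaration of info_value cannot be checked from here.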