File tree Expand file tree Collapse file tree 1 file changed +6
-1
lines changed Expand file tree Collapse file tree 1 file changed +6
-1
lines changed Original file line number Diff line number Diff line change @@ -195,6 +195,11 @@ PHP_FUNCTION(iptcembed)
195195 RETURN_FALSE ;
196196 }
197197
198+ if ((size_t )iptcdata_len >= SIZE_MAX - sizeof (psheader ) - 1025 ) {
199+ php_error_docref (NULL TSRMLS_CC , E_WARNING , "IPTC data too large" );
200+ RETURN_FALSE ;
201+ }
202+
198203 if ((fp = VCWD_FOPEN (jpeg_file , "rb" )) == 0 ) {
199204 php_error_docref (NULL TSRMLS_CC , E_WARNING , "Unable to open %s" , jpeg_file );
200205 RETURN_FALSE ;
@@ -203,7 +208,7 @@ PHP_FUNCTION(iptcembed)
203208 if (spool < 2 ) {
204209 fstat (fileno (fp ), & sb );
205210
206- poi = spoolbuf = safe_emalloc (1 , iptcdata_len + sizeof (psheader ) + sb . st_size + 1024 , 1 );
211+ poi = spoolbuf = safe_emalloc (1 , ( size_t ) iptcdata_len + sizeof (psheader ) + 1024 + 1 , sb . st_size );
207212 memset (poi , 0 , iptcdata_len + sizeof (psheader ) + sb .st_size + 1024 + 1 );
208213 }
209214
You can’t perform that action at this time.
0 commit comments