An insufficient input validation flaw was discovered in PHP's Exif extension, which allows extracting Exif data from image files:

http://thread.gmane.org/gmane.comp.security.oss.general/4198

An integer overflow causes PHP to not validate offsets read from the file properly, causing it to read behind the end of the buffer. This leads to a PHP interpreter crash when reading specially crafted Exif data.

Before the code over-reading the buffer is reached, PHP needs to allocate a large amount of memory (based on the components / length value read from the file). This attempt triggers the integer overflow check in safe_emalloc on 32-bit platforms and requires the memory_limit for the script to be set to -1 (i.e. no limit is enforced by PHP) on 64-bit platforms.

Upstream commits, which include reproducers:

http://svn.php.net/viewvc?view=revision&revision=308316
http://svn.php.net/viewvc?view=revision&revision=308317

The follow-up commit replaces the use of a hard-coded numeric constant with INT32_MAX:

http://svn.php.net/viewvc?view=revision&revision=308362

This fix should first appear in upstream version 5.3.6.
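The class of bug described in the report above, as an added illustration that is not PHP's code and not part of the original report: a bounds check on file-supplied values that wraps in 32-bit arithmetic, next to a form that cannot overflow. The struct, field names and function names are hypothetical, and the sample entries are constructed.

```c
#include <stdint.h>
#include <stdio.h>

/* Hypothetical model of one Exif directory entry (not PHP's structure).
 * All three fields come from the file, so all are attacker-controlled. */
struct ifd_entry {
    uint32_t components; /* number of values */
    uint32_t elem_size;  /* bytes per value, derived from the format code */
    uint32_t offset;     /* start of the values inside the buffer */
};

/* Weak check: both the product and the sum are computed in 32 bits and can
 * wrap around to a small value that passes the comparison. */
static int in_bounds_wrapping(const struct ifd_entry *e, uint32_t buf_len)
{
    uint32_t length = e->components * e->elem_size; /* may wrap */
    return e->offset + length <= buf_len;           /* may wrap again */
}

/* Hardened check: only subtraction and division, which cannot overflow. */
static int in_bounds_checked(const struct ifd_entry *e, uint32_t buf_len)
{
    if (e->elem_size == 0 || e->offset > buf_len)
        return 0;
    uint32_t room = buf_len - e->offset;
    return e->components <= room / e->elem_size;
}

int main(void)
{
    /* Constructed sample entries for a 1024-byte buffer. */
    struct ifd_entry samples[] = {
        { 4, 2, 16 },           /* benign: 8 bytes at offset 16 */
        { 0x40000001u, 4, 16 }, /* product wraps to 4 */
        { 1, 8, 0xFFFFFFFCu },  /* offset + length wraps to 4 */
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("entry %zu: wrapping=%d checked=%d\n", i,
               in_bounds_wrapping(&samples[i], 1024),
               in_bounds_checked(&samples[i], 1024));
    return 0;
}
```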
This issue has been addressed in following products:

  Red Hat Enterprise Linux 5
  Red Hat Enterprise Linux 6

Via RHSA-2011:1423 https://rhn.redhat.com/errata/RHSA-2011-1423.html
Statement: (none)
This issue did not affect the version of php as shipped with Fedora 15 and Fedora 16.
This issue has been addressed in following products:

  Red Hat Enterprise Linux 5

Via RHSA-2012:0033 https://rhn.redhat.com/errata/RHSA-2012-0033.html
This issue has been addressed in following products:

  Red Hat Enterprise Linux 4

Via RHSA-2012:0071 https://rhn.redhat.com/errata/RHSA-2012-0071.html