diff --git a/ext/exif/exif.c b/ext/exif/exif.c index 2906b8c7150e8..17dadc7539baf 100644 --- a/ext/exif/exif.c +++ b/ext/exif/exif.c @@ -4421,7 +4421,7 @@ static bool exif_scan_HEIF_header(image_info_type *ImageInfo, unsigned char *buf if (exif_read_from_stream_file_looped(ImageInfo->infile, (char*)(data + remain), limit - remain) == limit - remain) { exif_isobmff_parse_meta(data, data + limit, &pos); } - if ((pos.size) && + if ((pos.size >= 2) && (pos.size < ImageInfo->FileSize) && (ImageInfo->FileSize - pos.size >= pos.offset) && (php_stream_seek(ImageInfo->infile, pos.offset + 2, SEEK_SET) >= 0)) { diff --git a/ext/exif/tests/heic_iloc_underflow.phpt b/ext/exif/tests/heic_iloc_underflow.phpt new file mode 100644 index 0000000000000..9dd1878b60dd7 --- /dev/null +++ b/ext/exif/tests/heic_iloc_underflow.phpt @@ -0,0 +1,19 @@ +--TEST-- +HEIC iloc extent_length underflow +--EXTENSIONS-- +exif +--FILE-- + +--CLEAN-- + +--EXPECTF-- +Warning: exif_read_data(heic_iloc_underflow.heic): Invalid HEIF file in %s on line %d +bool(false) diff --git a/ext/ftp/php_ftp.c b/ext/ftp/php_ftp.c index 685ebf1870347..63f5c222c1924 100644 --- a/ext/ftp/php_ftp.c +++ b/ext/ftp/php_ftp.c @@ -147,7 +147,7 @@ PHP_FUNCTION(ftp_connect) RETURN_THROWS(); } - const zend_long timeoutmax = (zend_long)((double) PHP_TIMEOUT_ULL_MAX / 1000000.0); + const uint64_t timeoutmax = (uint64_t)((double) PHP_TIMEOUT_ULL_MAX / 1000000.0); if (timeout_sec <= 0) { zend_argument_value_error(3, "must be greater than 0"); @@ -155,7 +155,7 @@ PHP_FUNCTION(ftp_connect) } if (timeout_sec >= timeoutmax) { - zend_argument_value_error(3, "must be less than " ZEND_LONG_FMT, timeoutmax); + zend_argument_value_error(3, "must be less than " ZEND_ULONG_FMT, timeoutmax); RETURN_THROWS(); }