The php_next_marker function in image.c for PHP 4.2.2, 4.3.9, 4.3.10 and 5.0.3, as reachable by the getimagesize PHP function, allows remote attackers to cause a denial of service (infinite loop) via a JPEG image with an invalid marker value, which causes a negative length value to be passed to php_stream_seek.
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Php | Php | 4.2.2 (including) | 4.2.2 (including) |
| Php | Php | 4.3.9 (including) | 4.3.9 (including) |
| Php | Php | 4.3.10 (including) | 4.3.10 (including) |
| Php | Php | 5.0.3 (including) | 5.0.3 (including) |
| Php4 | Ubuntu | dapper | * |
| Php4 | Ubuntu | edgy | * |
| Php5 | Ubuntu | dapper | * |
| Php5 | Ubuntu | devel | * |
| Php5 | Ubuntu | edgy | * |
| Php5 | Ubuntu | feisty | * |
| Red Hat Enterprise Linux 3 | RedHat | php-0:4.3.2-23.ent | * |
| Red Hat Enterprise Linux 4 | RedHat | php-0:4.3.9-3.6 | * |