1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
|
$NetBSD: patch-ext_exif_exif.c,v 1.1.2.2 2011/02/23 19:12:54 tron Exp $
Catch up to r308362 from PHP's repogitry for SA43328.
--- ext/exif/exif.c.orig 2010-01-03 09:23:27.000000000 +0000
+++ ext/exif/exif.c
@@ -40,6 +40,16 @@
#include "php.h"
#include "ext/standard/file.h"
+#ifdef HAVE_STDINT_H
+# include <stdint.h>
+#endif
+#ifdef HAVE_INTTYPES_H
+# include <inttypes.h>
+#endif
+#ifdef PHP_WIN32
+# include "win32/php_stdint.h"
+#endif
+
#if HAVE_EXIF
/* When EXIF_DEBUG is defined the module generates a lot of debug messages
@@ -2821,6 +2831,7 @@ static int exif_process_IFD_TAG(image_in
int tag, format, components;
char *value_ptr, tagname[64], cbuf[32], *outside=NULL;
size_t byte_count, offset_val, fpos, fgot;
+ int64_t byte_count_signed;
xp_field_type *tmp_xp;
#ifdef EXIF_DEBUG
char *dump_data;
@@ -2845,13 +2856,20 @@ static int exif_process_IFD_TAG(image_in
/*return TRUE;*/
}
- byte_count = components * php_tiff_bytes_per_format[format];
+ if (components < 0) {
+ exif_error_docref("exif_read_data#error_ifd" EXIFERR_CC, ImageInfo, E_WARNING, "Process tag(x%04X=%s): Illegal components(%ld)", tag, exif_get_tagname(tag, tagname, -12, tag_table TSRMLS_CC), components);
+ return FALSE;
+ }
+
+ byte_count_signed = (int64_t)components * php_tiff_bytes_per_format[format];
- if ((ssize_t)byte_count < 0) {
- exif_error_docref("exif_read_data#error_ifd" EXIFERR_CC, ImageInfo, E_WARNING, "Process tag(x%04X=%s): Illegal byte_count(%ld)", tag, exif_get_tagname(tag, tagname, -12, tag_table TSRMLS_CC), byte_count);
+ if (byte_count_signed < 0 || (byte_count_signed > INT32_MAX)) {
+ exif_error_docref("exif_read_data#error_ifd" EXIFERR_CC, ImageInfo, E_WARNING, "Process tag(x%04X=%s): Illegal byte_count", tag, exif_get_tagname(tag, tagname, -12, tag_table TSRMLS_CC));
return FALSE;
}
+ byte_count = (size_t)byte_count_signed;
+
if (byte_count > 4) {
offset_val = php_ifd_get32u(dir_entry+8, ImageInfo->motorola_intel);
/* If its bigger than 4 bytes, the dir entry contains an offset. */
@@ -2916,6 +2934,7 @@ static int exif_process_IFD_TAG(image_in
efree(dump_data);
}
#endif
+
if (section_index==SECTION_THUMBNAIL) {
if (!ImageInfo->Thumbnail.data) {
switch(tag) {
|