Diffstat (limited to 'ext/exif')
-rw-r--r-- | ext/exif/exif.c | 14 | ||||
-rw-r--r-- | ext/exif/tests/bug48378.jpeg | bin | 0 -> 2566 bytes | |||
-rw-r--r-- | ext/exif/tests/bug48378.phpt | 19 | ||||
-rw-r--r-- | ext/exif/tests/exif006.phpt | 1 |
4 files changed, 29 insertions, 5 deletions
diff --git a/ext/exif/exif.c b/ext/exif/exif.c index a10b6d0b6..96358f22e 100644 --- a/ext/exif/exif.c +++ b/ext/exif/exif.c @@ -17,7 +17,7 @@ +----------------------------------------------------------------------+ */ -/* $Id: exif.c,v 1.173.2.5.2.20.2.14 2008/12/31 11:15:36 sebastian Exp $ */ +/* $Id: exif.c,v 1.173.2.5.2.20.2.16 2009/06/12 14:03:35 felipe Exp $ */ /* ToDos * @@ -138,7 +138,7 @@ const zend_function_entry exif_functions[] = { }; /* }}} */ -#define EXIF_VERSION "1.4 $Id: exif.c,v 1.173.2.5.2.20.2.14 2008/12/31 11:15:36 sebastian Exp $" +#define EXIF_VERSION "1.4 $Id: exif.c,v 1.173.2.5.2.20.2.16 2009/06/12 14:03:35 felipe Exp $" /* {{{ PHP_MINFO_FUNCTION */ @@ -3210,6 +3210,10 @@ static void exif_process_TIFF_in_JPEG(image_info_type *ImageInfo, char *CharBuf, exif_error_docref(NULL EXIFERR_CC, ImageInfo, E_WARNING, "Invalid TIFF start (1)"); return; } + if (offset_of_ifd > length) { + exif_error_docref(NULL EXIFERR_CC, ImageInfo, E_WARNING, "Invalid IFD start"); + return; + } ImageInfo->sections_found |= FOUND_IFD0; /* First directory starts at offset 8. Offsets starts at 0. */ @@ -3909,17 +3913,17 @@ PHP_FUNCTION(exif_read_data) int p_name_len, p_sections_needed_len = 0; zend_bool sub_arrays=0, read_thumbnail=0, read_all=0; - int i, ac = ZEND_NUM_ARGS(), ret, sections_needed=0; + int i, ret, sections_needed=0; image_info_type ImageInfo; char tmp[64], *sections_str, *s; - if (zend_parse_parameters(ac TSRMLS_CC, "s|sbb", &p_name, &p_name_len, &p_sections_needed, &p_sections_needed_len, &sub_arrays, &read_thumbnail) == FAILURE) { + if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s|sbb", &p_name, &p_name_len, &p_sections_needed, &p_sections_needed_len, &sub_arrays, &read_thumbnail) == FAILURE) { return; } memset(&ImageInfo, 0, sizeof(ImageInfo)); - if (ac >= 2) { + if (p_sections_needed) { spprintf(§ions_str, 0, ",%s,", p_sections_needed); /* sections_str DOES start with , and SPACES are NOT allowed in names */ s = sections_str; 
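Review bot: The new guard in exif_process_TIFF_in_JPEG compares with `>`, so an `offset_of_ifd` exactly equal to `length` is still accepted even though it points one byte past the data. An offset in the last byte or two is also accepted, which leaves no room for the two-byte entry count that starts an IFD. Unless the directory parser called after this point (outside the hunk) re-validates the start, I would tighten the test to `if (offset_of_ifd >= length) {`, and ideally also require at least two bytes after the offset. The function starts and ends outside the hunk, so the types of both variables, and whether `length` is measured from the same base as `offset_of_ifd`, should be confirmed first.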
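Review bot: In exif_read_data, `if (p_sections_needed)` is only safe if the pointer is initialised to NULL at its declaration, which sits just above the hunk and is not visible here. zend_parse_parameters leaves optional arguments untouched when the caller omits them, so an uninitialised pointer would be tested and then passed to spprintf. The visible `p_sections_needed_len = 0` suggests the pointer is initialised too, but this should be confirmed. A short comment at the test would record the dependency, for example `/* p_sections_needed stays NULL when the optional argument is omitted */`.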
diff --git a/ext/exif/tests/bug48378.jpeg b/ext/exif/tests/bug48378.jpeg Binary files differnew file mode 100644 index 000000000..759d80570 --- /dev/null +++ b/ext/exif/tests/bug48378.jpeg diff --git a/ext/exif/tests/bug48378.phpt b/ext/exif/tests/bug48378.phpt new file mode 100644 index 000000000..286ce6107 --- /dev/null +++ b/ext/exif/tests/bug48378.phpt @@ -0,0 +1,19 @@ +--TEST-- +Bug #48378 (Infinite recursion due to corrupt JPEG) +--SKIPIF-- +<?php if (!extension_loaded('exif')) print 'skip exif extension not available';?> +--FILE-- +<?php +exif_read_data( +dirname(__FILE__) . "/bug48378.jpeg", +"FILE,COMPUTED,ANY_TAG" +); +?> +--EXPECTF-- +Warning: exif_read_data(%s): Invalid IFD start in %s48378.php on line %d + +Warning: exif_read_data(%s): Error reading from file: got=x08B4(=2228) != itemlen-2=x1FFE(=8190) in %s48378.php on line %d + +Warning: exif_read_data(%s): Invalid JPEG file in %s48378.php on line %d + + diff --git a/ext/exif/tests/exif006.phpt b/ext/exif/tests/exif006.phpt index bad74ee4f..256a9ebc5 100644 --- a/ext/exif/tests/exif006.phpt +++ b/ext/exif/tests/exif006.phpt @@ -20,6 +20,7 @@ magic_quotes_runtime=1 var_dump(exif_read_data(dirname(__FILE__).'/test6.jpg','',true,false)); ?> --EXPECTF-- +PHP Warning: Directive 'magic_quotes_runtime' is deprecated in PHP 5.3 and greater in Unknown on line 0 array(5) { ["FILE"]=> array(6) { |