Edit report at https://bugs.php.net/bug.php?id=62523&edit=1

 ID:                 62523
 Comment by:         dessander at gmail dot com
 Reported by:        bigbug at mafia dot lv
 Summary:            php crashes with segfault when exif_read_data called
 Status:             Assigned
 Type:               Bug
 Package:            Reproducible crash
 Operating System:   linux
 PHP Version:        5.3Git-2012-07-10 (snap)
 Assigned To:        rasmus
 Block user comment: N
 Private report:     N

 New Comment:

Same situation with file:
http://dl.dropbox.com/u/7562584/Bugs/Php/bad_exif.jpeg


Previous Comments:
------------------------------------------------------------------------
[2012-10-30 13:26:09] alex at bartl dot net

seeing the same issue on php-5.4.7-10.fc17.x86_64 (Fedora 17)

------------------------------------------------------------------------
[2012-09-14 17:25:50] info at getid3 dot org

I am also seeing the same problem on Windows (7-64-pro) running
php-5.4.7-nts-Win32-VC9-x86 (and previously same thing on v5.4.4)

I have only encountered one of my own files that causes the crash:
http://getid3.org/temp/62523.jpg

------------------------------------------------------------------------
[2012-07-11 03:35:59] larue...@php.net

Rasmus, could you please look at this one? I don't have enough knowledge
of the exif things :)

------------------------------------------------------------------------
[2012-07-11 03:33:59] larue...@php.net

I can reproduce this only in 5.3, seems 5.3 and 5.4 have the same exif
code, but can not reproduce this in 5.4.

#0  0x00002b6649bdd8fe in php_ifd_get16u (value=0xffffffffcc675e60, motorola_intel=0)
    at /home/huixinchen/opensource/php-5.3/ext/exif/exif.c:1095
1095        return (((uchar *)value)[1] << 8) | ((uchar *)value)[0];
(gdb) bt
#0  0x00002b6649bdd8fe in php_ifd_get16u (value=0xffffffffcc675e60, motorola_intel=0)
    at /home/huixinchen/opensource/php-5.3/ext/exif/exif.c:1095
#1  0x00002b6649bdeba8 in exif_iif_add_value (image_info=0x7fff7b6ec450, section_index=13, name=0x7fff7b6ebbb0 "CustomFunctions", tag=15, format=3, length=12, value=0xffffffffcc675e60, motorola_intel=0)
    at /home/huixinchen/opensource/php-5.3/ext/exif/exif.c:1762
#2  0x00002b6649bded63 in exif_iif_add_tag (image_info=0x7fff7b6ec450, section_index=13, name=0x7fff7b6ebbb0 "CustomFunctions", tag=15, format=3, length=12, value=0xffffffffcc675e60)
    at /home/huixinchen/opensource/php-5.3/ext/exif/exif.c:1812
#3  0x00002b6649be23e3 in exif_process_IFD_TAG (ImageInfo=0x7fff7b6ec450, dir_entry=0x1eb512d8 "\017", offset_base=0xffffffffcc67493c <Address 0xffffffffcc67493c out of bounds>, IFDlength=13482, displacement=30, section_index=13, ReadNextIFD=0, tag_table=0x2b6649de9b00)
    at /home/huixinchen/opensource/php-5.3/ext/exif/exif.c:3135
#4  0x00002b6649be123b in exif_process_IFD_in_MAKERNOTE (ImageInfo=0x7fff7b6ec450, value_ptr=0x1eb512ca "\027", value_len=3476, offset_base=0xffffffffcc67493c <Address 0xffffffffcc67493c out of bounds>, IFDlength=13482, displacement=30)
    at /home/huixinchen/opensource/php-5.3/ext/exif/exif.c:2813
#5  0x00002b6649be221f in exif_process_IFD_TAG (ImageInfo=0x7fff7b6ec450, dir_entry=0x1eb5085c "|\222\a", offset_base=0x1eb4fec0 "II*", IFDlength=13482, displacement=30, section_index=7, ReadNextIFD=1, tag_table=0x2b6649de88e0)
    at /home/huixinchen/opensource/php-5.3/ext/exif/exif.c:3089
#6  0x00002b6649be256f in exif_process_IFD_in_JPEG (ImageInfo=0x7fff7b6ec450, dir_start=0x1eb507b2 "\037", offset_base=0x1eb4fec0 "II*", IFDlength=13482, displacement=30, section_index=7)
    at /home/huixinchen/opensource/php-5.3/ext/exif/exif.c:3163
#7  0x00002b6649be2385 in exif_process_IFD_TAG (ImageInfo=0x7fff7b6ec450, dir_entry=0x1eb4ff36 "i\207\004", offset_base=0x1eb4fec0 "II*", IFDlength=13482, displacement=30, section_index=3, ReadNextIFD=1, tag_table=0x2b6649de88e0)
    at /home/huixinchen/opensource/php-5.3/ext/exif/exif.c:3126
#8  0x00002b6649be256f in exif_process_IFD_in_JPEG (ImageInfo=0x7fff7b6ec450, dir_start=0x1eb4fec8 "\v", offset_base=0x1eb4fec0 "II*", IFDlength=13482, displacement=30, section_index=3)
    at /home/huixinchen/opensource/php-5.3/ext/exif/exif.c:3163
#9  0x00002b6649be285a in exif_process_TIFF_in_JPEG (ImageInfo=0x7fff7b6ec450, CharBuf=0x1eb4fec0 "II*", length=13482, displacement=30)
    at /home/huixinchen/opensource/php-5.3/ext/exif/exif.c:3240
#10 0x00002b6649be298c in exif_process_APP1 (ImageInfo=0x7fff7b6ec450, CharBuf=0x1eb4feb8 "4²Exif", length=13490, displacement=22)
    at /home/huixinchen/opensource/php-5.3/ext/exif/exif.c:3265
#11 0x00002b6649be2f1d in exif_scan_JPEG_header (ImageInfo=0x7fff7b6ec450)
    at /home/huixinchen/opensource/php-5.3/ext/exif/exif.c:3410
#12 0x00002b6649be3ffd in exif_scan_FILE_header (ImageInfo=0x7fff7b6ec450)
    at /home/huixinchen/opensource/php-5.3/ext/exif/exif.c:3792
#13 0x00002b6649be4c41 in exif_read_file (ImageInfo=0x7fff7b6ec450, FileName=0x1eb4b8e8 "/tmp/1.orig.jpg", read_thumbnail=0, read_all=0)
    at /home/huixinchen/opensource/php-5.3/ext/exif/exif.c:3931
#14 0x00002b6649be4e27 in zif_exif_read_data (ht=1, return_value=0x1eb4aac0, return_value_ptr=0x0, this_ptr=0x0, return_value_used=1)
    at /home/huixinchen/opensource/php-5.3/ext/exif/exif.c:3984
#15 0x00000000008e7d95 in zend_do_fcall_common_helper_SPEC (execute_data=0x2b664a23b090)
    at /home/huixinchen/opensource/php-5.3/Zend/zend_vm_execute.h:320
#16 0x00000000008ed77c in ZEND_DO_FCALL_SPEC_CONST_HANDLER (execute_data=0x2b664a23b090)
    at /home/huixinchen/opensource/php-5.3/Zend/zend_vm_execute.h:1640
---Type <return> to continue, or q <return> to quit---

------------------------------------------------------------------------
[2012-07-10 16:11:45] larue...@php.net

yeah, please, build with -g, give us more info :), thanks

------------------------------------------------------------------------


The remainder of the comments for this report are too long. To view
the rest of the comments, please view the bug report online at

    https://bugs.php.net/bug.php?id=62523


-- 
Edit this bug report at https://bugs.php.net/bug.php?id=62523&edit=1