From: t dot starling at physics dot unimelb dot edu dot au
Operating system: linux
PHP version: 4.4.0
PHP Bug Type: EXIF related
Bug description: Infinite recursion due to corrupt JPEG

Description:
------------
An image, seen in the wild and probably generated non-maliciously, reliably causes exif_read_data() to go into infinite recursion.

I've fixed the problem and created a patch against PHP 4.4.0:
http://wikimedia.org/~tstarling/php/exif_IFD2.patch

The test image is here:
http://wikimedia.org/~tstarling/php/Carcraftbuckett.jpg

The problem was an assumption that images would follow the spec and include a maximum of 2 IFD headers, IFD0 for the image and IFD1 for the thumbnail. The test image probably has the "next IFD offset" field pointing back to the same structure, creating an infinite loop. I haven't studied the test image in detail, but my patch allows PHP's Exif functions to read it without segfaulting, which is good enough for me.

I decided to ignore any further IFDs beyond the first two rather than issue an error, for compatibility with possible future revisions of the Exif spec.

-- Tim Starling (MediaWiki developer)

--
Edit bug report at http://bugs.php.net/?id=34704&edit=1
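
The failure mode described in the report, as an added example (not the linked patch and not PHP's exif code): a bounded walk over a TIFF/Exif IFD chain that stops after IFD0 and IFD1 and ignores anything further, so a "next IFD offset" that points back at itself cannot loop. The names walk_ifds, rd, MAX_IFDS and SELF_LOOP are hypothetical, and the sample bytes are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_IFDS 2  /* IFD0 (image) and IFD1 (thumbnail), as in the report */
/* Read an n-byte unsigned integer in the file's byte order. */
static uint32_t rd(const uint8_t *p, int n, int be) {
    uint32_t v = 0;
    for (int i = 0; i < n; i++)
        v |= (uint32_t)p[i] << 8 * (be ? n - 1 - i : i);
    return v;
}

/* Walk the IFD chain of a TIFF/Exif block. Returns the number of IFDs
 * processed (at most MAX_IFDS), or -1 if the structure is malformed.
 * *ignored is set to 1 when a further IFD was present but skipped. */
int walk_ifds(const uint8_t *buf, size_t len, int *ignored) {
    int be, seen = 0;
    *ignored = 0;
    if (len < 8) return -1;
    if (memcmp(buf, "II*\0", 4) == 0) be = 0;        /* little-endian */
    else if (memcmp(buf, "MM\0*", 4) == 0) be = 1;   /* big-endian */
    else return -1;
    uint32_t off = rd(buf + 4, 4, be);
    while (off != 0) {               /* a loop, so depth never grows per IFD */
        if (seen == MAX_IFDS) { *ignored = 1; break; }  /* skip extra IFDs */
        if (off > len || len - off < 2) return -1;      /* entry count fits? */
        size_t body = 2 + 12 * (size_t)rd(buf + off, 2, be);
        if (len - off < body + 4) return -1;            /* entries + next ptr */
        /* Tag entries at buf + off + 2 are not decoded in this example. */
        seen++;
        off = rd(buf + off + body, 4, be);
    }
    return seen;
}

/* Constructed sample: one empty IFD at offset 8 whose "next IFD offset"
 * points back to offset 8, the loop the report suspects. */
static const uint8_t SELF_LOOP[] = {
    'I', 'I', 0x2A, 0x00,  8, 0, 0, 0,   /* TIFF header, IFD0 at offset 8 */
    0, 0,                                /* IFD with 0 entries */
    8, 0, 0, 0                           /* next IFD -> 8 (itself) */
};

int main(void) {
    int ignored, n = walk_ifds(SELF_LOOP, sizeof SELF_LOOP, &ignored);
    printf("IFDs read: %d, extra ignored: %d\n", n, ignored);
}
```

The count cap bounds the work regardless of where the offsets point, which is why it also covers longer cycles (IFD0 -> IFD1 -> IFD0) without tracking visited offsets.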