andrei          Fri Jan 21 18:47:07 2005 EDT

  Modified files:              (Branch: PHP_4_3)
    /php-src/ext/exif   exif.c 
  Log:
  Protect against corrupt EXIF headers that feature unlimited IFD tag
  nesting.
  
  
http://cvs.php.net/diff.php/php-src/ext/exif/exif.c?r1=1.118.2.29&r2=1.118.2.30&ty=u
Index: php-src/ext/exif/exif.c
diff -u php-src/ext/exif/exif.c:1.118.2.29 php-src/ext/exif/exif.c:1.118.2.30
--- php-src/ext/exif/exif.c:1.118.2.29  Tue Nov  9 20:44:58 2004
+++ php-src/ext/exif/exif.c     Fri Jan 21 18:47:06 2005
@@ -17,7 +17,7 @@
    +----------------------------------------------------------------------+
  */
 
-/* $Id: exif.c,v 1.118.2.29 2004/11/10 01:44:58 iliaa Exp $ */
+/* $Id: exif.c,v 1.118.2.30 2005/01/21 23:47:06 andrei Exp $ */
 
 /*  ToDos
  *
@@ -85,6 +85,8 @@
 
 #define EFREE_IF(ptr)  if (ptr) efree(ptr)
 
+#define MAX_IFD_NESTING_LEVEL 5
+
 static unsigned char exif_thumbnail_force_ref[] = {2, BYREF_NONE, 
BYREF_FORCE_REST};
 
 /* {{{ exif_functions[]
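Review bot: `MAX_IFD_NESTING_LEVEL` is added without a comment saying what it bounds or why the value is 5, which makes the limit hard to tune later when a legitimate file hits it. A one-line comment above the define would cover it, for example `/* Upper bound on nested IFD processing; stops corrupt headers from recursing without end */`. If the value was chosen from what real cameras emit, stating that in the comment would help whoever revisits it.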
@@ -99,7 +101,7 @@
 };
 /* }}} */
 
-#define EXIF_VERSION "1.4 $Id: exif.c,v 1.118.2.29 2004/11/10 01:44:58 iliaa 
Exp $"
+#define EXIF_VERSION "1.4 $Id: exif.c,v 1.118.2.30 2005/01/21 23:47:06 andrei 
Exp $"
 
 /* {{{ PHP_MINFO_FUNCTION
  */
@@ -1430,6 +1432,7 @@
        /* for parsing */
        int             read_thumbnail;
        int             read_all;
+       int             ifd_nesting_level;
        /* internal */
        file_section_list       file;
 } image_info_type;
@@ -2689,6 +2692,13 @@
        size_t byte_count, offset_val, fpos, fgot;
        xp_field_type *tmp_xp;
 
+       /* Protect against corrupt headers */
+       if (ImageInfo->ifd_nesting_level > MAX_IFD_NESTING_LEVEL) {
+               exif_error_docref("exif_read_data#error_ifd" TSRMLS_CC, 
ImageInfo, E_WARNING, "corrupt EXIF header: maximum directory nesting level 
reached");
+               return FALSE;
+       }
+       ImageInfo->ifd_nesting_level++;
+
        tag = php_ifd_get16u(dir_entry, ImageInfo->motorola_intel);
        format = php_ifd_get16u(dir_entry+2, ImageInfo->motorola_intel);
        components = php_ifd_get32u(dir_entry+4, ImageInfo->motorola_intel);
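Review bot: The counter is incremented on entry here but nothing in this hunk decrements it on return. Unless the part of the function outside the hunk does so, `ifd_nesting_level` counts every directory entry processed rather than the current recursion depth. A well-formed file with more than a handful of tags would then hit the warning and `return FALSE`, since the only reset visible is the single `ImageInfo->ifd_nesting_level = 0;` before the header scan. Pairing the increment with `ImageInfo->ifd_nesting_level--;` on every return path keeps the recursion bound while measuring real depth; the simplest form is a thin wrapper that checks, increments, calls the existing body and decrements. The function starts and ends outside the hunk, so its exit paths cannot be confirmed from here.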
@@ -3713,6 +3723,8 @@
                }
        }
 
+       ImageInfo->ifd_nesting_level = 0;
+
        /* Scan the JPEG headers. */
        ret = exif_scan_FILE_header(ImageInfo TSRMLS_CC);
 
