iliaa Sun Jun 10 20:13:10 2007 UTC
Modified files:
/php-src/ext/exif exif.c
Log:
MFB: Fixed memory corruption when reading exif data of a non-file
http://cvs.php.net/viewvc.cgi/php-src/ext/exif/exif.c?r1=1.194&r2=1.195&diff_format=u
Index: php-src/ext/exif/exif.c
diff -u php-src/ext/exif/exif.c:1.194 php-src/ext/exif/exif.c:1.195
--- php-src/ext/exif/exif.c:1.194 Sun Feb 25 13:09:07 2007
+++ php-src/ext/exif/exif.c Sun Jun 10 20:13:10 2007
@@ -17,7 +17,7 @@
+----------------------------------------------------------------------+
*/
-/* $Id: exif.c,v 1.194 2007/02/25 13:09:07 helly Exp $ */
+/* $Id: exif.c,v 1.195 2007/06/10 20:13:10 iliaa Exp $ */
/* ToDos
*
@@ -142,7 +142,7 @@
};
/* }}} */
-#define EXIF_VERSION "1.4 $Id: exif.c,v 1.194 2007/02/25 13:09:07 helly Exp $"
+#define EXIF_VERSION "1.4 $Id: exif.c,v 1.195 2007/06/10 20:13:10 iliaa Exp $"
/* {{{ PHP_MINFO_FUNCTION
*/
@@ -3723,7 +3723,9 @@
if (ImageInfo->FileSize >= 2) {
php_stream_seek(ImageInfo->infile, 0, SEEK_SET);
- php_stream_read(ImageInfo->infile, (char*)file_header, 2);
+ if (php_stream_read(ImageInfo->infile, (char*)file_header, 2)
!= 2) {
+ return FALSE;
+ }
if ((file_header[0]==0xff) && (file_header[1]==M_SOI)) {
ImageInfo->FileType = IMAGE_FILETYPE_JPEG;
if (exif_scan_JPEG_header(ImageInfo TSRMLS_CC)) {
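Review bot: The two new short-read exits return FALSE without any diagnostic, while the neighbouring failure branch in this function reports `"Invalid JPEG file"` through exif_error_docref, so a truncated or unreadable stream fails silently. Consider emitting a warning before each return, for example `exif_error_docref(NULL EXIFERR_CC, ImageInfo, E_WARNING, "Unable to read file header");`, both here and at the 6-byte read in the following hunk. The result of `php_stream_seek` on the line above the read is still unchecked, so a failed seek is caught only indirectly by the read length. The enclosing function starts and ends outside the hunk, so whether the caller already reports this failure cannot be confirmed from here.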
@@ -3732,7 +3734,9 @@
exif_error_docref(NULL EXIFERR_CC, ImageInfo,
E_WARNING, "Invalid JPEG file");
}
} else if (ImageInfo->FileSize >= 8) {
- php_stream_read(ImageInfo->infile,
(char*)(file_header+2), 6);
+ if (php_stream_read(ImageInfo->infile,
(char*)(file_header+2), 6) != 6) {
+ return FALSE;
+ }
if (!memcmp(file_header, "II\x2A\x00", 4)) {
ImageInfo->FileType = IMAGE_FILETYPE_TIFF_II;
ImageInfo->motorola_intel = 0;
@@ -3828,20 +3832,14 @@
return FALSE;
}
- php_basename(FileName, strlen(FileName), NULL, 0,
&(ImageInfo->FileName), NULL TSRMLS_CC);
- ImageInfo->read_thumbnail = read_thumbnail;
- ImageInfo->read_all = read_all;
- ImageInfo->Thumbnail.filetype = IMAGE_FILETYPE_UNKNOWN;
-
- ImageInfo->encode_unicode = safe_estrdup(EXIF_G(encode_unicode));
- ImageInfo->decode_unicode_be = safe_estrdup(EXIF_G(decode_unicode_be));
- ImageInfo->decode_unicode_le = safe_estrdup(EXIF_G(decode_unicode_le));
- ImageInfo->encode_jis = safe_estrdup(EXIF_G(encode_jis));
- ImageInfo->decode_jis_be = safe_estrdup(EXIF_G(decode_jis_be));
- ImageInfo->decode_jis_le = safe_estrdup(EXIF_G(decode_jis_le));
-
if (php_stream_is(ImageInfo->infile, PHP_STREAM_IS_STDIO)) {
if (VCWD_STAT(FileName, &st) >= 0) {
+ if ((st.st_mode & S_IFMT) != S_IFREG) {
+ exif_error_docref(NULL EXIFERR_CC, ImageInfo,
E_WARNING, "Not a file");
+ php_stream_close(ImageInfo->infile);
+ return FALSE;
+ }
+
/* Store file date/time. */
#ifdef NETWARE
ImageInfo->FileDateTime = st.st_mtime.tv_sec;
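Review bot: The regular-file test stats `FileName` by path after the stream is already open, so it describes whatever the path resolves to at stat time, not the object `ImageInfo->infile` actually refers to. If the path is replaced between the open and the stat, the check no longer describes the data that gets read. Checking the opened stream avoids this, e.g. declare `php_stream_statbuf ssb;` and test `if (php_stream_stat(ImageInfo->infile, &ssb) == 0 && (ssb.sb.st_mode & S_IFMT) != S_IFREG) {`. The check is also skipped when the stream is not STDIO or when `VCWD_STAT` fails, so those paths rely only on the read-length checks added earlier in this commit. The enclosing function begins and ends outside the hunk.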
@@ -3859,6 +3857,19 @@
}
}
+ php_basename(FileName, strlen(FileName), NULL, 0,
&(ImageInfo->FileName), NULL TSRMLS_CC);
+ ImageInfo->read_thumbnail = read_thumbnail;
+ ImageInfo->read_all = read_all;
+ ImageInfo->Thumbnail.filetype = IMAGE_FILETYPE_UNKNOWN;
+
+ ImageInfo->encode_unicode = safe_estrdup(EXIF_G(encode_unicode));
+ ImageInfo->decode_unicode_be = safe_estrdup(EXIF_G(decode_unicode_be));
+ ImageInfo->decode_unicode_le = safe_estrdup(EXIF_G(decode_unicode_le));
+ ImageInfo->encode_jis = safe_estrdup(EXIF_G(encode_jis));
+ ImageInfo->decode_jis_be = safe_estrdup(EXIF_G(decode_jis_be));
+ ImageInfo->decode_jis_le = safe_estrdup(EXIF_G(decode_jis_le));
+
+
ImageInfo->ifd_nesting_level = 0;
/* Scan the JPEG headers. */