pajoye Thu May 28 13:44:43 2009 UTC Added files: /php-src/ext/exif/tests bug48378.jpeg bug48378.phpt
Modified files: /php-src/ext/exif exif.c Log: #48378, exif_read_data() segfaults on certain corrupted .jpeg files http://cvs.php.net/viewvc.cgi/php-src/ext/exif/exif.c?r1=1.212&r2=1.213&diff_format=u Index: php-src/ext/exif/exif.c diff -u php-src/ext/exif/exif.c:1.212 php-src/ext/exif/exif.c:1.213 --- php-src/ext/exif/exif.c:1.212 Tue May 19 10:23:51 2009 +++ php-src/ext/exif/exif.c Thu May 28 13:44:43 2009 @@ -17,7 +17,7 @@ +----------------------------------------------------------------------+ */ -/* $Id: exif.c,v 1.212 2009/05/19 10:23:51 kalle Exp $ */ +/* $Id: exif.c,v 1.213 2009/05/28 13:44:43 pajoye Exp $ */ /* ToDos * @@ -138,7 +138,7 @@ }; /* }}} */ -#define EXIF_VERSION "1.4 $Id: exif.c,v 1.212 2009/05/19 10:23:51 kalle Exp $" +#define EXIF_VERSION "1.4 $Id: exif.c,v 1.213 2009/05/28 13:44:43 pajoye Exp $" /* {{{ PHP_MINFO_FUNCTION */ 
@@ -3188,6 +3188,10 @@ exif_error_docref(NULL EXIFERR_CC, ImageInfo, E_WARNING, "Invalid TIFF start (1)"); return; } + if (offset_of_ifd > length) { + exif_error_docref(NULL EXIFERR_CC, ImageInfo, E_WARNING, "Invalid IFD start"); + return; + } ImageInfo->sections_found |= FOUND_IFD0; /* First directory starts at offset 8. Offsets starts at 0. */ http://cvs.php.net/viewvc.cgi/php-src/ext/exif/tests/bug48378.phpt?view=markup&rev=1.1 Index: php-src/ext/exif/tests/bug48378.phpt +++ php-src/ext/exif/tests/bug48378.phpt --TEST-- Bug #48378 (Infinite recursion due to corrupt JPEG) --SKIPIF-- <?php if (!extension_loaded('exif')) print 'skip exif extension not available';?> --FILE-- <?php exif_read_data( dirname(__FILE__) . "/bug48378.jpeg", "FILE,COMPUTED,ANY_TAG" ); ?> --EXPECTF-- Warning: exif_read_data(%s): Invalid IFD start in %s48378.php on line %d Warning: exif_read_data(%s): Error reading from file: got=x08B4(=2228) != itemlen-2=x1FFE(=8190) in %s48378.php on line %d Warning: exif_read_data(%s): Invalid JPEG file in %s48378.php on line %d -- PHP CVS Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
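Review bot: The added guard `if (offset_of_ifd > length)` still accepts `offset_of_ifd == length`, which points one past the end of the TIFF data, as well as offsets in the last byte where no IFD header can fit. A TIFF IFD begins with a 2-byte entry count, so if the code after this hunk reads that count at `offset_of_ifd` without its own bounds check, a corrupt file could still trigger an out-of-bounds read; the function body continues outside the hunk, so this cannot be confirmed from here. I would tighten the condition to `if (offset_of_ifd >= length || length - offset_of_ifd < 2) {`. It is also worth confirming that `offset_of_ifd` and `length` have the same signedness, so a wrapped value cannot pass the comparison. The new test covers only the one corrupt sample, so a boundary case with the offset equal to the length would pin the fix.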