Commit: 1b43f9504020a1fa607eb58b81defaba9d8cfd6b Author: Michael Wallner <m...@php.net> Mon, 21 Oct 2013 21:48:27 +0200 Parents: 2ecf94e07efae6059e40069a7c1a895514c24466 Branches: PHP-5.4 PHP-5.5 master
Link: http://git.php.net/?p=php-src.git;a=commitdiff;h=1b43f9504020a1fa607eb58b81defaba9d8cfd6b Log: Merged PR #293 (Exif crash on unknown encoding was fixed) By: Draal Conflicts: configure.in main/php_version.h Bugs: https://bugs.php.net/293 Changed paths: M ext/exif/exif.c A ext/exif/tests/exif_encoding_crash.jpg A ext/exif/tests/exif_encoding_crash.phpt Diff: diff --git a/ext/exif/exif.c b/ext/exif/exif.c index bd646d9..2fe54f7 100644 --- a/ext/exif/exif.c +++ b/ext/exif/exif.c @@ -2643,6 +2643,7 @@ static int exif_process_user_comment(image_info_type *ImageInfo, char **pszInfoP } else { decode = ImageInfo->decode_unicode_le; } + /* XXX this will fail again if encoding_converter returns on error something different than SIZE_MAX */ if (zend_multibyte_encoding_converter( (unsigned char**)pszInfoPtr, &len, @@ -2650,7 +2651,7 @@ static int exif_process_user_comment(image_info_type *ImageInfo, char **pszInfoP ByteCount, zend_multibyte_fetch_encoding(ImageInfo->encode_unicode TSRMLS_CC), zend_multibyte_fetch_encoding(decode TSRMLS_CC) - TSRMLS_CC) < 0) { + TSRMLS_CC) == (size_t)-1) { len = exif_process_string_raw(pszInfoPtr, szValuePtr, ByteCount); } return len; @@ -2663,6 +2664,7 @@ static int exif_process_user_comment(image_info_type *ImageInfo, char **pszInfoP *pszEncoding = estrdup((const char*)szValuePtr); szValuePtr = szValuePtr+8; ByteCount -= 8; + /* XXX this will fail again if encoding_converter returns on error something different than SIZE_MAX */ if (zend_multibyte_encoding_converter( (unsigned char**)pszInfoPtr, &len, @@ -2670,7 +2672,7 @@ static int exif_process_user_comment(image_info_type *ImageInfo, char **pszInfoP ByteCount, zend_multibyte_fetch_encoding(ImageInfo->encode_jis TSRMLS_CC), zend_multibyte_fetch_encoding(ImageInfo->motorola_intel ? ImageInfo->decode_jis_be : ImageInfo->decode_jis_le TSRMLS_CC) - TSRMLS_CC) < 0) { + TSRMLS_CC) == (size_t)-1) { len = exif_process_string_raw(pszInfoPtr, szValuePtr, ByteCount); } return len; @@ -2700,8 +2702,8 @@ static int exif_process_user_comment(image_info_type *ImageInfo, char **pszInfoP static int exif_process_unicode(image_info_type *ImageInfo, xp_field_type *xp_field, int tag, char *szValuePtr, int ByteCount TSRMLS_DC) { xp_field->tag = tag; - - /* Copy the comment */ + + /* XXX this will fail again if encoding_converter returns on error something different than SIZE_MAX */ if (zend_multibyte_encoding_converter( (unsigned char**)&xp_field->value, &xp_field->size, @@ -2709,7 +2711,7 @@ static int exif_process_unicode(image_info_type *ImageInfo, xp_field_type *xp_fi ByteCount, zend_multibyte_fetch_encoding(ImageInfo->encode_unicode TSRMLS_CC), zend_multibyte_fetch_encoding(ImageInfo->motorola_intel ? ImageInfo->decode_unicode_be : ImageInfo->decode_unicode_le TSRMLS_CC) - TSRMLS_CC) < 0) { + TSRMLS_CC) == (size_t)-1) { xp_field->size = exif_process_string_raw(&xp_field->value, szValuePtr, ByteCount); } return xp_field->size; diff --git a/ext/exif/tests/exif_encoding_crash.jpg b/ext/exif/tests/exif_encoding_crash.jpg new file mode 100644 index 0000000..55138ab Binary files /dev/null and b/ext/exif/tests/exif_encoding_crash.jpg differ diff --git a/ext/exif/tests/exif_encoding_crash.phpt b/ext/exif/tests/exif_encoding_crash.phpt new file mode 100644 index 0000000..1c4ad63 --- /dev/null +++ b/ext/exif/tests/exif_encoding_crash.phpt @@ -0,0 +1,14 @@ +--TEST-- +PHP crash when zend_multibyte_encoding_converter returns (size_t)-1) +--SKIPIF-- +<?php if (!extension_loaded('exif')) print 'skip exif extension not available';?> +--FILE-- +<?php +$infile = dirname(__FILE__).'/exif_encoding_crash.jpg'; +$exif_data = exif_read_data($infile); +echo "*** no core dump ***\n"; +?> +===DONE=== +--EXPECT-- +*** no core dump *** +===DONE=== -- PHP CVS Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php