Commit:    1b43f9504020a1fa607eb58b81defaba9d8cfd6b
Author:    Michael Wallner <m...@php.net>         Mon, 21 Oct 2013 21:48:27 
+0200
Parents:   2ecf94e07efae6059e40069a7c1a895514c24466
Branches:  PHP-5.4 PHP-5.5 master

Link:       
http://git.php.net/?p=php-src.git;a=commitdiff;h=1b43f9504020a1fa607eb58b81defaba9d8cfd6b

Log:
Merged PR #293 (Exif crash on unknown encoding was fixed)
By:
        Draal
Conflicts:
        configure.in
        main/php_version.h

Bugs:
https://bugs.php.net/293

Changed paths:
  M  ext/exif/exif.c
  A  ext/exif/tests/exif_encoding_crash.jpg
  A  ext/exif/tests/exif_encoding_crash.phpt


Diff:
diff --git a/ext/exif/exif.c b/ext/exif/exif.c
index bd646d9..2fe54f7 100644
--- a/ext/exif/exif.c
+++ b/ext/exif/exif.c
@@ -2643,6 +2643,7 @@ static int exif_process_user_comment(image_info_type 
*ImageInfo, char **pszInfoP
                        } else {
                                decode = ImageInfo->decode_unicode_le;
                        }
+                       /* XXX this will fail again if encoding_converter 
returns on error something different than SIZE_MAX   */
                        if (zend_multibyte_encoding_converter(
                                        (unsigned char**)pszInfoPtr, 
                                        &len, 
@@ -2650,7 +2651,7 @@ static int exif_process_user_comment(image_info_type 
*ImageInfo, char **pszInfoP
                                        ByteCount,
                                        
zend_multibyte_fetch_encoding(ImageInfo->encode_unicode TSRMLS_CC),
                                        zend_multibyte_fetch_encoding(decode 
TSRMLS_CC)
-                                       TSRMLS_CC) < 0) {
+                                       TSRMLS_CC) == (size_t)-1) {
                                len = exif_process_string_raw(pszInfoPtr, 
szValuePtr, ByteCount);
                        }
                        return len;
@@ -2663,6 +2664,7 @@ static int exif_process_user_comment(image_info_type 
*ImageInfo, char **pszInfoP
                        *pszEncoding = estrdup((const char*)szValuePtr);
                        szValuePtr = szValuePtr+8;
                        ByteCount -= 8;
+                       /* XXX this will fail again if encoding_converter 
returns on error something different than SIZE_MAX   */
                        if (zend_multibyte_encoding_converter(
                                        (unsigned char**)pszInfoPtr, 
                                        &len, 
@@ -2670,7 +2672,7 @@ static int exif_process_user_comment(image_info_type 
*ImageInfo, char **pszInfoP
                                        ByteCount,
                                        
zend_multibyte_fetch_encoding(ImageInfo->encode_jis TSRMLS_CC),
                                        
zend_multibyte_fetch_encoding(ImageInfo->motorola_intel ? 
ImageInfo->decode_jis_be : ImageInfo->decode_jis_le TSRMLS_CC)
-                                       TSRMLS_CC) < 0) {
+                                       TSRMLS_CC) == (size_t)-1) {
                                len = exif_process_string_raw(pszInfoPtr, 
szValuePtr, ByteCount);
                        }
                        return len;
@@ -2700,8 +2702,8 @@ static int exif_process_user_comment(image_info_type 
*ImageInfo, char **pszInfoP
 static int exif_process_unicode(image_info_type *ImageInfo, xp_field_type 
*xp_field, int tag, char *szValuePtr, int ByteCount TSRMLS_DC)
 {
        xp_field->tag = tag;    
-
-       /* Copy the comment */
+       
+       /* XXX this will fail again if encoding_converter returns on error 
something different than SIZE_MAX   */
        if (zend_multibyte_encoding_converter(
                        (unsigned char**)&xp_field->value, 
                        &xp_field->size, 
@@ -2709,7 +2711,7 @@ static int exif_process_unicode(image_info_type 
*ImageInfo, xp_field_type *xp_fi
                        ByteCount,
                        zend_multibyte_fetch_encoding(ImageInfo->encode_unicode 
TSRMLS_CC),
                        zend_multibyte_fetch_encoding(ImageInfo->motorola_intel 
? ImageInfo->decode_unicode_be : ImageInfo->decode_unicode_le TSRMLS_CC)
-                       TSRMLS_CC) < 0) {
+                       TSRMLS_CC) == (size_t)-1) {
                xp_field->size = exif_process_string_raw(&xp_field->value, 
szValuePtr, ByteCount);
        }
        return xp_field->size;
diff --git a/ext/exif/tests/exif_encoding_crash.jpg 
b/ext/exif/tests/exif_encoding_crash.jpg
new file mode 100644
index 0000000..55138ab
Binary files /dev/null and b/ext/exif/tests/exif_encoding_crash.jpg differ
diff --git a/ext/exif/tests/exif_encoding_crash.phpt 
b/ext/exif/tests/exif_encoding_crash.phpt
new file mode 100644
index 0000000..1c4ad63
--- /dev/null
+++ b/ext/exif/tests/exif_encoding_crash.phpt
@@ -0,0 +1,14 @@
+--TEST--
+PHP crash when zend_multibyte_encoding_converter returns (size_t)-1)
+--SKIPIF--
+<?php if (!extension_loaded('exif')) print 'skip exif extension not 
available';?>
+--FILE--
+<?php
+$infile = dirname(__FILE__).'/exif_encoding_crash.jpg';
+$exif_data = exif_read_data($infile);
+echo "*** no core dump ***\n";
+?>
+===DONE===
+--EXPECT--
+*** no core dump ***
+===DONE===


--
PHP CVS Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Reply via email to