On Fri, Jul 13, 2001 at 01:08:26PM -0000, [EMAIL PROTECTED] wrote:
> From: [EMAIL PROTECTED]
> Operating system: RedHat Linux 7.1 (Intel)
> PHP version: 4.0.6
> PHP Bug Type: Reproducible crash
> Bug description: iptcparse crashes with one specific PhotoCD file
patch attached - btw: there is no valid IPTC in this file;-)
tc
>
> I have one PCD (Kodak PhotoCD) file which crashes PHP when I run iptcparse
> on its contents.
>
> The error message is "FATAL: emalloc(): Unable to allocate -4095
> bytes".
>
> Unfortunately, I wasn't able to produce a core file (probably too dumb to
> configure with --enable-debug). PHP was configured "plain" (just
> "./configure", "make", "make install").
>
> I can reproduce this crash with PHP 4.0.2-dev and 3.0.13-dev (error message
> here: "FATAL: emalloc(): Unable to allocate 4294963201 bytes") under
> Solaris, and with an older PHP 4 under RedHat Linux 6.2.
>
> Hundreds of other PCD files work fine, some of them bigger than my example
> file.
>
> You can download this PCD file from http://www.digicol.de/crash.html (it's
> nearly 5 MB).
>
> This is how you can reproduce the crash:
> ==============================================
> [tim@dhcp5 tim]$ ll
> insgesamt 7896
> -rw-rw-r-- 1 tim tim 4898816 Jun 22 11:48 crash.pcd
> -rw-rw-r-- 1 tim tim 510 Jun 22 12:06 iptcparse-crash.php
> [tim@dhcp5 tim]$ cat iptcparse-crash.php
> <?php
>
> if (! isset($argv[ 1 ]))
> { echo "Usage: php iptcparse-crash.php <filename>\n";
> exit;
> }
>
> $filename = $argv[ 1 ];
>
> $buffer = "";
>
> getimagesize($filename,&$info);
>
> if (isset($info[ "APP13" ]))
> $buffer = $info[ "APP13" ];
> else
> { $fp = fopen($filename,"r");
> if ($fp)
> { $buffer = fread($fp,filesize($filename));
> fclose($fp);
> }
> }
>
> $ok = 0;
>
> if ($buffer != "")
> { echo "before iptcparse() ...\n";
> $iptc = iptcparse($buffer);
> echo "... after iptcparse()\n";
> }
>
> ?>
> [tim@dhcp5 tim]$ php -v
> 4.0.6
> [tim@dhcp5 tim]$ php -q iptcparse-crash.php crash.pcd
> before iptcparse() ...
> FATAL: emalloc(): Unable to allocate -4095 bytes
> ==============================================
>
> --
> Edit bug report at: http://bugs.php.net/?id=12141&edit=1
>
>
> --
> PHP Development Mailing List <http://www.php.net/>
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]
> To contact the list administrators, e-mail: [EMAIL PROTECTED]
>
Index: iptc.c
===================================================================
RCS file: /repository/php4/ext/standard/iptc.c,v
retrieving revision 1.29
diff -u -r1.29 iptc.c
--- iptc.c 6 Jun 2001 13:05:51 -0000 1.29
+++ iptc.c 13 Jul 2001 14:33:53 -0000
@@ -351,7 +351,7 @@
sprintf(key,"%d#%03d",(unsigned int) dataset,(unsigned int) recnum);
- if ((inx + len) > length)
+ if ((len > length) || (inx + len) > length)
break;
if (tagsfound == 0) { /* found the 1st tag - initialize the return
array */
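Review bot: the new test on the `+` line still evaluates `inx + len`, and it is only safe if `len` is an unsigned type, which this hunk does not show. If `len` is signed, a negative value such as the -4095 from the report passes both `len > length` and `(inx + len) > length`, and the allocation further down still receives it. If it is unsigned, the added `len > length` catches the wrapped value (4294963201 in the PHP 3 report), but the check would be easier to audit without the addition, for example `if (inx > length || len > length - inx) break;`, so it does not depend on the first operand guarding the second. Separately, the context line `sprintf(key,"%d#%03d",...)` passes `unsigned int` arguments to `%d`; `%u` would match the casts, and a bounded write (`snprintf` with `sizeof(key)`) would make the buffer size explicit, since the declaration of `key` is not visible here.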