On Fri, Jul 13, 2001 at 01:08:26PM -0000, [EMAIL PROTECTED] wrote:
> From: [EMAIL PROTECTED]
> Operating system: RedHat Linux 7.1 (Intel)
> PHP version: 4.0.6
> PHP Bug Type: Reproducible crash
> Bug description: iptcparse crashes with one specific PhotoCD file

patch attached - btw: there is no valid IPTC in this file;-)

tc

>
> I have one PCD (Kodak PhotoCD) file which crashes PHP when I run iptcparse
> on its contents.
>
> The error message is "FATAL: emalloc(): Unable to allocate -4095
> bytes".
>
> Unfortunately, I wasn't able to produce a core file (probably too dumb to
> configure with --enable-debug). PHP was configured "plain" (just
> "./configure", "make", "make install").
>
> I can reproduce this crash with PHP 4.0.2-dev and 3.0.13-dev (error message
> here: "FATAL: emalloc(): Unable to allocate 4294963201 bytes") under
> Solaris, and with an older PHP 4 under RedHat Linux 6.2.
>
> Hundreds of other PCD files work fine, some of them bigger than my example
> file.
>
> You can download this PCD file from http://www.digicol.de/crash.html (it's
> nearly 5 MB).
>
> This is how you can reproduce the crash:
> ==============================================
> [tim@dhcp5 tim]$ ll
> insgesamt 7896
> -rw-rw-r-- 1 tim tim 4898816 Jun 22 11:48 crash.pcd
> -rw-rw-r-- 1 tim tim 510 Jun 22 12:06 iptcparse-crash.php
> [tim@dhcp5 tim]$ cat iptcparse-crash.php
> <?php
>
> if (! isset($argv[ 1 ]))
> { echo "Usage: php iptcparse-crash.php <filename>\n";
>   exit;
> }
>
> $filename = $argv[ 1 ];
>
> $buffer = "";
>
> getimagesize($filename,&$info);
>
> if (isset($info[ "APP13" ]))
>   $buffer = $info[ "APP13" ];
> else
> { $fp = fopen($filename,"r");
>   if ($fp)
>   { $buffer = fread($fp,filesize($filename));
>     fclose($fp);
>   }
> }
>
> $ok = 0;
>
> if ($buffer != "")
> { echo "before iptcparse() ...\n";
>   $iptc = iptcparse($buffer);
>   echo "... after iptcparse()\n";
> }
>
> ?>
> [tim@dhcp5 tim]$ php -v
> 4.0.6
> [tim@dhcp5 tim]$ php -q iptcparse-crash.php crash.pcd
> before iptcparse() ...
> FATAL: emalloc(): Unable to allocate -4095 bytes
> ==============================================
>
> --
> Edit bug report at: http://bugs.php.net/?id=12141&edit=1
>
>
> --
> PHP Development Mailing List <http://www.php.net/>
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]
> To contact the list administrators, e-mail: [EMAIL PROTECTED]
>
Index: iptc.c =================================================================== RCS file: /repository/php4/ext/standard/iptc.c,v retrieving revision 1.29 diff -u -r1.29 iptc.c --- iptc.c 6 Jun 2001 13:05:51 -0000 1.29 +++ iptc.c 13 Jul 2001 14:33:53 -0000 @@ -351,7 +351,7 @@ sprintf(key,"%d#%03d",(unsigned int) dataset,(unsigned int) recnum); - if ((inx + len) > length) + if ((len > length) || (inx + len) > length) break; if (tagsfound == 0) { /* found the 1st tag - initialize the return array */
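Review bot: In the changed condition at line 351, `(inx + len) > length` is still evaluated as a sum, so the fix depends on `len > length` catching every value that would make `inx + len` wrap, and that only holds if `len` can never be negative. The declarations of `len`, `inx` and `length` are outside this hunk, so please confirm their types; the reported allocation sizes (-4095 bytes, and 4294963201 bytes on the older build) point at a length field that wrapped or went negative before reaching emalloc(). If `len` is signed, add an explicit `len < 0` rejection. Writing the bound as `len > length - inx` (with `inx <= length` already guaranteed by the loop) avoids the addition entirely and makes the single comparison sufficient. A one-line comment saying the length comes straight from untrusted file data would also help the next reader.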