Commit:1b43f9504020a1fa607eb58b81defaba9d8cfd6b
Author:Michael Wallner m...@php.net Mon, 21 Oct 2013 21:48:27
+0200
Parents: 2ecf94e07efae6059e40069a7c1a895514c24466
Branches: PHP-5.4 PHP-5.5 master
Link:
http://git.php.net/?p=php-src.git;a=commitdiff;h=1b43f9504020a1fa607eb58b81defaba9d8cfd6b
Log:
Merged PR #293 (Exif crash on unknown encoding was fixed)
By:
Draal
Conflicts:
configure.in
main/php_version.h
Bugs:
https://bugs.php.net/293
Changed paths:
M ext/exif/exif.c
A ext/exif/tests/exif_encoding_crash.jpg
A ext/exif/tests/exif_encoding_crash.phpt
Diff:
diff --git a/ext/exif/exif.c b/ext/exif/exif.c
index bd646d9..2fe54f7 100644
--- a/ext/exif/exif.c
+++ b/ext/exif/exif.c
@@ -2643,6 +2643,7 @@ static int exif_process_user_comment(image_info_type
*ImageInfo, char **pszInfoP
} else {
decode = ImageInfo-decode_unicode_le;
}
+ /* XXX this will fail again if encoding_converter
returns on error something different than SIZE_MAX */
if (zend_multibyte_encoding_converter(
(unsigned char**)pszInfoPtr,
len,
@@ -2650,7 +2651,7 @@ static int exif_process_user_comment(image_info_type
*ImageInfo, char **pszInfoP
ByteCount,
zend_multibyte_fetch_encoding(ImageInfo-encode_unicode TSRMLS_CC),
zend_multibyte_fetch_encoding(decode
TSRMLS_CC)
- TSRMLS_CC) 0) {
+ TSRMLS_CC) == (size_t)-1) {
len = exif_process_string_raw(pszInfoPtr,
szValuePtr, ByteCount);
}
return len;
@@ -2663,6 +2664,7 @@ static int exif_process_user_comment(image_info_type
*ImageInfo, char **pszInfoP
*pszEncoding = estrdup((const char*)szValuePtr);
szValuePtr = szValuePtr+8;
ByteCount -= 8;
+ /* XXX this will fail again if encoding_converter
returns on error something different than SIZE_MAX */
if (zend_multibyte_encoding_converter(
(unsigned char**)pszInfoPtr,
len,
@@ -2670,7 +2672,7 @@ static int exif_process_user_comment(image_info_type
*ImageInfo, char **pszInfoP
ByteCount,
zend_multibyte_fetch_encoding(ImageInfo-encode_jis TSRMLS_CC),
zend_multibyte_fetch_encoding(ImageInfo-motorola_intel ?
ImageInfo-decode_jis_be : ImageInfo-decode_jis_le TSRMLS_CC)
- TSRMLS_CC) 0) {
+ TSRMLS_CC) == (size_t)-1) {
len = exif_process_string_raw(pszInfoPtr,
szValuePtr, ByteCount);
}
return len;
@@ -2700,8 +2702,8 @@ static int exif_process_user_comment(image_info_type
*ImageInfo, char **pszInfoP
static int exif_process_unicode(image_info_type *ImageInfo, xp_field_type
*xp_field, int tag, char *szValuePtr, int ByteCount TSRMLS_DC)
{
xp_field-tag = tag;
-
- /* Copy the comment */
+
+ /* XXX this will fail again if encoding_converter returns on error
something different than SIZE_MAX */
if (zend_multibyte_encoding_converter(
(unsigned char**)xp_field-value,
xp_field-size,
@@ -2709,7 +2711,7 @@ static int exif_process_unicode(image_info_type
*ImageInfo, xp_field_type *xp_fi
ByteCount,
zend_multibyte_fetch_encoding(ImageInfo-encode_unicode
TSRMLS_CC),
zend_multibyte_fetch_encoding(ImageInfo-motorola_intel
? ImageInfo-decode_unicode_be : ImageInfo-decode_unicode_le TSRMLS_CC)
- TSRMLS_CC) 0) {
+ TSRMLS_CC) == (size_t)-1) {
xp_field-size = exif_process_string_raw(xp_field-value,
szValuePtr, ByteCount);
}
return xp_field-size;
diff --git a/ext/exif/tests/exif_encoding_crash.jpg
b/ext/exif/tests/exif_encoding_crash.jpg
new file mode 100644
index 000..55138ab
Binary files /dev/null and b/ext/exif/tests/exif_encoding_crash.jpg differ
diff --git a/ext/exif/tests/exif_encoding_crash.phpt
b/ext/exif/tests/exif_encoding_crash.phpt
new file mode 100644
index 000..1c4ad63
--- /dev/null
+++ b/ext/exif/tests/exif_encoding_crash.phpt
@@ -0,0 +1,14 @@
+--TEST--
+PHP crash when zend_multibyte_encoding_converter returns (size_t)-1)
+--SKIPIF--
+?php if (!extension_loaded('exif')) print 'skip exif extension not