[PHP-CVS] svn: /php/php-src/ branches/PHP_5_3/NEWS branches/PHP_5_3/ext/exif/exif.c trunk/ext/exif/exif.c
iliaaTue, 12 Apr 2011 18:33:08 + Revision: http://svn.php.net/viewvc?view=revisionrevision=310167 Log: Fixed bug #54121 (error message format string typo). Bug: http://bugs.php.net/54121 (Open) php: exif error message format string typo Changed paths: U php/php-src/branches/PHP_5_3/NEWS U php/php-src/branches/PHP_5_3/ext/exif/exif.c U php/php-src/trunk/ext/exif/exif.c Modified: php/php-src/branches/PHP_5_3/NEWS === --- php/php-src/branches/PHP_5_3/NEWS 2011-04-12 17:30:42 UTC (rev 310166) +++ php/php-src/branches/PHP_5_3/NEWS 2011-04-12 18:33:08 UTC (rev 310167) @@ -34,6 +34,9 @@ - DBA extension: . Fixed bug #54242 (dba_insert returns true if key already exists). (Felipe) +- Exif extesion: + . Fixed bug #54121 (error message format string typo). (Ilia) + - Filter extension: . Fixed bug #53037 (FILTER_FLAG_EMPTY_STRING_NULL is not implemented). (Ilia) Modified: php/php-src/branches/PHP_5_3/ext/exif/exif.c === --- php/php-src/branches/PHP_5_3/ext/exif/exif.c2011-04-12 17:30:42 UTC (rev 310166) +++ php/php-src/branches/PHP_5_3/ext/exif/exif.c2011-04-12 18:33:08 UTC (rev 310167) @@ -2909,7 +2909,7 @@ fgot = php_stream_tell(ImageInfo-infile); if (fgot!=offset_val) { EFREE_IF(outside); - exif_error_docref(NULL EXIFERR_CC, ImageInfo, E_WARNING, Wrong file pointer: 0x%08X != 0x08X, fgot, offset_val); + exif_error_docref(NULL EXIFERR_CC, ImageInfo, E_WARNING, Wrong file pointer: 0x%08X != 0x%08X, fgot, offset_val); return FALSE; } fgot = php_stream_read(ImageInfo-infile, value_ptr, byte_count); Modified: php/php-src/trunk/ext/exif/exif.c === --- php/php-src/trunk/ext/exif/exif.c 2011-04-12 17:30:42 UTC (rev 310166) +++ php/php-src/trunk/ext/exif/exif.c 2011-04-12 18:33:08 UTC (rev 310167) @@ -2905,7 +2905,7 @@ fgot = php_stream_tell(ImageInfo-infile); if (fgot!=offset_val) { EFREE_IF(outside); - exif_error_docref(NULL EXIFERR_CC, ImageInfo, E_WARNING, Wrong file pointer: 0x%08X != 0x08X, fgot, offset_val); + exif_error_docref(NULL EXIFERR_CC, ImageInfo, E_WARNING, Wrong file pointer: 0x%08X != 0x%08X, fgot, offset_val); return FALSE; } fgot = php_stream_read(ImageInfo-infile, value_ptr, byte_count); -- PHP CVS Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP-CVS] svn: /php/php-src/ branches/PHP_5_3/NEWS branches/PHP_5_3/ext/exif/exif.c trunk/ext/exif/exif.c
Please commit fixes to all branches in one single commit. --Jani On 08/16/2009 05:32 PM, Ilia Alshanetsky wrote: iliaaSun, 16 Aug 2009 14:32:32 + Revision: http://svn.php.net/viewvc?view=revisionrevision=287372 Log: MFB: Added missing sanity checks around exif processing. Changed paths: U php/php-src/branches/PHP_5_3/NEWS U php/php-src/branches/PHP_5_3/ext/exif/exif.c U php/php-src/trunk/ext/exif/exif.c Modified: php/php-src/branches/PHP_5_3/NEWS === --- php/php-src/branches/PHP_5_3/NEWS 2009-08-16 14:31:27 UTC (rev 287371) +++ php/php-src/branches/PHP_5_3/NEWS 2009-08-16 14:32:32 UTC (rev 287372) @@ -1,6 +1,7 @@ PHP NEWS ||| ?? ??? 2009, PHP 5.3.1 +- Added missing sanity checks around exif processing. (Ilia) - Upgraded bundled sqlite to version 3.6.17. (Scott) - Improved dns_get_record support on windows. Always available when IPv6 is Modified: php/php-src/branches/PHP_5_3/ext/exif/exif.c === --- php/php-src/branches/PHP_5_3/ext/exif/exif.c2009-08-16 14:31:27 UTC (rev 287371) +++ php/php-src/branches/PHP_5_3/ext/exif/exif.c2009-08-16 14:32:32 UTC (rev 287372) @@ -3238,7 +3238,7 @@ { /* Check the APP1 for Exif Identifier Code */ static const uchar ExifHeader[] = {0x45, 0x78, 0x69, 0x66, 0x00, 0x00}; - if (memcmp(CharBuf+2, ExifHeader, 6)) { + if (length= 8 || memcmp(CharBuf+2, ExifHeader, 6)) { exif_error_docref(NULL EXIFERR_CC, ImageInfo, E_WARNING, Incorrect APP1 Exif Identifier Code); return; } @@ -3321,8 +3321,14 @@ } /* Read the length of the section. */ - lh = php_stream_getc(ImageInfo-infile); - ll = php_stream_getc(ImageInfo-infile); + if ((lh = php_stream_getc(ImageInfo-infile)) == EOF) { + EXIF_ERRLOG_CORRUPT(ImageInfo) + return FALSE; + } + if ((ll = php_stream_getc(ImageInfo-infile)) == EOF) { + EXIF_ERRLOG_CORRUPT(ImageInfo) + return FALSE; + } itemlen = (lh 8) | ll; @@ -3522,6 +3528,10 @@ int entry_tag , entry_type; tag_table_type tag_table = exif_get_tag_table(section_index); + if (ImageInfo-ifd_nesting_level MAX_IFD_NESTING_LEVEL) { +return FALSE; +} + if (ImageInfo-FileSize= dir_offset+2) { sn = exif_file_sections_add(ImageInfo, M_PSEUDO, 2, NULL); #ifdef EXIF_DEBUG @@ -3665,6 +3675,7 @@ #ifdef EXIF_DEBUG exif_error_docref(NULL EXIFERR_CC, ImageInfo, E_NOTICE, Next IFD: %s @x%04X, exif_get_sectionname(sub_section_index), entry_offset); #endif + ImageInfo-ifd_nesting_level++; exif_process_IFD_in_TIFF(ImageInfo, entry_offset, sub_section_index TSRMLS_CC); if (section_index!=SECTION_THUMBNAIL entry_tag==TAG_SUB_IFD) { if (ImageInfo-Thumbnail.filetype != IMAGE_FILETYPE_UNKNOWN @@ -3704,6 +3715,7 @@ #ifdef EXIF_DEBUG exif_error_docref(NULL EXIFERR_CC, ImageInfo, E_NOTICE, Read next IFD (THUMBNAIL) at x%04X, next_offset); #endif + ImageInfo-ifd_nesting_level++; exif_process_IFD_in_TIFF(ImageInfo, next_offset, SECTION_THUMBNAIL TSRMLS_CC); #ifdef EXIF_DEBUG exif_error_docref(NULL EXIFERR_CC, ImageInfo, E_NOTICE, %s THUMBNAIL @0x%04X + 0x%04X, ImageInfo-Thumbnail.data ? Ignore : Read, ImageInfo-Thumbnail.offset, ImageInfo-Thumbnail.size); @@ -3776,9 +3788,7 @@ } else { exif_error_docref(NULL EXIFERR_CC, ImageInfo, E_WARNING, Invalid TIFF file); } - } - else - if (!memcmp(file_header, MM\x00\x2a, 4)) { + } else if (!memcmp(file_header, MM\x00\x2a, 4)) { ImageInfo-FileType = IMAGE_FILETYPE_TIFF_MM; ImageInfo-motorola_intel = 1; #ifdef EXIF_DEBUG Modified: php/php-src/trunk/ext/exif/exif.c === --- php/php-src/trunk/ext/exif/exif.c 2009-08-16 14:31:27 UTC (rev 287371) +++ php/php-src/trunk/ext/exif/exif.c 2009-08-16
[PHP-CVS] svn: /php/php-src/ branches/PHP_5_3/NEWS branches/PHP_5_3/ext/exif/exif.c trunk/ext/exif/exif.c
iliaaSun, 16 Aug 2009 14:32:32 + Revision: http://svn.php.net/viewvc?view=revisionrevision=287372 Log: MFB: Added missing sanity checks around exif processing. Changed paths: U php/php-src/branches/PHP_5_3/NEWS U php/php-src/branches/PHP_5_3/ext/exif/exif.c U php/php-src/trunk/ext/exif/exif.c Modified: php/php-src/branches/PHP_5_3/NEWS === --- php/php-src/branches/PHP_5_3/NEWS 2009-08-16 14:31:27 UTC (rev 287371) +++ php/php-src/branches/PHP_5_3/NEWS 2009-08-16 14:32:32 UTC (rev 287372) @@ -1,6 +1,7 @@ PHPNEWS ||| ?? ??? 2009, PHP 5.3.1 +- Added missing sanity checks around exif processing. (Ilia) - Upgraded bundled sqlite to version 3.6.17. (Scott) - Improved dns_get_record support on windows. Always available when IPv6 is Modified: php/php-src/branches/PHP_5_3/ext/exif/exif.c === --- php/php-src/branches/PHP_5_3/ext/exif/exif.c2009-08-16 14:31:27 UTC (rev 287371) +++ php/php-src/branches/PHP_5_3/ext/exif/exif.c2009-08-16 14:32:32 UTC (rev 287372) @@ -3238,7 +3238,7 @@ { /* Check the APP1 for Exif Identifier Code */ static const uchar ExifHeader[] = {0x45, 0x78, 0x69, 0x66, 0x00, 0x00}; - if (memcmp(CharBuf+2, ExifHeader, 6)) { + if (length = 8 || memcmp(CharBuf+2, ExifHeader, 6)) { exif_error_docref(NULL EXIFERR_CC, ImageInfo, E_WARNING, Incorrect APP1 Exif Identifier Code); return; } @@ -3321,8 +3321,14 @@ } /* Read the length of the section. */ - lh = php_stream_getc(ImageInfo-infile); - ll = php_stream_getc(ImageInfo-infile); + if ((lh = php_stream_getc(ImageInfo-infile)) == EOF) { + EXIF_ERRLOG_CORRUPT(ImageInfo) + return FALSE; + } + if ((ll = php_stream_getc(ImageInfo-infile)) == EOF) { + EXIF_ERRLOG_CORRUPT(ImageInfo) + return FALSE; + } itemlen = (lh 8) | ll; @@ -3522,6 +3528,10 @@ int entry_tag , entry_type; tag_table_type tag_table = exif_get_tag_table(section_index); + if (ImageInfo-ifd_nesting_level MAX_IFD_NESTING_LEVEL) { +return FALSE; +} + if (ImageInfo-FileSize = dir_offset+2) { sn = exif_file_sections_add(ImageInfo, M_PSEUDO, 2, NULL); #ifdef EXIF_DEBUG @@ -3665,6 +3675,7 @@ #ifdef EXIF_DEBUG exif_error_docref(NULL EXIFERR_CC, ImageInfo, E_NOTICE, Next IFD: %s @x%04X, exif_get_sectionname(sub_section_index), entry_offset); #endif + ImageInfo-ifd_nesting_level++; exif_process_IFD_in_TIFF(ImageInfo, entry_offset, sub_section_index TSRMLS_CC); if (section_index!=SECTION_THUMBNAIL entry_tag==TAG_SUB_IFD) { if (ImageInfo-Thumbnail.filetype != IMAGE_FILETYPE_UNKNOWN @@ -3704,6 +3715,7 @@ #ifdef EXIF_DEBUG exif_error_docref(NULL EXIFERR_CC, ImageInfo, E_NOTICE, Read next IFD (THUMBNAIL) at x%04X, next_offset); #endif + ImageInfo-ifd_nesting_level++; exif_process_IFD_in_TIFF(ImageInfo, next_offset, SECTION_THUMBNAIL TSRMLS_CC); #ifdef EXIF_DEBUG exif_error_docref(NULL EXIFERR_CC, ImageInfo, E_NOTICE, %s THUMBNAIL @0x%04X + 0x%04X, ImageInfo-Thumbnail.data ? Ignore : Read, ImageInfo-Thumbnail.offset, ImageInfo-Thumbnail.size); @@ -3776,9 +3788,7 @@ } else { exif_error_docref(NULL EXIFERR_CC, ImageInfo, E_WARNING, Invalid TIFF file); } - } - else - if (!memcmp(file_header, MM\x00\x2a, 4)) { + } else if (!memcmp(file_header, MM\x00\x2a, 4)) { ImageInfo-FileType = IMAGE_FILETYPE_TIFF_MM; ImageInfo-motorola_intel = 1; #ifdef EXIF_DEBUG Modified: php/php-src/trunk/ext/exif/exif.c === --- php/php-src/trunk/ext/exif/exif.c 2009-08-16 14:31:27 UTC (rev 287371) +++ php/php-src/trunk/ext/exif/exif.c 2009-08-16 14:32:32 UTC (rev 287372) @@ -3216,7 +3216,7 @@ { /* Check the APP1 for Exif Identifier Code */ static const uchar