From 1b43f9504020a1fa607eb58b81defaba9d8cfd6b Mon Sep 17 00:00:00 2001
From: Michael Wallner
Date: Mon, 21 Oct 2013 21:48:27 +0200
Subject: [PATCH] Merged PR #293 (Exif crash on unknown encoding was fixed) By: Draal Conflicts: configure.in main/php_version.h
---
 ext/exif/exif.c | 12 +++++++-----
 ext/exif/tests/exif_encoding_crash.jpg | Bin 0 -> 7599 bytes
 ext/exif/tests/exif_encoding_crash.phpt | 14 ++++++++++++++
 3 files changed, 21 insertions(+), 5 deletions(-)
 create mode 100644 ext/exif/tests/exif_encoding_crash.jpg
 create mode 100644 ext/exif/tests/exif_encoding_crash.phpt
diff --git a/ext/exif/exif.c b/ext/exif/exif.c
index bd646d9adf1..2fe54f7b31c 100644
--- a/ext/exif/exif.c
+++ b/ext/exif/exif.c
@@ -2643,6 +2643,7 @@ static int exif_process_user_comment(image_info_type *ImageInfo, char **pszInfoP
 } else {
 decode = ImageInfo->decode_unicode_le;
 }
+ /* XXX this will fail again if encoding_converter returns on error something different than SIZE_MAX */
 if (zend_multibyte_encoding_converter(
 (unsigned char**)pszInfoPtr,
 &len,
@@ -2650,7 +2651,7 @@ static int exif_process_user_comment(image_info_type *ImageInfo, char **pszInfoP
 ByteCount,
 zend_multibyte_fetch_encoding(ImageInfo->encode_unicode TSRMLS_CC),
 zend_multibyte_fetch_encoding(decode TSRMLS_CC)
- TSRMLS_CC) < 0) {
+ TSRMLS_CC) == (size_t)-1) {
 len = exif_process_string_raw(pszInfoPtr, szValuePtr, ByteCount);
 }
 return len;
@@ -2663,6 +2664,7 @@ static int exif_process_user_comment(image_info_type *ImageInfo, char **pszInfoP
 *pszEncoding = estrdup((const char*)szValuePtr);
 szValuePtr = szValuePtr+8;
 ByteCount -= 8;
+ /* XXX this will fail again if encoding_converter returns on error something different than SIZE_MAX */
 if (zend_multibyte_encoding_converter(
 (unsigned char**)pszInfoPtr,
 &len,
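Review bot: The fallback at the `TSRMLS_CC) == (size_t)-1) {` line of the hunk at -2650 still depends entirely on the converter's return convention, which the added XXX comment itself flags, while both `zend_multibyte_fetch_encoding()` results are passed in unchecked. If that function can return NULL for an unrecognised encoding name (the commit title suggests this is the crash path), testing the results first would make the raw-copy fallback independent of the sentinel: hoist them into locals `to` and `from` and write `if (!to || !from || zend_multibyte_encoding_converter(..., to, from TSRMLS_CC) == (size_t)-1) {`. The same pattern recurs in the hunks at -2670 and -2709. The body of exif_process_user_comment begins and ends outside these hunks, so the declarations of `len` and `decode` are not visible here.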
@@ -2670,7 +2672,7 @@ static int exif_process_user_comment(image_info_type *ImageInfo, char **pszInfoP
 ByteCount,
 zend_multibyte_fetch_encoding(ImageInfo->encode_jis TSRMLS_CC),
 zend_multibyte_fetch_encoding(ImageInfo->motorola_intel ? ImageInfo->decode_jis_be : ImageInfo->decode_jis_le TSRMLS_CC)
- TSRMLS_CC) < 0) {
+ TSRMLS_CC) == (size_t)-1) {
 len = exif_process_string_raw(pszInfoPtr, szValuePtr, ByteCount);
 }
 return len;
@@ -2700,8 +2702,8 @@ static int exif_process_user_comment(image_info_type *ImageInfo, char **pszInfoP
 static int exif_process_unicode(image_info_type *ImageInfo, xp_field_type *xp_field, int tag, char *szValuePtr, int ByteCount TSRMLS_DC)
 {
 xp_field->tag = tag;
-
- /* Copy the comment */
+
+ /* XXX this will fail again if encoding_converter returns on error something different than SIZE_MAX */
 if (zend_multibyte_encoding_converter(
 (unsigned char**)&xp_field->value,
 &xp_field->size,
@@ -2709,7 +2711,7 @@ static int exif_process_unicode(image_info_type *ImageInfo, xp_field_type *xp_fi
 ByteCount,
 zend_multibyte_fetch_encoding(ImageInfo->encode_unicode TSRMLS_CC),
 zend_multibyte_fetch_encoding(ImageInfo->motorola_intel ? ImageInfo->decode_unicode_be : ImageInfo->decode_unicode_le TSRMLS_CC)
- TSRMLS_CC) < 0) {
+ TSRMLS_CC) == (size_t)-1) {
 xp_field->size = exif_process_string_raw(&xp_field->value, szValuePtr, ByteCount);
 }
 return xp_field->size;
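Review bot: The XXX comment added in the hunk at -2700 replaces `/* Copy the comment */`, so the block in exif_process_unicode no longer says what it does, only that the check might stop working. A comment that states the contract being relied on would serve the next reader better, for example `/* Convert the value to ImageInfo->encode_unicode; the converter signals failure with (size_t)-1, in which case fall back to a raw copy */`. The same wording would suit the two XXX comments added in exif_process_user_comment. The call this comment describes continues in the following hunk.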
diff --git a/ext/exif/tests/exif_encoding_crash.jpg b/ext/exif/tests/exif_encoding_crash.jpg new file mode 100644 index 0000000000000000000000000000000000000000..55138abe55210de94674b32ad39676608e88b3ab GIT binary patch literal 7599 zcmeHMTW}Lq7(Sa#nlvrYlyVUnUCJeep-r-Ffvjn;qy&ogLRu~OWSVT7we4=$-I}yB zK7bd{@u7`(24{d)MIW321yN^I6a{<(Z-72n@A4wx-O-8vIoWK|(jrmu#hmPE{`2pD zzW@Kf^Y58%PV#i}Q&h6S-{?mawB^)tgpy-L53Y?1T?jQbp=Agm3o4>!AOlFH&=XV% zk*y$)Ql*H7Zwfw$nukn8M(BC!T3tRwRcJPVK)J}=>%i_ciY0Ox$e$QyW^lF($e6;R zxLvz2GTH$BJap9DcvDL=<7)}Dwgl?i8(W$+O@rGBcX9M267pRimO6Q+H6p2!5|N^e zuWbcW(IJRoDW)t%tkYG^Ia$uRiorrP$GQ>oFMS}2CEIqU8K5oOp48=%9pzf4z}pVH zCWjFkLdXpBj82wy4bf?4=($5iU0yy+rEDkz4aOpAl z9L)w+eR|k(Wr)rGafbSF-J#D8h$0{3p5$q zr}M>fI$taoX4zP?BcZa$93QVj9LVG3?I%;V74LAUC)Q_HwmuG$S(rk=8N2;FcD zQa*(ca~L7h37Cr;U~N2rP?-&6{3KAou7NTTAJ`8y{~Y`UHu5dcK%Rj-19=AW4CER3 ze=?99o3SsVs!`725S6MR{-3rgB=tGs!KlMk<#Zs=>UcC5>fu$UlkXP9I{SC8zHVoP zaGkxQw#nHP_3;s5{h-XZ4K}xj275y8uzj`H>WOplzGxq>2AOzYuc&bGIy(X9K*nl^ zogpS_Po2H7FWAj<9DXTim!w|CUB$9?z>vdTT%f_PA;754u7w(l#j0Y}Rg&E8aJk)X zhm&=%Y$aG!Dg&Y#j8}@vLO`%G1fzjhLb4E51xaKuX0TK0SL^I{E2Ba4;918WM+3e? zcmOnp@!%onllr2P$cw7tlf*8eyI&4sXl#)3*T!!lgVd;3@VYz>>=z_#qpR7;)zy=$ zo#WK0f#%8M_^ZG&k;}ZI@ZmLrsLorq>|25VA|nCy*^>HuhS>DN{WCz31YW5?d*~p(KY^)OLlptgG4Zx?J^^cajsudAjm+<-|Zv#`)^X)0GngIT`1x zD^FKW4CG||-&9xTt(zC&RXYan)X9&L4}Qm|@TE1{MB`RqG}0z>f!U0^rLd^bVzFAx zX6rPowWt`Hxp4Z7X~omAj6v{pJPWR3i`jxLa%;&qkj(&hm7DW5to5&3-?*Wz{gzuh zHf_Ew6z03SBf=eu+J9#(J}`LqJ@?+XeaHO|Bp!PBkw+hU{E3}=M@FA|`k8&tK6l`S z7Y`nK>F~?1y!qDAx8FH-{KUJb-h2Op4?jA6=Iq#KpMUY?S6_eg?YRpVzyIOKpML)3 z*WYknaAK57OV4aVUN(HZ0&8G2ntj!;b6!{+t6zC$M1U|sGyT){scQ3 BQ}O@+ literal 0 HcmV?d00001 diff --git a/ext/exif/tests/exif_encoding_crash.phpt b/ext/exif/tests/exif_encoding_crash.phpt new file mode 100644 index 00000000000..1c4ad638603 --- /dev/null +++ b/ext/exif/tests/exif_encoding_crash.phpt 
@@ -0,0 +1,14 @@ +--TEST-- +PHP crash when zend_multibyte_encoding_converter returns (size_t)-1) +--SKIPIF-- + +--FILE-- + +===DONE=== +--EXPECT-- +*** no core dump *** +===DONE===