archive/php-src
1
0
Fork 0
mirror of https://github.com/php/php-src.git synced 2025-08-15 21:48:51 +02:00
Code Issues Projects Releases Packages Wiki Activity Actions 3

Merged PR #293 (Exif crash on unknown encoding was fixed)

Browse source 
By:
	Draal
Conflicts:
	configure.in
	main/php_version.h
This commit is contained in:
Michael Wallner 2013-10-21 21:48:27 +02:00
parent 2ecf94e07e
commit 1b43f95040
3 changed files with 21 additions and 5 deletions
Download patch file Download diff file Expand all files Collapse all files

10
ext/exif/exif.c
View file

@ -2643,6 +2643,7 @@ static int exif_process_user_comment(image_info_type *ImageInfo, char **pszInfoP
} else {
decode = ImageInfo->decode_unicode_le;
}
/* XXX this will fail again if encoding_converter returns on error something different than SIZE_MAX */
if (zend_multibyte_encoding_converter(
(unsigned char**)pszInfoPtr,
&len,
@ -2650,7 +2651,7 @@ static int exif_process_user_comment(image_info_type *ImageInfo, char **pszInfoP
ByteCount,
zend_multibyte_fetch_encoding(ImageInfo->encode_unicode TSRMLS_CC),
zend_multibyte_fetch_encoding(decode TSRMLS_CC)
TSRMLS_CC) < 0) {
TSRMLS_CC) == (size_t)-1) {
len = exif_process_string_raw(pszInfoPtr, szValuePtr, ByteCount);
}
return len;
@ -2663,6 +2664,7 @@ static int exif_process_user_comment(image_info_type *ImageInfo, char **pszInfoP
*pszEncoding = estrdup((const char*)szValuePtr);
szValuePtr = szValuePtr+8;
ByteCount -= 8;
/* XXX this will fail again if encoding_converter returns on error something different than SIZE_MAX */
if (zend_multibyte_encoding_converter(
(unsigned char**)pszInfoPtr,
&len,
@ -2670,7 +2672,7 @@ static int exif_process_user_comment(image_info_type *ImageInfo, char **pszInfoP
ByteCount,
zend_multibyte_fetch_encoding(ImageInfo->encode_jis TSRMLS_CC),
zend_multibyte_fetch_encoding(ImageInfo->motorola_intel ? ImageInfo->decode_jis_be : ImageInfo->decode_jis_le TSRMLS_CC)
TSRMLS_CC) < 0) {
TSRMLS_CC) == (size_t)-1) {
len = exif_process_string_raw(pszInfoPtr, szValuePtr, ByteCount);
}
return len;
@ -2701,7 +2703,7 @@ static int exif_process_unicode(image_info_type *ImageInfo, xp_field_type *xp_fi
{
xp_field->tag = tag;
/* Copy the comment */
/* XXX this will fail again if encoding_converter returns on error something different than SIZE_MAX */
if (zend_multibyte_encoding_converter(
(unsigned char**)&xp_field->value,
&xp_field->size,
@ -2709,7 +2711,7 @@ static int exif_process_unicode(image_info_type *ImageInfo, xp_field_type *xp_fi
ByteCount,
zend_multibyte_fetch_encoding(ImageInfo->encode_unicode TSRMLS_CC),
zend_multibyte_fetch_encoding(ImageInfo->motorola_intel ? ImageInfo->decode_unicode_be : ImageInfo->decode_unicode_le TSRMLS_CC)
TSRMLS_CC) < 0) {
TSRMLS_CC) == (size_t)-1) {
xp_field->size = exif_process_string_raw(&xp_field->value, szValuePtr, ByteCount);
}
return xp_field->size;

BIN
ext/exif/tests/exif_encoding_crash.jpg Normal file
View file

Binary file not shown.
Side by side

After

Width:  |  Height:  |  Size: 7.4 KiB

14
ext/exif/tests/exif_encoding_crash.phpt Normal file
View file

@ -0,0 +1,14 @@
--TEST--
PHP crash when zend_multibyte_encoding_converter returns (size_t)-1)
--SKIPIF--
<?php if (!extension_loaded('exif')) print 'skip exif extension not available';?>
--FILE--
<?php
$infile = dirname(__FILE__).'/exif_encoding_crash.jpg';
$exif_data = exif_read_data($infile);
echo "*** no core dump ***\n";
?>
===DONE===
--EXPECT--
*** no core dump ***
===DONE===