From d44a3839861113dee10c7041d589096b82f23cc5 Mon Sep 17 00:00:00 2001
From: Felipe Pena <felipensp@gmail.com>
Date: Sun, 29 Apr 2012 19:12:12 -0300
Subject: [PATCH] - Added missing bound check in iptcparse() (path by chris at
 chiappa.net)

---
 ext/standard/iptc.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/ext/standard/iptc.c b/ext/standard/iptc.c
index efd4e44125f..d1cf42f2d25 100644
--- a/ext/standard/iptc.c
+++ b/ext/standard/iptc.c
@@ -342,13 +342,13 @@ PHP_FUNCTION(iptcparse)
 			len = (((unsigned short) buffer[ inx ])<<8) | (unsigned short)buffer[ inx+1 ];
 			inx += 2;
 		}
-
-		snprintf(key, sizeof(key), "%d#%03d", (unsigned int) dataset, (unsigned int) recnum);
-
-		if ((len > str_len) || (inx + len) > str_len) {
+		
+		if ((len < 0) || (len > str_len) || (inx + len) > str_len) {
 			break;
 		}
 
+		snprintf(key, sizeof(key), "%d#%03d", (unsigned int) dataset, (unsigned int) recnum);
+
 		if (tagsfound == 0) { /* found the 1st tag - initialize the return array */
 			array_init(return_value);
 		}