* PHP-7.1:
Fix bug #73737 FPE when parsing a tag format
Fix bug #73773 - Seg fault when loading hostile phar
Fix bug #73825 - Heap out of bounds read on unserialize in finish_nested_data()
Fix bug #73768 - Memory corruption when loading hostile phar
Fix int overflows in phar (bug #73764)
* PHP-7.0:
Fix bug #73737 FPE when parsing a tag format
Fix bug #73773 - Seg fault when loading hostile phar
Fix bug #73825 - Heap out of bounds read on unserialize in finish_nested_data()
Fix bug #73768 - Memory corruption when loading hostile phar
Fix int overflows in phar (bug #73764)
* PHP-5.6:
Fix bug #73737 FPE when parsing a tag format
Fix bug #73773 - Seg fault when loading hostile phar
Fix bug #73825 - Heap out of bounds read on unserialize in finish_nested_data()
Fix bug #73768 - Memory corruption when loading hostile phar
Fix int overflows in phar (bug #73764)
* PHP-7.0: (34 commits)
Fix URL rewriter partially
Support "git worktree"
Add NEWS
Fix ASSERT logic
Bugfix 72791: fix memory leak in PDO persistent connections
Don't copy mime types in CLI server
Remove obsolete Id tags
Bump version in OCI8 test
Fixed bug #72788 (Invalid memory access when using persistent PDO connection)
Remove typo'd commit
Fix bug 72788: Invalid memory access when database_object_handle is undefined. Also fix memory leak in dbh_free when using persistent PDO connections.
Replace dead branch with ZEND_ASSERT()
Add test for bug #69107: finfo no longer detects PHP files
Fix bug #55451
Fix stream_socket_enable_crypto() test
Remove old $Id$ tags
Sync with 7.1 branch changes from Nikita & Dimitri to keep OCI8 code identical
Fix bug #72524 (Binding null values triggers ORA-24816 error)
Fix the fix (Nikita), thanks!
Check the return value of dbconvert() in mssql_guid_string(), as it may return -1 in case the conversion failed. In that case false is returned.
...
Conflicts:
ext/standard/ftp_fopen_wrapper.c
Unlike the original patch, this does not return an unknown format in case an unsigned compatible type cannot be found (cases for SINGLE and DOUBLE removed), as these seems rare cases according to the inline comments.
Note, the test does not test if PHP is in debug mode, although the report originally states it only occurs there only.
The fix is based on a patch by hlt99 at blinkenshell dot org
This patch changes processing a little and causes some crafted tags to not be parsed and generate a warning.
This is a slight BC break from earlier versions, since it will no longer return the tags of that it was mismatching (see bug68799.phpt), namely the "WINXP" section and the "Author" tag is no longer returned due to this. Although this BC break is merely only for crafted tags, this can also have some real life effects on pictures re-saved from editors that can cause bad exif data writes, so lets keep it here.
Sony is a little more interesting, as it is have a large range of tags it support in different models. For now I have added all the tags found within the Exif.Sony1 namespace.
Before this patch, exif_process_IFD_in_MAKERNOTE() would return false, then causing the rest of the EXIF parsing to be interrupted. This is a regression from earlier which was most likely a part of a security fix for MAKERNOTE.
The new behavior is to instead of stopping to parse, to continue so we can still fetch data like thumbnail and GPS, thrus allowing yet unsupported formats to parse. If EXIF's debugging mode is enabled, a notice will display in case we do not match against a valid MAKERNOTE signature.
This should temporarily fix bug #72682 (exif_read_data() fails to read all data for some images) until I get around to debug it further.
Before this patch, exif_process_IFD_in_MAKERNOTE() would return false, then causing the rest of the EXIF parsing to be interrupted. This is a regression from earlier which was most likely a part of a security fix for MAKERNOTE.
The new behavior is to instead of stopping to parse, to continue so we can still fetch data like thumbnail and GPS, thrus allowing yet unsupported formats to parse. If EXIF's debugging mode is enabled, a notice will display in case we do not match against a valid MAKERNOTE signature.
This should temporarily fix bug #72682 (exif_read_data() fails to read all data for some images) until I get around to debug it further.
(cherry picked from commit aabcb5481d)
Before this patch, exif_process_IFD_in_MAKERNOTE() would return false, then causing the rest of the EXIF parsing to be interrupted. This is a regression from earlier which was most likely a part of a security fix for MAKERNOTE.
The new behavior is to instead of stopping to parse, to continue so we can still fetch data like thumbnail and GPS, thrus allowing yet unsupported formats to parse. If EXIF's debugging mode is enabled, a notice will display in case we do not match against a valid MAKERNOTE signature.
This should temporarily fix bug #72682 (exif_read_data() fails to read all data for some images) until I get around to debug it further.
There are two factors for this bug fix:
- First of all, the maximum nesting level has been increased to 150 (previously 100), I'm not sure how much an impact this will have, but increasing this value also seems to resolve PHP bug #66443 (Corrupt EXIF header: maximum directory nesting level reached for some cameras.)
- Second, this adds support for most common Panasonic EXIF tags, again this list is based off the Exiv2 website
Note about Panasonic's format:
From what I could find, then the offset was always 12 bytes for such, the signature always had the 'P' capitalized, and the rest lower cased, followed by 3 NULL bytes
@Remi, can you review this? I'm gonna look into Sony (which is huge btw!) and your patch next
It seems like there is no maker data for "Samsung", this causes the IDF tag parsing to fail, and it bails early on, despite there still is valid remaining data in image, such as the thumbnail data as reported in the bug.
I used the Exiv2 website as a reference guide for tags that's specific to Samsung's EXIF data, which should also mean that we will be able to name some of those tags more specifically now.
I have chosen again not to commit this to other branches, simply because I'm not 100% sure on the byte order and offsets for Samsung, I did some research and it seems like there are many variants, but this (very copy/pasted), entry works for this particular image and does not break any other tests. This does add a new feature I suppose, while also fixing a bug, but I will leave it to the other branch RMs to decide on how far down they will want to merge this.
This reverts commit 406dff2a02.
This seems to break more than expected and other tests seems to fail:
- bug60150.phpt
- bug62523_2.phpt
- bug72603.phpt
- bug72618.phpt
I'm gonna go do around of thinking and see if I can come up with a better fix
This fix is only committed to master for now. I'm no exif expert on this matter, so someone else might want to take a look over this and merge as wanted in case this will break something.
In exif_process_IFD_in_JPEG() we loop over the tag entries and try to process the IFD tag, this is fine and all, however in case one fail to process correctly, the entire routine is aborted, which means that other possible data, such as the thumbnail data as reported in #72735 may not be read, despite it is there, perfectly valid.
Also, big props to whoever added EXIF_DEBUG, this rocks!
* PHP-7.0: (27 commits)
fix#72519, possible OOB using imagegif
fix#72512, invalid read or write for palette image when invalid transparent index is used
Apparently some envs miss SIZE_MAX
Fix tests
Fix bug #72618: NULL Pointer Dereference in exif_process_user_comment
Partial fix for bug #72613 - do not allow reading past error read
Partial fix for bug #72613 - do not treat negative returns from bz2 as size_t
Fix bug #72606: heap-buffer-overflow (write) simplestring_addn simplestring.c
Fix for bug #72558, Integer overflow error within _gdContributionsAlloc()
Fix bug #72603: Out of bound read in exif_process_IFD_in_MAKERNOTE
update NEWS
Fixed bug #72570 Segmentation fault when binding parameters on a query without placeholders
Fix bug #72562 - destroy var_hash properly
Fix bug #72551 and bug #72552 - check before converting size_t->int
Fix bug #72541 - size_t overflow lead to heap corruption
Fix bug #72533 (locale_accept_from_http out-of-bounds access)
Fix fir bug #72520
Fix for bug #72513
Fix for bug #72513
CS fix and comments with bug ID
...
Conflicts:
ext/standard/basic_functions.c
* PHP-5.6:
fix#72519, possible OOB using imagegif
fix#72512, invalid read or write for palette image when invalid transparent index is used
Apparently some envs miss SIZE_MAX
Fix tests
Fix bug #72618: NULL Pointer Dereference in exif_process_user_comment
Partial fix for bug #72613 - do not treat negative returns from bz2 as size_t
Fix bug #72606: heap-buffer-overflow (write) simplestring_addn simplestring.c
Fix for bug #72558, Integer overflow error within _gdContributionsAlloc()
Fix bug #72603: Out of bound read in exif_process_IFD_in_MAKERNOTE
Fix bug #72562 - destroy var_hash properly
Fix bug #72533 (locale_accept_from_http out-of-bounds access)
Fix fir bug #72520
Fix for bug #72513
Fix for bug #72513
CS fix and comments with bug ID
Fix for HTTP_PROXY issue.
5.6.24RC1
add tests for bug #72512
Fixed bug #72512 gdImageTrueColorToPaletteBody allows arbitrary write/read access
Fixed bug #72479 - same as #72434
Conflicts:
Zend/zend_virtual_cwd.c
ext/bz2/bz2.c
ext/exif/exif.c
ext/session/session.c
ext/snmp/snmp.c
ext/standard/basic_functions.c
main/SAPI.c
main/php_variables.c
* PHP-5.5:
fix#72519, possible OOB using imagegif
fix#72512, invalid read or write for palette image when invalid transparent index is used
Apparently some envs miss SIZE_MAX
Fix tests
Fix bug #72618: NULL Pointer Dereference in exif_process_user_comment
Partial fix for bug #72613 - do not treat negative returns from bz2 as size_t
Fix bug #72606: heap-buffer-overflow (write) simplestring_addn simplestring.c
Fix for bug #72558, Integer overflow error within _gdContributionsAlloc()
Fix bug #72603: Out of bound read in exif_process_IFD_in_MAKERNOTE
Fix bug #72562 - destroy var_hash properly
Fix bug #72533 (locale_accept_from_http out-of-bounds access)
Fix fir bug #72520
Fix for bug #72513
CS fix and comments with bug ID
Fix for HTTP_PROXY issue.
add tests for bug #72512
Fixed bug #72512 gdImageTrueColorToPaletteBody allows arbitrary write/read access
Fixed bug #72479 - same as #72434
Conflicts:
ext/bz2/bz2.c
main/SAPI.c
main/php_variables.c
