Different manufacturer models may come with a
different endianness (motorola/intel) format. In
order to avoid a big refactor and a gigantic lookup
table, this commit simply attempts to switch the
endianness and proceed when values are acceptable.
Closes GH-5849.
Even if the length of a maker note does not match our expectations
(either because the maker note is corrupted, or because our
expectations do not quite match reality), there is no need to let
parsing fail; we can still go on parsing the other meta information.
Use convert_any_int instead of convert_any_format to directly get
an integer.
Also adjust SRATIONAL handling to not go through a double division.
This was introduced to avoid SIGFPE for the INT_MIN / -1 case,
but we can just handle that explicitly.
exif_process_IFD_TAG() currently accepts a dir_entry, offset_base
and IFDlength. However, it's very hard to follow how these values
are related to each other and the addressable memory region. As we
add additional bounds check, this gets further confused.
One of the basic cases is where dir_entry is in
[offset_base, offset_base+IFDlength), in which case the memory
[dir_entry, offset_base+IFDlength) is valid, but the memory
[offset_base, dir_entry) is not necessarily valid. I wasn't able
to understand what exactly is valid if dir_entry is outside
[offset_base, offset_base+IFDlength)
This patch changes everything to use a struct that separately stores
offset_base and the valid memory region and adds helpers to fetch
offsets and check that pointers are in-bounds.
Closes GH-5068.
* PHP-7.4:
Fix test
Fix bug #78793
Fix build - no model field anymore
Fixed bug #78910Fix#78878: Buffer underflow in bc_shift_addsub
Fix test
Fix#78862: link() silently truncates after a null byte on Windows
Fix#78863: DirectoryIterator class silently truncates after a null byte
Fix#78943: mail() may release string with refcount==1 twice
* PHP-7.3:
Fixed bug #78910Fix#78878: Buffer underflow in bc_shift_addsub
Fix test
Fix#78862: link() silently truncates after a null byte on Windows
Fix#78863: DirectoryIterator class silently truncates after a null byte
Fix#78943: mail() may release string with refcount==1 twice
* PHP-7.2:
Fixed bug #78910Fix#78878: Buffer underflow in bc_shift_addsub
Fix test
Fix#78862: link() silently truncates after a null byte on Windows
Fix#78863: DirectoryIterator class silently truncates after a null byte
Emitting errors is fairly expensive, to the point that parsing
a file with a huge number of invalid tags can take seconds.
Generating ten thousand errors is unlikely to help anybody, but
constitutes a potential DOS vector.
