diff options
author | Christoph M. Becker <cmbecker69@gmx.de> | 2018-06-30 16:29:29 +0200 |
---|---|---|
committer | Christoph M. Becker <cmbecker69@gmx.de> | 2018-06-30 16:29:30 +0200 |
commit | ae04110032702622d59c21f9e615120d9479157a (patch) | |
tree | 3990f71362820f2479eaed364d5546d4be723c73 | |
parent | 962706d16c29ec6dd5ec3a78edae9e8907bca20a (diff) | |
download | php-git-ae04110032702622d59c21f9e615120d9479157a.tar.gz |
Fix #71848: getimagesize with $imageinfo returns false
Some JFIF images contain empty APP segments, i.e. those which consist
only of the marker bytes and the length, but without actual content.
It appears to be doubtful to have empty APP segments, but we should
apply the robustness principle, and accept these, instead of simply
failing in this case.
We choose to add empty APP segments to $imageinfo with an empty string
as value, instead of NULL, or even to omit these segments altogether.
This patch also fixes the potential issue that php_stream_read() might
not read the supposed number of bytes, which could result in garbage to
be added to the read value.
-rw-r--r-- | NEWS | 1 | ||||
-rw-r--r-- | ext/standard/image.c | 2 | ||||
-rw-r--r-- | ext/standard/tests/image/bug71848.jpg | bin | 0 -> 699 bytes | |||
-rw-r--r-- | ext/standard/tests/image/bug71848.phpt | 32 |
4 files changed, 34 insertions, 1 deletions
@@ -32,6 +32,7 @@ PHP NEWS - Standard: . Fixed bug #76505 (array_merge_recursive() is duplicating sub-array keys). (Laruence) + . Fixed bug #71848 (getimagesize with $imageinfo returns false). (cmb) 22 Jun 2019, PHP 7.1.19 diff --git a/ext/standard/image.c b/ext/standard/image.c index 722497f5e8..395063abb7 100644 --- a/ext/standard/image.c +++ b/ext/standard/image.c @@ -453,7 +453,7 @@ static int php_read_APP(php_stream * stream, unsigned int marker, zval *info) buffer = emalloc(length); - if (php_stream_read(stream, buffer, (zend_long) length) <= 0) { + if (php_stream_read(stream, buffer, (zend_long) length) != length) { efree(buffer); return 0; } diff --git a/ext/standard/tests/image/bug71848.jpg b/ext/standard/tests/image/bug71848.jpg Binary files differnew file mode 100644 index 0000000000..9588dbe00b --- /dev/null +++ b/ext/standard/tests/image/bug71848.jpg diff --git a/ext/standard/tests/image/bug71848.phpt b/ext/standard/tests/image/bug71848.phpt new file mode 100644 index 0000000000..d96ac1c537 --- /dev/null +++ b/ext/standard/tests/image/bug71848.phpt @@ -0,0 +1,32 @@ +--TEST-- +Bug #71848 (getimagesize with $imageinfo returns false) +--FILE-- +<?php +var_dump(getimagesize(__DIR__ . '/bug71848.jpg', $info)); +var_dump(array_keys($info)); +?> +===DONE=== +--EXPECT-- +array(7) { + [0]=> + int(8) + [1]=> + int(8) + [2]=> + int(2) + [3]=> + string(20) "width="8" height="8"" + ["bits"]=> + int(8) + ["channels"]=> + int(3) + ["mime"]=> + string(10) "image/jpeg" +} +array(2) { + [0]=> + string(4) "APP0" + [1]=> + string(4) "APP5" +} +===DONE=== |