authorAndrei Zmievski <andrei@php.net>2005-01-22 00:01:33 +0000
committerAndrei Zmievski <andrei@php.net>2005-01-22 00:01:33 +0000
commitecb9f8668db5cc05734aa77b406028ca38ae2284 (patch)
tree505854e7dfaae7efb7793c6cfbca03ee785f28b8
parent581265f4d19ae5433e6d5f762912b68531e7a7b6 (diff)
downloadphp-git-ecb9f8668db5cc05734aa77b406028ca38ae2284.tar.gz
MFB (bugfix for 24851)
-rw-r--r--ext/exif/exif.c13
1 files changed, 12 insertions, 1 deletions
diff --git a/ext/exif/exif.c b/ext/exif/exif.c
index 034f1fb635..ed47a9601a 100644
--- a/ext/exif/exif.c
+++ b/ext/exif/exif.c
@@ -93,12 +93,13 @@ typedef unsigned char uchar;
#define EFREE_IF(ptr) if (ptr) efree(ptr)
+#define MAX_IFD_NESTING_LEVEL 5
+
static
ZEND_BEGIN_ARG_INFO(exif_thumbnail_force_ref, 1)
ZEND_ARG_PASS_INFO(0)
ZEND_END_ARG_INFO();
-
/* {{{ exif_functions[]
*/
function_entry exif_functions[] = {
@@ -1442,6 +1443,7 @@ typedef struct {
/* for parsing */
int read_thumbnail;
int read_all;
+ int ifd_nesting_level;
/* internal */
file_section_list file;
} image_info_type;
@@ -2711,6 +2713,13 @@ static int exif_process_IFD_TAG(image_info_type *ImageInfo, char *dir_entry, cha
size_t byte_count, offset_val, fpos, fgot;
xp_field_type *tmp_xp;
+ /* Protect against corrupt headers */
+ if (ImageInfo->ifd_nesting_level > MAX_IFD_NESTING_LEVEL) {
+ exif_error_docref("exif_read_data#error_ifd" TSRMLS_CC, ImageInfo, E_WARNING, "corrupt EXIF header: maximum directory nesting level reached");
+ return FALSE;
+ }
+ ImageInfo->ifd_nesting_level++;
+
tag = php_ifd_get16u(dir_entry, ImageInfo->motorola_intel);
format = php_ifd_get16u(dir_entry+2, ImageInfo->motorola_intel);
components = php_ifd_get32u(dir_entry+4, ImageInfo->motorola_intel);
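Review bot: The counter added at the top of exif_process_IFD_TAG is incremented on every call but never decremented: the diffstat reports 12 insertions, all 12 are visible on this page, none is a decrement, and the only reset is `ImageInfo->ifd_nesting_level = 0;` in exif_read_file. As written it counts tags processed per file rather than IFD nesting depth, so a well-formed image with more than six tags would presumably hit the "maximum directory nesting level reached" warning and lose the rest of its metadata, while the recursion on corrupt headers is bounded only as a side effect. Pair the increment with `ImageInfo->ifd_nesting_level--;` on every return path after it; the simplest shape is to move the existing body into a static helper and leave this function doing only the check, the increment, the call and the decrement. The guard also compares with `>`, so a sixth level passes with a limit of 5; `>=` would match the name MAX_IFD_NESTING_LEVEL. The function body continues outside the hunk, so its return paths cannot be checked from here.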
@@ -3739,6 +3748,8 @@ static int exif_read_file(image_info_type *ImageInfo, char *FileName, int read_t
}
}
+ ImageInfo->ifd_nesting_level = 0;
+
/* Scan the JPEG headers. */
ret = exif_scan_FILE_header(ImageInfo TSRMLS_CC);