diff options
| author | Felipe Pena <felipensp@gmail.com> | 2012-04-29 19:12:12 -0300 |
|---|---|---|
| committer | Felipe Pena <felipensp@gmail.com> | 2012-04-29 19:12:12 -0300 |
| commit | d44a3839861113dee10c7041d589096b82f23cc5 (patch) | |
| tree | 3613cb79aed5c72f7579db4db89ebc4fc579e073 | |
| parent | dc6d283b1c277c2c99a794d17a2e2540a9f2e60e (diff) | |
| download | php-git-d44a3839861113dee10c7041d589096b82f23cc5.tar.gz | |
- Added missing bound check in iptcparse() (path by chris at chiappa.net)
| -rw-r--r-- | ext/standard/iptc.c | 8 |
1 files changed, 4 insertions, 4 deletions
diff --git a/ext/standard/iptc.c b/ext/standard/iptc.c index efd4e44125..d1cf42f2d2 100644 --- a/ext/standard/iptc.c +++ b/ext/standard/iptc.c @@ -342,13 +342,13 @@ PHP_FUNCTION(iptcparse) len = (((unsigned short) buffer[ inx ])<<8) | (unsigned short)buffer[ inx+1 ]; inx += 2; } - - snprintf(key, sizeof(key), "%d#%03d", (unsigned int) dataset, (unsigned int) recnum); - - if ((len > str_len) || (inx + len) > str_len) { + + if ((len < 0) || (len > str_len) || (inx + len) > str_len) { break; } + snprintf(key, sizeof(key), "%d#%03d", (unsigned int) dataset, (unsigned int) recnum); + if (tagsfound == 0) { /* found the 1st tag - initialize the return array */ array_init(return_value); } |