author | Stanislav Malyshev <stas@php.net> | 2016-07-18 23:21:51 -0700 |
---|---|---|
committer | Stanislav Malyshev <stas@php.net> | 2016-07-18 23:21:51 -0700 |
commit | 41131cd41d2fd2e0c2f332a27988df75659c42e4 (patch) | |
tree | 56675f79699a3ee3fbca2830271f6714614deceb /ext/exif | |
parent | f3feddb5b45b5abd93abb1a95044b7e099d51c84 (diff) | |
download | php-git-41131cd41d2fd2e0c2f332a27988df75659c42e4.tar.gz |
Fix bug #72618: NULL Pointer Dereference in exif_process_user_comment
Diffstat (limited to 'ext/exif')
-rw-r--r-- | ext/exif/exif.c | 17 | ||||
-rw-r--r-- | ext/exif/tests/bug72618.jpg | bin | 0 -> 3711 bytes | |||
-rw-r--r-- | ext/exif/tests/bug72618.phpt | 11 |
3 files changed, 22 insertions, 6 deletions
diff --git a/ext/exif/exif.c b/ext/exif/exif.c
index 760e7460c3..74b652b3eb 100644
--- a/ext/exif/exif.c
+++ b/ext/exif/exif.c
@@ -2623,6 +2623,7 @@ static int exif_process_user_comment(image_info_type *ImageInfo, char **pszInfoP
 *pszEncoding = NULL;
 /* Copy the comment */
 if (ByteCount>=8) {
+ const zend_encoding *from, *to;
 if (!memcmp(szValuePtr, "UNICODE\0", 8)) {
 *pszEncoding = estrdup((const char*)szValuePtr);
 szValuePtr = szValuePtr+8;
@@ -2643,14 +2644,16 @@ static int exif_process_user_comment(image_info_type *ImageInfo, char **pszInfoP
 } else {
 decode = ImageInfo->decode_unicode_le;
 }
+ to = zend_multibyte_fetch_encoding(ImageInfo->encode_unicode TSRMLS_CC);
+ from = zend_multibyte_fetch_encoding(decode TSRMLS_CC);
 /* XXX this will fail again if encoding_converter returns on error something different than SIZE_MAX */
- if (zend_multibyte_encoding_converter(
+ if (!to || !from || zend_multibyte_encoding_converter(
 (unsigned char**)pszInfoPtr,
 &len,
 (unsigned char*)szValuePtr,
 ByteCount,
- zend_multibyte_fetch_encoding(ImageInfo->encode_unicode TSRMLS_CC),
- zend_multibyte_fetch_encoding(decode TSRMLS_CC)
+ to,
+ from
 TSRMLS_CC) == (size_t)-1) {
 len = exif_process_string_raw(pszInfoPtr, szValuePtr, ByteCount);
 }
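Review bot: The new `!to || !from` guard in the UNICODE branch (and the identical guard in the JIS hunk that follows) falls back to `exif_process_string_raw()` with no comment and no diagnostic, so a failed encoding lookup looks the same as a normal decode. By the time the guard runs, `*pszEncoding` has already been set from the tag header (first hunk), so the caller appears to get an encoding label together with bytes that were never converted; whether any caller relies on that label is not visible here. I would add a comment above each lookup, for example `/* fetch_encoding may return NULL (unknown or unavailable encoding); never hand NULL to the converter, copy the raw bytes instead */`, and consider emitting a notice on that path so a misconfigured encoding shows up in logs. The fetch, check and convert sequence is now duplicated in both branches and could live in one static helper; the function body starts and ends outside these hunks.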
@@ -2665,13 +2668,15 @@ static int exif_process_user_comment(image_info_type *ImageInfo, char **pszInfoP
 szValuePtr = szValuePtr+8;
 ByteCount -= 8;
 /* XXX this will fail again if encoding_converter returns on error something different than SIZE_MAX */
- if (zend_multibyte_encoding_converter(
+ to = zend_multibyte_fetch_encoding(ImageInfo->encode_jis TSRMLS_CC);
+ from = zend_multibyte_fetch_encoding(ImageInfo->motorola_intel ? ImageInfo->decode_jis_be : ImageInfo->decode_jis_le TSRMLS_CC);
+ if (!to || !from || zend_multibyte_encoding_converter(
 (unsigned char**)pszInfoPtr,
 &len,
 (unsigned char*)szValuePtr,
 ByteCount,
- zend_multibyte_fetch_encoding(ImageInfo->encode_jis TSRMLS_CC),
- zend_multibyte_fetch_encoding(ImageInfo->motorola_intel ? ImageInfo->decode_jis_be : ImageInfo->decode_jis_le TSRMLS_CC)
+ to,
+ from
 TSRMLS_CC) == (size_t)-1) {
 len = exif_process_string_raw(pszInfoPtr, szValuePtr, ByteCount);
 }
diff --git a/ext/exif/tests/bug72618.jpg b/ext/exif/tests/bug72618.jpg
Binary files differ
new file mode 100644
index 0000000000..0a61ae2e02
--- /dev/null
+++ b/ext/exif/tests/bug72618.jpg
diff --git a/ext/exif/tests/bug72618.phpt b/ext/exif/tests/bug72618.phpt
new file mode 100644
index 0000000000..424c0ec402
--- /dev/null
+++ b/ext/exif/tests/bug72618.phpt
@@ -0,0 +1,11 @@
+--TEST--
+Bug 72618 (NULL Pointer Dereference in exif_process_user_comment)
+--SKIPIF--
+<?php if (!extension_loaded('exif')) print 'skip exif extension not available';?>
+--FILE--
+<?php
+var_dump(count(exif_read_data(dirname(__FILE__) . "/bug72618.jpg")));
+?>
+--EXPECTF--
+Warning: exif_read_data(bug72618.jpg): IFD data bad offset: 0x058E length 0x0030 in %s/bug72618.php on line %d
+int(13)
\ No newline at end of file |
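Review bot: Nothing in this test pins the condition that makes the encoding lookup fail, so it may pass on a build where the lookup succeeds without ever reaching the new NULL branch; that depends on the environment and cannot be confirmed from the hunk. The only assertion is `count(...)` yielding `int(13)`, which does not show what the user-comment entry holds after the raw-copy fallback. I would add a short comment in the `--FILE--` section stating which condition the image relies on, and dump the comment value alongside the count so a regression in the fallback path changes the expected output.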