authorMichael Wallner <mike@php.net>2013-10-21 21:48:27 +0200
committerMichael Wallner <mike@php.net>2013-10-21 21:48:27 +0200
commit1b43f9504020a1fa607eb58b81defaba9d8cfd6b (patch)
tree976e5d679387258bf4599cf829b647aca1c17f3e /ext
parent2ecf94e07efae6059e40069a7c1a895514c24466 (diff)
Merged PR #293 (Exif crash on unknown encoding was fixed)
By: Draal Conflicts: configure.in main/php_version.h
Diffstat (limited to 'ext')
-rw-r--r--ext/exif/exif.c12
-rw-r--r--ext/exif/tests/exif_encoding_crash.jpgbin0 -> 7599 bytes
-rw-r--r--ext/exif/tests/exif_encoding_crash.phpt14
3 files changed, 21 insertions, 5 deletions
diff --git a/ext/exif/exif.c b/ext/exif/exif.c
index bd646d9adf..2fe54f7b31 100644
--- a/ext/exif/exif.c
+++ b/ext/exif/exif.c
@@ -2643,6 +2643,7 @@ static int exif_process_user_comment(image_info_type *ImageInfo, char **pszInfoP
} else {
decode = ImageInfo->decode_unicode_le;
}
+ /* XXX this will fail again if encoding_converter returns on error something different than SIZE_MAX */
if (zend_multibyte_encoding_converter(
(unsigned char**)pszInfoPtr,
&len,
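Review bot: The added XXX comment names the risk but not the contract it relies on, so a reader cannot tell from it why the old `< 0` test was wrong or what the sentinel means. Judging by the cast introduced in this commit, the converter returns `size_t`; I would word the comment as `/* zend_multibyte_encoding_converter() returns size_t: failure is (size_t)-1, so a "< 0" test can never be true */`. The same XXX line is pasted before the JIS conversion and in exif_process_unicode, so the explanation would be better written once, next to a shared definition of the failure value. exif_process_user_comment starts and ends outside this hunk.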
@@ -2650,7 +2651,7 @@ static int exif_process_user_comment(image_info_type *ImageInfo, char **pszInfoP
ByteCount,
zend_multibyte_fetch_encoding(ImageInfo->encode_unicode TSRMLS_CC),
zend_multibyte_fetch_encoding(decode TSRMLS_CC)
- TSRMLS_CC) < 0) {
+ TSRMLS_CC) == (size_t)-1) {
len = exif_process_string_raw(pszInfoPtr, szValuePtr, ByteCount);
}
return len;
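Review bot: The failure test is spelled `== (size_t)-1` by hand here and again in the JIS branch and in exif_process_unicode, so any change in the converter's error convention has to be found and fixed in three places. A single named constant, for example `#define EXIF_CONVERT_FAILED ((size_t)-1)` (the name is only a suggestion), or a small static wrapper that reports success or failure would keep the three sites in step. Because this code runs on metadata from untrusted image files, it is also worth confirming that the converter leaves `*pszInfoPtr` and `len` untouched when it fails. The hunk does not show that, and the fallback `exif_process_string_raw()` overwrites both without releasing anything. The rest of exif_process_user_comment is outside the hunk.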
@@ -2663,6 +2664,7 @@ static int exif_process_user_comment(image_info_type *ImageInfo, char **pszInfoP
*pszEncoding = estrdup((const char*)szValuePtr);
szValuePtr = szValuePtr+8;
ByteCount -= 8;
+ /* XXX this will fail again if encoding_converter returns on error something different than SIZE_MAX */
if (zend_multibyte_encoding_converter(
(unsigned char**)pszInfoPtr,
&len,
@@ -2670,7 +2672,7 @@ static int exif_process_user_comment(image_info_type *ImageInfo, char **pszInfoP
ByteCount,
zend_multibyte_fetch_encoding(ImageInfo->encode_jis TSRMLS_CC),
zend_multibyte_fetch_encoding(ImageInfo->motorola_intel ? ImageInfo->decode_jis_be : ImageInfo->decode_jis_le TSRMLS_CC)
- TSRMLS_CC) < 0) {
+ TSRMLS_CC) == (size_t)-1) {
len = exif_process_string_raw(pszInfoPtr, szValuePtr, ByteCount);
}
return len;
@@ -2700,8 +2702,8 @@ static int exif_process_user_comment(image_info_type *ImageInfo, char **pszInfoP
static int exif_process_unicode(image_info_type *ImageInfo, xp_field_type *xp_field, int tag, char *szValuePtr, int ByteCount TSRMLS_DC)
{
xp_field->tag = tag;
-
- /* Copy the comment */
+
+ /* XXX this will fail again if encoding_converter returns on error something different than SIZE_MAX */
if (zend_multibyte_encoding_converter(
(unsigned char**)&xp_field->value,
&xp_field->size,
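Review bot: The descriptive comment `/* Copy the comment */` is replaced by the XXX note rather than kept alongside it, and the blank line above it changes only in whitespace. I would keep the original comment with the caveat beneath it, and drop the whitespace-only change so the hunk carries just the functional edit. The body of exif_process_unicode continues outside the hunk.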
@@ -2709,7 +2711,7 @@ static int exif_process_unicode(image_info_type *ImageInfo, xp_field_type *xp_fi
ByteCount,
zend_multibyte_fetch_encoding(ImageInfo->encode_unicode TSRMLS_CC),
zend_multibyte_fetch_encoding(ImageInfo->motorola_intel ? ImageInfo->decode_unicode_be : ImageInfo->decode_unicode_le TSRMLS_CC)
- TSRMLS_CC) < 0) {
+ TSRMLS_CC) == (size_t)-1) {
xp_field->size = exif_process_string_raw(&xp_field->value, szValuePtr, ByteCount);
}
return xp_field->size;
diff --git a/ext/exif/tests/exif_encoding_crash.jpg b/ext/exif/tests/exif_encoding_crash.jpg
new file mode 100644
index 0000000000..55138abe55
--- /dev/null
+++ b/ext/exif/tests/exif_encoding_crash.jpg
Binary files differ
diff --git a/ext/exif/tests/exif_encoding_crash.phpt b/ext/exif/tests/exif_encoding_crash.phpt
new file mode 100644
index 0000000000..1c4ad63860
--- /dev/null
+++ b/ext/exif/tests/exif_encoding_crash.phpt
@@ -0,0 +1,14 @@
+--TEST--
+PHP crash when zend_multibyte_encoding_converter returns (size_t)-1)
+--SKIPIF--
+<?php if (!extension_loaded('exif')) print 'skip exif extension not available';?>
+--FILE--
+<?php
+$infile = dirname(__FILE__).'/exif_encoding_crash.jpg';
+$exif_data = exif_read_data($infile);
+echo "*** no core dump ***\n";
+?>
+===DONE===
+--EXPECT--
+*** no core dump ***
+===DONE===
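Review bot: The test proves only that exif_read_data() returns without crashing; it does not pin what the fallback path produces, so a regression that returns garbage or an empty comment would still pass. I would add an assertion on the result, at minimum `var_dump($exif_data !== false);`, and ideally a dump of the comment field the fixture exercises (which key that is depends on the fixture and is not visible here), with matching `--EXPECT--` output. The `--TEST--` title also has an unbalanced parenthesis: `returns (size_t)-1)`. If the conversion failure only occurs under a particular multibyte configuration, SKIPIF should check for it so the test does not pass vacuously; the hunk does not show whether that is the case.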