| author | Pierre Joye <pajoye@php.net> | 2009-05-28 13:48:32 +0000 |
|---|---|---|
| committer | Pierre Joye <pajoye@php.net> | 2009-05-28 13:48:32 +0000 |
| commit | f002287eb39a9888bb453d6c1e5b56e7322071fb (patch) | |
| tree | 8e4cfc65ba577029f2be763a332fb63407ca10dd /ext | |
| parent | 23a25db653bd68632dd9a8a877544b5ee8c912ac (diff) | |
- MFH: #48378, exif_read_data() segfaults on certain corrupted .jpeg files
Diffstat (limited to 'ext')
| -rw-r--r-- | ext/exif/exif.c | 4 | ||||
| -rw-r--r-- | ext/exif/tests/bug48378.jpeg | bin | 0 -> 2566 bytes | |||
| -rw-r--r-- | ext/exif/tests/bug48378.phpt | 19 |
3 files changed, 23 insertions, 0 deletions
diff --git a/ext/exif/exif.c b/ext/exif/exif.c
index 7f6744348e..ed68af067f 100644
--- a/ext/exif/exif.c
+++ b/ext/exif/exif.c
@@ -3210,6 +3210,10 @@ static void exif_process_TIFF_in_JPEG(image_info_type *ImageInfo, char *CharBuf,
 exif_error_docref(NULL EXIFERR_CC, ImageInfo, E_WARNING, "Invalid TIFF start (1)");
 return;
 }
+ if (offset_of_ifd > length) {
+ exif_error_docref(NULL EXIFERR_CC, ImageInfo, E_WARNING, "Invalid IFD start");
+ return;
+ }
 ImageInfo->sections_found |= FOUND_IFD0;
 /* First directory starts at offset 8. Offsets starts at 0. */
diff --git a/ext/exif/tests/bug48378.jpeg b/ext/exif/tests/bug48378.jpeg
Binary files differ
new file mode 100644
index 0000000000..759d805709
--- /dev/null
+++ b/ext/exif/tests/bug48378.jpeg
diff --git a/ext/exif/tests/bug48378.phpt b/ext/exif/tests/bug48378.phpt
new file mode 100644
index 0000000000..286ce61073
--- /dev/null
+++ b/ext/exif/tests/bug48378.phpt
@@ -0,0 +1,19 @@
+--TEST--
+Bug #48378 (Infinite recursion due to corrupt JPEG)
+--SKIPIF--
+<?php if (!extension_loaded('exif')) print 'skip exif extension not available';?>
+--FILE--
+<?php
+exif_read_data(
+dirname(__FILE__) . "/bug48378.jpeg",
+"FILE,COMPUTED,ANY_TAG"
+);
+?>
+--EXPECTF--
+Warning: exif_read_data(%s): Invalid IFD start in %s48378.php on line %d
+
+Warning: exif_read_data(%s): Error reading from file: got=x08B4(=2228) != itemlen-2=x1FFE(=8190) in %s48378.php on line %d
+
+Warning: exif_read_data(%s): Invalid JPEG file in %s48378.php on line %d
+
+
|
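Review bot: The new guard `if (offset_of_ifd > length)` in exif_process_TIFF_in_JPEG rejects only offsets strictly beyond the buffer, so an offset equal to `length`, or one that leaves fewer than two bytes, still passes and is handed on to the IFD parsing that follows. Whether that parser re-checks before reading the 16-bit entry count cannot be told from here, because the rest of the function and the declarations of `offset_of_ifd` and `length` lie outside the hunk. If it does not, a tighter test such as `if (offset_of_ifd >= length || length - offset_of_ifd < 2) {` would close the gap, assuming both operands are unsigned. A short comment above the check, for example `/* the IFD offset is read from the file and must lie inside the TIFF block */`, would also record why the check exists.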
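Review bot: The `--FILE--` section of bug48378.phpt discards the return value of `exif_read_data()`, so the test pins the three warnings but not that the corrupt file is rejected outright. Wrapping the call as `var_dump(exif_read_data(...));` and appending the expected result (presumably `bool(false)`) to `--EXPECTF--` would cover that as well. The title `Bug #48378 (Infinite recursion due to corrupt JPEG)` also differs from the commit summary, which describes a segfault; using one description for both would make the regression easier to trace.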
