-rw-r--r-- | NEWS | 3 | ||||
-rw-r--r-- | ext/exif/exif.c | 4 | ||||
-rw-r--r-- | ext/exif/tests/bug79046.phpt | 33 |
3 files changed, 38 insertions, 2 deletions
@@ -20,6 +20,9 @@ PHP NEWS - CURL: . Fixed bug #79033 (Curl timeout error with specific url and post). (cmb) +- Exif: + . Fixed bug #79046 (NaN to int cast undefined behavior in exif). (Nikita) + - Fileinfo: . Fixed bug #74170 (locale information change after mime_content_type). (Sergei Turchanov)
diff --git a/ext/exif/exif.c b/ext/exif/exif.c
index 4f8b8af719..7bdf2acf1e 100644
--- a/ext/exif/exif.c
+++ b/ext/exif/exif.c
@@ -1699,7 +1699,7 @@ static int exif_rewrite_tag_format_to_unsigned(int format)
 /* Use saturation for out of bounds values to avoid UB */
 static size_t float_to_size_t(float x) {
- if (x < 0.0f) {
+ if (x < 0.0f || zend_isnan(x)) {
 return 0;
 } else if (x > (float) SIZE_MAX) {
 return SIZE_MAX;
@@ -1709,7 +1709,7 @@ static size_t float_to_size_t(float x) {
 }
 static size_t double_to_size_t(double x) {
- if (x < 0.0) {
+ if (x < 0.0 || zend_isnan(x)) {
 return 0;
 } else if (x > (double) SIZE_MAX) {
 return SIZE_MAX;
diff --git a/ext/exif/tests/bug79046.phpt b/ext/exif/tests/bug79046.phpt
new file mode 100644
index 0000000000..83955084b0
--- /dev/null
+++ b/ext/exif/tests/bug79046.phpt
@@ -0,0 +1,33 @@
+--TEST--
+Bug #79046: NaN to int cast undefined behavior in exif
+--FILE--
+<?php
+var_dump(exif_read_data('data://image/tiff;base64,TU0AKgAAAA7//wAAANUAAQERAAsAAAABAAD4fwAAAA4A'));
+?>
+--EXPECT--
+array(8) {
+ ["FileDateTime"]=>
+ int(0)
+ ["FileSize"]=>
+ int(33)
+ ["FileType"]=>
+ int(8)
+ ["MimeType"]=>
+ string(10) "image/tiff"
+ ["SectionsFound"]=>
+ string(24) "ANY_TAG, IFD0, THUMBNAIL"
+ ["COMPUTED"]=>
+ array(2) {
+ ["IsColor"]=>
+ int(0)
+ ["ByteOrderMotorola"]=>
+ int(1)
+ }
+ ["StripOffsets"]=>
+ float(NAN)
+ ["THUMBNAIL"]=>
+ array(1) {
+ ["StripOffsets"]=>
+ float(NAN)
+ }
+} |
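Review bot: The upper-bound check `x > (float) SIZE_MAX` in float_to_size_t still lets one out-of-range value through to the conversion. SIZE_MAX is not exactly representable as a float, so `(float) SIZE_MAX` rounds up to the next power of two, and an `x` equal to that value is not greater than it and falls into the final branch. Changing the line to `} else if (x >= (float) SIZE_MAX) {` closes the gap. The same applies to `x > (double) SIZE_MAX` in double_to_size_t in the following hunk wherever size_t is 64 bits wide. Both function bodies continue past the end of their hunks, so the final cast is inferred from the saturation comment rather than visible here.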
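Review bot: The fixture appears to cover only one of the two changed helpers. The embedded TIFF declares its single StripOffsets entry with type 11 (FLOAT), so the NaN presumably reaches float_to_size_t and the new check in double_to_size_t stays unexercised. A second `exif_read_data()` call on a fixture whose entry uses type 12 (DOUBLE) with a NaN payload would pin both paths. A short comment above the call, such as `// StripOffsets stored as TIFF FLOAT (type 11) holding NaN`, would also spare the next reader from decoding the base64 by hand.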