Diffstat (limited to 'ext/exif/exif.c')
-rw-r--r-- | ext/exif/exif.c | 39 |
1 files changed, 24 insertions, 15 deletions
diff --git a/ext/exif/exif.c b/ext/exif/exif.c
index 2cd54eb875..44b9fee0b1 100644
--- a/ext/exif/exif.c
+++ b/ext/exif/exif.c
@@ -2,7 +2,7 @@
 +----------------------------------------------------------------------+
 | PHP Version 7 |
 +----------------------------------------------------------------------+
- | Copyright (c) 1997-2015 The PHP Group |
+ | Copyright (c) 1997-2016 The PHP Group |
 +----------------------------------------------------------------------+
 | This source file is subject to version 3.01 of the PHP license, |
 | that is bundled with this package in the file LICENSE, and is |
@@ -152,14 +152,10 @@ ZEND_BEGIN_MODULE_GLOBALS(exif)
 ZEND_END_MODULE_GLOBALS(exif)
 ZEND_DECLARE_MODULE_GLOBALS(exif)
+#define EXIF_G(v) ZEND_MODULE_GLOBALS_ACCESSOR(exif, v)
-#ifdef ZTS
-#define EXIF_G(v) ZEND_TSRMG(exif_globals_id, zend_exif_globals *, v)
-#ifdef COMPILE_DL_EXIF
-ZEND_TSRMLS_CACHE_DEFINE();
-#endif
-#else
-#define EXIF_G(v) (exif_globals.v)
+#if defined(ZTS) && defined(COMPILE_DL_EXIF)
+ZEND_TSRMLS_CACHE_DEFINE()
 #endif
 /* {{{ PHP_INI
@@ -2949,13 +2945,13 @@ static int exif_process_IFD_TAG(image_info_type *ImageInfo, char *dir_entry, cha
 if (length<byte_count-1) {
 /* When there are any characters after the first NUL */
 ImageInfo->CopyrightPhotographer = estrdup(value_ptr);
- ImageInfo->CopyrightEditor = estrdup(value_ptr+length+1);
- spprintf(&ImageInfo->Copyright, 0, "%s, %s", value_ptr, value_ptr+length+1);
+ ImageInfo->CopyrightEditor = estrndup(value_ptr+length+1, byte_count-length-1);
+ spprintf(&ImageInfo->Copyright, 0, "%s, %s", ImageInfo->CopyrightPhotographer, ImageInfo->CopyrightEditor);
 /* format = TAG_FMT_UNDEFINED; this musn't be ASCII */
 /* but we are not supposed to change this */
 /* keep in mind that image_info does not store editor value */
 } else {
- ImageInfo->Copyright = estrdup(value_ptr);
+ ImageInfo->Copyright = estrndup(value_ptr, byte_count);
 }
 }
 break;
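Review bot: In the Copyright hunk the photographer copy is still made with `estrdup(value_ptr)` while every other copy moves to `estrndup`, so its safety rests entirely on `length` having come from a bounded scan, which happens above the hunk. Bounding it the same way keeps the three copies consistent and independent of that assumption: `ImageInfo->CopyrightPhotographer = estrndup(value_ptr, length);`. It is also worth confirming that `byte_count-1` in the condition cannot wrap when `byte_count` is 0; any guard for that sits in exif_process_IFD_TAG outside the visible lines.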
@@ -3046,10 +3042,10 @@ static int exif_process_IFD_TAG(image_info_type *ImageInfo, char *dir_entry, cha
 break;
 case TAG_MAKE:
- ImageInfo->make = estrdup(value_ptr);
+ ImageInfo->make = estrndup(value_ptr, byte_count);
 break;
 case TAG_MODEL:
- ImageInfo->model = estrdup(value_ptr);
+ ImageInfo->model = estrndup(value_ptr, byte_count);
 break;
 case TAG_MAKER_NOTE:
@@ -3119,6 +3115,11 @@ static int exif_process_IFD_in_JPEG(image_info_type *ImageInfo, char *dir_start,
 ImageInfo->sections_found |= FOUND_IFD0;
+ if ((dir_start + 2) >= (offset_base+IFDlength)) {
+ exif_error_docref("exif_read_data#error_ifd" EXIFERR_CC, ImageInfo, E_WARNING, "Illegal IFD size");
+ return FALSE;
+ }
+
 NumDirEntries = php_ifd_get16u(dir_start, ImageInfo->motorola_intel);
 if ((dir_start+2+NumDirEntries*12) > (offset_base+IFDlength)) {
@@ -3142,6 +3143,10 @@ static int exif_process_IFD_in_JPEG(image_info_type *ImageInfo, char *dir_start,
 * Hack to make it process IDF1 I hope
 * There are 2 IDFs, the second one holds the keys (0x0201 and 0x0202) to the thumbnail
 */
+ if ((dir_start+2+12*de + 4) >= (offset_base+IFDlength)) {
+ exif_error_docref("exif_read_data#error_ifd" EXIFERR_CC, ImageInfo, E_WARNING, "Illegal IFD size");
+ return FALSE;
+ }
 NextDirOffset = php_ifd_get32u(dir_start+2+12*de, ImageInfo->motorola_intel);
 if (NextDirOffset) {
 /* the next line seems false but here IFDlength means length of all IFDs */
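Review bot: Both `case TAG_MAKE` and `case TAG_MODEL` assign the new `estrndup` result straight over the existing pointer, so a file that carries either tag more than once would appear to leak the earlier allocation; nothing visible in the hunk frees it. Assuming the fields start out NULL, releasing the old value first would close that, e.g. `if (ImageInfo->make) efree(ImageInfo->make);` before the assignment, and the same for `model`. The new bound is also only as strong as the validation of `byte_count` against the tag data, which is done earlier in exif_process_IFD_TAG and is not visible here.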
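Review bot: The guard added before `php_ifd_get16u(dir_start, ...)` is a pointer comparison with `>=`, so it rejects a directory whose two-byte count ends exactly at `offset_base+IFDlength`, and it depends on `dir_start + 2` itself being a valid pointer to form. The second guard added in exif_process_IFD_in_JPEG, `(dir_start+2+12*de + 4) >= (offset_base+IFDlength)` before the `NextDirOffset` read, has the same shape; there the inclusive comparison would refuse a file whose next-IFD offset field is the last four bytes of the IFD data. Comparing offsets against the remaining length avoids both issues, for example `if (IFDlength < 2 || (size_t)(dir_start - offset_base) > IFDlength - 2)`, provided `dir_start >= offset_base` is established above the hunk. A short comment on each guard stating how many bytes the following read needs would make the intended bound easy to audit.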
@@ -3191,9 +3196,13 @@ static void exif_process_TIFF_in_JPEG(image_info_type *ImageInfo, char *CharBuf,
 }
 /* Check the next two values for correctness. */
+ if (length < 8) {
+ exif_error_docref(NULL EXIFERR_CC, ImageInfo, E_WARNING, "Invalid TIFF start (1)");
+ return;
+ }
 exif_value_2a = php_ifd_get16u(CharBuf+2, ImageInfo->motorola_intel);
 offset_of_ifd = php_ifd_get32u(CharBuf+4, ImageInfo->motorola_intel);
- if ( exif_value_2a != 0x2a || offset_of_ifd < 0x08) {
+ if (exif_value_2a != 0x2a || offset_of_ifd < 0x08) {
 exif_error_docref(NULL EXIFERR_CC, ImageInfo, E_WARNING, "Invalid TIFF start (1)");
 return;
 }
@@ -4078,7 +4087,7 @@ PHP_FUNCTION(exif_read_data)
 exif_discard_imageinfo(&ImageInfo);
 #ifdef EXIF_DEBUG
- php_error_docref1(NULL, Z_STRVAL_PP(p_name), E_NOTICE, "done");
+ php_error_docref1(NULL, p_name, E_NOTICE, "done");
 #endif
 }
 /* }}} */ |
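Review bot: The `length < 8` guard in exif_process_TIFF_in_JPEG sits after the block that closes on the hunk's first context line; if that block already inspects `CharBuf` (it is outside the hunk), those earlier reads remain unguarded for a very short segment and the check belongs at the top of the function. The guard also reuses the text "Invalid TIFF start (1)" from the magic-number check just below, so a truncated segment and a bad 0x2a marker cannot be told apart in logs; a distinct message would help triage of malformed files. A comment explaining the constant would document the bound, e.g. `/* 8 = 2 (byte order) + 2 (0x2a magic) + 4 (IFD offset) */`.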