diff options
Diffstat (limited to 'ext/exif')
| -rw-r--r-- | ext/exif/exif.c | 12 | ||||
| -rw-r--r-- | ext/exif/tests/bug62523_1.jpg | 9 | ||||
| -rw-r--r-- | ext/exif/tests/bug62523_1.phpt | 18 | ||||
| -rw-r--r-- | ext/exif/tests/bug62523_2.jpg | bin | 0 -> 516533 bytes | |||
| -rw-r--r-- | ext/exif/tests/bug62523_2.phpt | 16 | ||||
| -rw-r--r-- | ext/exif/tests/bug62523_3.jpg | 12 | ||||
| -rw-r--r-- | ext/exif/tests/bug62523_3.phpt | 18 | ||||
| -rw-r--r-- | ext/exif/tests/exif_encoding_crash.jpg | bin | 0 -> 7599 bytes | |||
| -rw-r--r-- | ext/exif/tests/exif_encoding_crash.phpt | 14 |
9 files changed, 94 insertions, 5 deletions
diff --git a/ext/exif/exif.c b/ext/exif/exif.c index bd646d9adf..2fe54f7b31 100644 --- a/ext/exif/exif.c +++ b/ext/exif/exif.c @@ -2643,6 +2643,7 @@ static int exif_process_user_comment(image_info_type *ImageInfo, char **pszInfoP } else { decode = ImageInfo->decode_unicode_le; } + /* XXX this will fail again if encoding_converter returns on error something different than SIZE_MAX */ if (zend_multibyte_encoding_converter( (unsigned char**)pszInfoPtr, &len, @@ -2650,7 +2651,7 @@ static int exif_process_user_comment(image_info_type *ImageInfo, char **pszInfoP ByteCount, zend_multibyte_fetch_encoding(ImageInfo->encode_unicode TSRMLS_CC), zend_multibyte_fetch_encoding(decode TSRMLS_CC) - TSRMLS_CC) < 0) { + TSRMLS_CC) == (size_t)-1) { len = exif_process_string_raw(pszInfoPtr, szValuePtr, ByteCount); } return len; @@ -2663,6 +2664,7 @@ static int exif_process_user_comment(image_info_type *ImageInfo, char **pszInfoP *pszEncoding = estrdup((const char*)szValuePtr); szValuePtr = szValuePtr+8; ByteCount -= 8; + /* XXX this will fail again if encoding_converter returns on error something different than SIZE_MAX */ if (zend_multibyte_encoding_converter( (unsigned char**)pszInfoPtr, &len, @@ -2670,7 +2672,7 @@ static int exif_process_user_comment(image_info_type *ImageInfo, char **pszInfoP ByteCount, zend_multibyte_fetch_encoding(ImageInfo->encode_jis TSRMLS_CC), zend_multibyte_fetch_encoding(ImageInfo->motorola_intel ? ImageInfo->decode_jis_be : ImageInfo->decode_jis_le TSRMLS_CC) - TSRMLS_CC) < 0) { + TSRMLS_CC) == (size_t)-1) { len = exif_process_string_raw(pszInfoPtr, szValuePtr, ByteCount); } return len; @@ -2700,8 +2702,8 @@ static int exif_process_user_comment(image_info_type *ImageInfo, char **pszInfoP static int exif_process_unicode(image_info_type *ImageInfo, xp_field_type *xp_field, int tag, char *szValuePtr, int ByteCount TSRMLS_DC) { xp_field->tag = tag; - - /* Copy the comment */ + + /* XXX this will fail again if encoding_converter returns on error something different than SIZE_MAX */ if (zend_multibyte_encoding_converter( (unsigned char**)&xp_field->value, &xp_field->size, @@ -2709,7 +2711,7 @@ static int exif_process_unicode(image_info_type *ImageInfo, xp_field_type *xp_fi ByteCount, zend_multibyte_fetch_encoding(ImageInfo->encode_unicode TSRMLS_CC), zend_multibyte_fetch_encoding(ImageInfo->motorola_intel ? ImageInfo->decode_unicode_be : ImageInfo->decode_unicode_le TSRMLS_CC) - TSRMLS_CC) < 0) { + TSRMLS_CC) == (size_t)-1) { xp_field->size = exif_process_string_raw(&xp_field->value, szValuePtr, ByteCount); } return xp_field->size; diff --git a/ext/exif/tests/bug62523_1.jpg b/ext/exif/tests/bug62523_1.jpg new file mode 100644 index 0000000000..9a63d1e84d --- /dev/null +++ b/ext/exif/tests/bug62523_1.jpg @@ -0,0 +1,9 @@ +<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> +<html><head> +<title>301 Moved Permanently</title> +</head><body> +<h1>Moved Permanently</h1> +<p>The document has moved <a href="http://www.getid3.org/temp/62523.jpg">here</a>.</p> +<hr> +<address>Apache Server at getid3.org Port 80</address> +</body></html> diff --git a/ext/exif/tests/bug62523_1.phpt b/ext/exif/tests/bug62523_1.phpt new file mode 100644 index 0000000000..28d42f021d --- /dev/null +++ b/ext/exif/tests/bug62523_1.phpt @@ -0,0 +1,18 @@ +--TEST-- +Bug 62523 (php crashes with segfault when exif_read_data called) +--SKIPIF-- +<?php +extension_loaded("exif") or die("skip need exif"); +?> +--FILE-- +<?php +echo "Test\n"; +var_dump(count(exif_read_data(__DIR__."/bug62523_1.jpg"))); +?> +Done +--EXPECTF-- +Test + +Warning: exif_read_data(bug62523_1.jpg): File not supported in %sbug62523_1.php on line %d +int(1) +Done diff --git a/ext/exif/tests/bug62523_2.jpg b/ext/exif/tests/bug62523_2.jpg Binary files differnew file mode 100644 index 0000000000..8d7fc6c5f4 --- /dev/null +++ b/ext/exif/tests/bug62523_2.jpg diff --git a/ext/exif/tests/bug62523_2.phpt b/ext/exif/tests/bug62523_2.phpt new file mode 100644 index 0000000000..ddc8ae824e --- /dev/null +++ b/ext/exif/tests/bug62523_2.phpt @@ -0,0 +1,16 @@ +--TEST-- +Bug 62523 (php crashes with segfault when exif_read_data called) +--SKIPIF-- +<?php +extension_loaded("exif") or die("skip need exif"); +?> +--FILE-- +<?php +echo "Test\n"; +var_dump(count(exif_read_data(__DIR__."/bug62523_2.jpg"))); +?> +Done +--EXPECT-- +Test +int(76) +Done diff --git a/ext/exif/tests/bug62523_3.jpg b/ext/exif/tests/bug62523_3.jpg new file mode 100644 index 0000000000..3ee91368ce --- /dev/null +++ b/ext/exif/tests/bug62523_3.jpg @@ -0,0 +1,12 @@ +<html>
+ <head><title>Found</title></head>
+ <body>
+ <h1>Found</h1>
+ <p>The resource was found at <a href="http://dl.dropboxusercontent.com/u/7562584/Bugs/Php/bad_exif.jpeg">http://dl.dropboxusercontent.com/u/7562584/Bugs/Php/bad_exif.jpeg</a>;
+you should be redirected automatically.
+
+<!-- --></p>
+ <hr noshade>
+ <div align="right">WSGI Server</div>
+ </body>
+</html>
diff --git a/ext/exif/tests/bug62523_3.phpt b/ext/exif/tests/bug62523_3.phpt new file mode 100644 index 0000000000..6e11354c5a --- /dev/null +++ b/ext/exif/tests/bug62523_3.phpt @@ -0,0 +1,18 @@ +--TEST-- +Bug 62523 (php crashes with segfault when exif_read_data called) +--SKIPIF-- +<?php +extension_loaded("exif") or die("skip need exif"); +?> +--FILE-- +<?php +echo "Test\n"; +var_dump(count(exif_read_data(__DIR__."/bug62523_3.jpg"))); +?> +Done +--EXPECTF-- +Test + +Warning: exif_read_data(bug62523_3.jpg): File not supported in %sbug62523_3.php on line %d +int(1) +Done diff --git a/ext/exif/tests/exif_encoding_crash.jpg b/ext/exif/tests/exif_encoding_crash.jpg Binary files differnew file mode 100644 index 0000000000..55138abe55 --- /dev/null +++ b/ext/exif/tests/exif_encoding_crash.jpg diff --git a/ext/exif/tests/exif_encoding_crash.phpt b/ext/exif/tests/exif_encoding_crash.phpt new file mode 100644 index 0000000000..1c4ad63860 --- /dev/null +++ b/ext/exif/tests/exif_encoding_crash.phpt @@ -0,0 +1,14 @@ +--TEST-- +PHP crash when zend_multibyte_encoding_converter returns (size_t)-1) +--SKIPIF-- +<?php if (!extension_loaded('exif')) print 'skip exif extension not available';?> +--FILE-- +<?php +$infile = dirname(__FILE__).'/exif_encoding_crash.jpg'; +$exif_data = exif_read_data($infile); +echo "*** no core dump ***\n"; +?> +===DONE=== +--EXPECT-- +*** no core dump *** +===DONE=== |
