summaryrefslogtreecommitdiffstats
path: root/bug72618.patch
diff options
context:
space:
mode:
Diffstat (limited to 'bug72618.patch')
-rw-r--r--bug72618.patch110
1 files changed, 110 insertions, 0 deletions
diff --git a/bug72618.patch b/bug72618.patch
new file mode 100644
index 0000000..04814ab
--- /dev/null
+++ b/bug72618.patch
@@ -0,0 +1,110 @@
+Adapted for 5.4, by Remi Collet, binary patch removed, from:
+
+
+From 41131cd41d2fd2e0c2f332a27988df75659c42e4 Mon Sep 17 00:00:00 2001
+From: Stanislav Malyshev <stas@php.net>
+Date: Mon, 18 Jul 2016 23:21:51 -0700
+Subject: [PATCH] Fix bug #72618: NULL Pointer Dereference in
+ exif_process_user_comment
+
+---
+ ext/exif/exif.c | 17 +++++++++++------
+ ext/exif/tests/bug72618.jpg | Bin 0 -> 3711 bytes
+ ext/exif/tests/bug72618.phpt | 11 +++++++++++
+ 3 files changed, 22 insertions(+), 6 deletions(-)
+ create mode 100644 ext/exif/tests/bug72618.jpg
+ create mode 100644 ext/exif/tests/bug72618.phpt
+
+diff --git a/ext/exif/exif.c b/ext/exif/exif.c
+index 760e746..74b652b 100644
+--- a/ext/exif/exif.c
++++ b/ext/exif/exif.c
+@@ -2623,6 +2623,7 @@ static int exif_process_user_comment(image_info_type *ImageInfo, char **pszInfoP
+ *pszEncoding = NULL;
+ /* Copy the comment */
+ if (ByteCount>=8) {
++ const zend_encoding *from, *to;
+ if (!memcmp(szValuePtr, "UNICODE\0", 8)) {
+ *pszEncoding = estrdup((const char*)szValuePtr);
+ szValuePtr = szValuePtr+8;
+@@ -2643,14 +2644,16 @@ static int exif_process_user_comment(image_info_type *ImageInfo, char **pszInfoP
+ } else {
+ decode = ImageInfo->decode_unicode_le;
+ }
++ to = zend_multibyte_fetch_encoding(ImageInfo->encode_unicode TSRMLS_CC);
++ from = zend_multibyte_fetch_encoding(decode TSRMLS_CC);
+ /* XXX this will fail again if encoding_converter returns on error something different than SIZE_MAX */
+- if (zend_multibyte_encoding_converter(
++ if (!to || !from || zend_multibyte_encoding_converter(
+ (unsigned char**)pszInfoPtr,
+ &len,
+ (unsigned char*)szValuePtr,
+ ByteCount,
+- zend_multibyte_fetch_encoding(ImageInfo->encode_unicode TSRMLS_CC),
+- zend_multibyte_fetch_encoding(decode TSRMLS_CC)
++ to,
++ from
+ TSRMLS_CC) == (size_t)-1) {
+ len = exif_process_string_raw(pszInfoPtr, szValuePtr, ByteCount);
+ }
+@@ -2665,13 +2668,15 @@ static int exif_process_user_comment(image_info_type *ImageInfo, char **pszInfoP
+ szValuePtr = szValuePtr+8;
+ ByteCount -= 8;
+ /* XXX this will fail again if encoding_converter returns on error something different than SIZE_MAX */
+- if (zend_multibyte_encoding_converter(
++ to = zend_multibyte_fetch_encoding(ImageInfo->encode_jis TSRMLS_CC);
++ from = zend_multibyte_fetch_encoding(ImageInfo->motorola_intel ? ImageInfo->decode_jis_be : ImageInfo->decode_jis_le TSRMLS_CC);
++ if (!to || !from || zend_multibyte_encoding_converter(
+ (unsigned char**)pszInfoPtr,
+ &len,
+ (unsigned char*)szValuePtr,
+ ByteCount,
+- zend_multibyte_fetch_encoding(ImageInfo->encode_jis TSRMLS_CC),
+- zend_multibyte_fetch_encoding(ImageInfo->motorola_intel ? ImageInfo->decode_jis_be : ImageInfo->decode_jis_le TSRMLS_CC)
++ to,
++ from
+ TSRMLS_CC) == (size_t)-1) {
+ len = exif_process_string_raw(pszInfoPtr, szValuePtr, ByteCount);
+ }
+
+From 1364742be9757e594fd1b203d45805106ecd31c7 Mon Sep 17 00:00:00 2001
+From: Stanislav Malyshev <stas@php.net>
+Date: Mon, 18 Jul 2016 23:30:51 -0700
+Subject: [PATCH] Fix tests
+
+---
+ ext/exif/tests/bug54002.phpt | 6 +-----
+ ext/exif/tests/bug62523_2.phpt | 6 ++++--
+ 2 files changed, 5 insertions(+), 7 deletions(-)
+
+diff --git a/ext/exif/tests/bug54002.phpt b/ext/exif/tests/bug54002.phpt
+index c51fa58..8f85339 100644
+--- a/ext/exif/tests/bug54002.phpt
++++ b/ext/exif/tests/bug54002.phpt
+@@ -13,8 +13,4 @@ exif_read_data(__DIR__ . '/bug54002_2.jpeg');
+ --EXPECTF--
+ Warning: exif_read_data(bug54002_1.jpeg): Process tag(x0205=UndefinedTa): Illegal byte_count in %sbug54002.php on line %d
+
+-Warning: exif_read_data(bug54002_1.jpeg): Process tag(xA000=FlashPixVer): Illegal pointer offset(%s) in %sbug54002.php on line %d
+-
+-Warning: exif_read_data(bug54002_2.jpeg): Process tag(x0205=UndefinedTa): Illegal byte_count in %sbug54002.php on line %d
+-
+-Warning: exif_read_data(bug54002_2.jpeg): Process tag(xA000=FlashPixVer): Illegal pointer offset(%s) in %sbug54002.php on line %d
++Warning: exif_read_data(bug54002_2.jpeg): Process tag(x0205=UndefinedTa): Illegal byte_count in %sbug54002.php on line %d
+\ No newline at end of file
+diff --git a/ext/exif/tests/bug62523_2.phpt b/ext/exif/tests/bug62523_2.phpt
+index ddc8ae8..c533d42 100644
+--- a/ext/exif/tests/bug62523_2.phpt
++++ b/ext/exif/tests/bug62523_2.phpt
+@@ -10,7 +10,9 @@ echo "Test\n";
+ var_dump(count(exif_read_data(__DIR__."/bug62523_2.jpg")));
+ ?>
+ Done
+---EXPECT--
++--EXPECTF--
+ Test
+-int(76)
++
++Warning: exif_read_data(bug62523_2.jpg): IFD data bad offset: 0xADB23672 length 0x0D94 in %s/bug62523_2.php on line %d
++int(30)
+ Done
generated by cgit (git 2.34.1) at 2024-11-16 23:38:51 +0000