1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
|
Adapted for 5.4, by Remi Collet, binary patch removed, from:
From 41131cd41d2fd2e0c2f332a27988df75659c42e4 Mon Sep 17 00:00:00 2001
From: Stanislav Malyshev <stas@php.net>
Date: Mon, 18 Jul 2016 23:21:51 -0700
Subject: [PATCH] Fix bug #72618: NULL Pointer Dereference in
exif_process_user_comment
---
ext/exif/exif.c | 17 +++++++++++------
ext/exif/tests/bug72618.jpg | Bin 0 -> 3711 bytes
ext/exif/tests/bug72618.phpt | 11 +++++++++++
3 files changed, 22 insertions(+), 6 deletions(-)
create mode 100644 ext/exif/tests/bug72618.jpg
create mode 100644 ext/exif/tests/bug72618.phpt
diff --git a/ext/exif/exif.c b/ext/exif/exif.c
index 760e746..74b652b 100644
--- a/ext/exif/exif.c
+++ b/ext/exif/exif.c
@@ -2623,6 +2623,7 @@ static int exif_process_user_comment(image_info_type *ImageInfo, char **pszInfoP
*pszEncoding = NULL;
/* Copy the comment */
if (ByteCount>=8) {
+ const zend_encoding *from, *to;
if (!memcmp(szValuePtr, "UNICODE\0", 8)) {
*pszEncoding = estrdup((const char*)szValuePtr);
szValuePtr = szValuePtr+8;
@@ -2643,14 +2644,16 @@ static int exif_process_user_comment(image_info_type *ImageInfo, char **pszInfoP
} else {
decode = ImageInfo->decode_unicode_le;
}
+ to = zend_multibyte_fetch_encoding(ImageInfo->encode_unicode TSRMLS_CC);
+ from = zend_multibyte_fetch_encoding(decode TSRMLS_CC);
/* XXX this will fail again if encoding_converter returns on error something different than SIZE_MAX */
- if (zend_multibyte_encoding_converter(
+ if (!to || !from || zend_multibyte_encoding_converter(
(unsigned char**)pszInfoPtr,
&len,
(unsigned char*)szValuePtr,
ByteCount,
- zend_multibyte_fetch_encoding(ImageInfo->encode_unicode TSRMLS_CC),
- zend_multibyte_fetch_encoding(decode TSRMLS_CC)
+ to,
+ from
TSRMLS_CC) == (size_t)-1) {
len = exif_process_string_raw(pszInfoPtr, szValuePtr, ByteCount);
}
@@ -2665,13 +2668,15 @@ static int exif_process_user_comment(image_info_type *ImageInfo, char **pszInfoP
szValuePtr = szValuePtr+8;
ByteCount -= 8;
/* XXX this will fail again if encoding_converter returns on error something different than SIZE_MAX */
- if (zend_multibyte_encoding_converter(
+ to = zend_multibyte_fetch_encoding(ImageInfo->encode_jis TSRMLS_CC);
+ from = zend_multibyte_fetch_encoding(ImageInfo->motorola_intel ? ImageInfo->decode_jis_be : ImageInfo->decode_jis_le TSRMLS_CC);
+ if (!to || !from || zend_multibyte_encoding_converter(
(unsigned char**)pszInfoPtr,
&len,
(unsigned char*)szValuePtr,
ByteCount,
- zend_multibyte_fetch_encoding(ImageInfo->encode_jis TSRMLS_CC),
- zend_multibyte_fetch_encoding(ImageInfo->motorola_intel ? ImageInfo->decode_jis_be : ImageInfo->decode_jis_le TSRMLS_CC)
+ to,
+ from
TSRMLS_CC) == (size_t)-1) {
len = exif_process_string_raw(pszInfoPtr, szValuePtr, ByteCount);
}
From 1364742be9757e594fd1b203d45805106ecd31c7 Mon Sep 17 00:00:00 2001
From: Stanislav Malyshev <stas@php.net>
Date: Mon, 18 Jul 2016 23:30:51 -0700
Subject: [PATCH] Fix tests
---
ext/exif/tests/bug54002.phpt | 6 +-----
ext/exif/tests/bug62523_2.phpt | 6 ++++--
2 files changed, 5 insertions(+), 7 deletions(-)
diff --git a/ext/exif/tests/bug54002.phpt b/ext/exif/tests/bug54002.phpt
index c51fa58..8f85339 100644
--- a/ext/exif/tests/bug54002.phpt
+++ b/ext/exif/tests/bug54002.phpt
@@ -13,8 +13,4 @@ exif_read_data(__DIR__ . '/bug54002_2.jpeg');
--EXPECTF--
Warning: exif_read_data(bug54002_1.jpeg): Process tag(x0205=UndefinedTa): Illegal byte_count in %sbug54002.php on line %d
-Warning: exif_read_data(bug54002_1.jpeg): Process tag(xA000=FlashPixVer): Illegal pointer offset(%s) in %sbug54002.php on line %d
-
-Warning: exif_read_data(bug54002_2.jpeg): Process tag(x0205=UndefinedTa): Illegal byte_count in %sbug54002.php on line %d
-
-Warning: exif_read_data(bug54002_2.jpeg): Process tag(xA000=FlashPixVer): Illegal pointer offset(%s) in %sbug54002.php on line %d
+Warning: exif_read_data(bug54002_2.jpeg): Process tag(x0205=UndefinedTa): Illegal byte_count in %sbug54002.php on line %d
\ No newline at end of file
diff --git a/ext/exif/tests/bug62523_2.phpt b/ext/exif/tests/bug62523_2.phpt
index ddc8ae8..c533d42 100644
--- a/ext/exif/tests/bug62523_2.phpt
+++ b/ext/exif/tests/bug62523_2.phpt
@@ -10,7 +10,9 @@ echo "Test\n";
var_dump(count(exif_read_data(__DIR__."/bug62523_2.jpg")));
?>
Done
---EXPECT--
+--EXPECTF--
Test
-int(76)
+
+Warning: exif_read_data(bug62523_2.jpg): IFD data bad offset: 0xADB23672 length 0x0D94 in %s/bug62523_2.php on line %d
+int(30)
Done
|
