111 lines
4.5 KiB
Diff
111 lines
4.5 KiB
Diff
Adapted for 5.4, by Remi Collet, binary patch removed, from:
|
|
|
|
|
|
From 41131cd41d2fd2e0c2f332a27988df75659c42e4 Mon Sep 17 00:00:00 2001
|
|
From: Stanislav Malyshev <stas@php.net>
|
|
Date: Mon, 18 Jul 2016 23:21:51 -0700
|
|
Subject: [PATCH] Fix bug #72618: NULL Pointer Dereference in
|
|
exif_process_user_comment
|
|
|
|
---
|
|
ext/exif/exif.c | 17 +++++++++++------
|
|
ext/exif/tests/bug72618.jpg | Bin 0 -> 3711 bytes
|
|
ext/exif/tests/bug72618.phpt | 11 +++++++++++
|
|
3 files changed, 22 insertions(+), 6 deletions(-)
|
|
create mode 100644 ext/exif/tests/bug72618.jpg
|
|
create mode 100644 ext/exif/tests/bug72618.phpt
|
|
|
|
diff --git a/ext/exif/exif.c b/ext/exif/exif.c
|
|
index 760e746..74b652b 100644
|
|
--- a/ext/exif/exif.c
|
|
+++ b/ext/exif/exif.c
|
|
@@ -2623,6 +2623,7 @@ static int exif_process_user_comment(image_info_type *ImageInfo, char **pszInfoP
|
|
*pszEncoding = NULL;
|
|
/* Copy the comment */
|
|
if (ByteCount>=8) {
|
|
+ const zend_encoding *from, *to;
|
|
if (!memcmp(szValuePtr, "UNICODE\0", 8)) {
|
|
*pszEncoding = estrdup((const char*)szValuePtr);
|
|
szValuePtr = szValuePtr+8;
|
|
@@ -2643,14 +2644,16 @@ static int exif_process_user_comment(image_info_type *ImageInfo, char **pszInfoP
|
|
} else {
|
|
decode = ImageInfo->decode_unicode_le;
|
|
}
|
|
+ to = zend_multibyte_fetch_encoding(ImageInfo->encode_unicode TSRMLS_CC);
|
|
+ from = zend_multibyte_fetch_encoding(decode TSRMLS_CC);
|
|
/* XXX this will fail again if encoding_converter returns on error something different than SIZE_MAX */
|
|
- if (zend_multibyte_encoding_converter(
|
|
+ if (!to || !from || zend_multibyte_encoding_converter(
|
|
(unsigned char**)pszInfoPtr,
|
|
&len,
|
|
(unsigned char*)szValuePtr,
|
|
ByteCount,
|
|
- zend_multibyte_fetch_encoding(ImageInfo->encode_unicode TSRMLS_CC),
|
|
- zend_multibyte_fetch_encoding(decode TSRMLS_CC)
|
|
+ to,
|
|
+ from
|
|
TSRMLS_CC) == (size_t)-1) {
|
|
len = exif_process_string_raw(pszInfoPtr, szValuePtr, ByteCount);
|
|
}
|
|
@@ -2665,13 +2668,15 @@ static int exif_process_user_comment(image_info_type *ImageInfo, char **pszInfoP
|
|
szValuePtr = szValuePtr+8;
|
|
ByteCount -= 8;
|
|
/* XXX this will fail again if encoding_converter returns on error something different than SIZE_MAX */
|
|
- if (zend_multibyte_encoding_converter(
|
|
+ to = zend_multibyte_fetch_encoding(ImageInfo->encode_jis TSRMLS_CC);
|
|
+ from = zend_multibyte_fetch_encoding(ImageInfo->motorola_intel ? ImageInfo->decode_jis_be : ImageInfo->decode_jis_le TSRMLS_CC);
|
|
+ if (!to || !from || zend_multibyte_encoding_converter(
|
|
(unsigned char**)pszInfoPtr,
|
|
&len,
|
|
(unsigned char*)szValuePtr,
|
|
ByteCount,
|
|
- zend_multibyte_fetch_encoding(ImageInfo->encode_jis TSRMLS_CC),
|
|
- zend_multibyte_fetch_encoding(ImageInfo->motorola_intel ? ImageInfo->decode_jis_be : ImageInfo->decode_jis_le TSRMLS_CC)
|
|
+ to,
|
|
+ from
|
|
TSRMLS_CC) == (size_t)-1) {
|
|
len = exif_process_string_raw(pszInfoPtr, szValuePtr, ByteCount);
|
|
}
|
|
|
|
From 1364742be9757e594fd1b203d45805106ecd31c7 Mon Sep 17 00:00:00 2001
|
|
From: Stanislav Malyshev <stas@php.net>
|
|
Date: Mon, 18 Jul 2016 23:30:51 -0700
|
|
Subject: [PATCH] Fix tests
|
|
|
|
---
|
|
ext/exif/tests/bug54002.phpt | 6 +-----
|
|
ext/exif/tests/bug62523_2.phpt | 6 ++++--
|
|
2 files changed, 5 insertions(+), 7 deletions(-)
|
|
|
|
diff --git a/ext/exif/tests/bug54002.phpt b/ext/exif/tests/bug54002.phpt
|
|
index c51fa58..8f85339 100644
|
|
--- a/ext/exif/tests/bug54002.phpt
|
|
+++ b/ext/exif/tests/bug54002.phpt
|
|
@@ -13,8 +13,4 @@ exif_read_data(__DIR__ . '/bug54002_2.jpeg');
|
|
--EXPECTF--
|
|
Warning: exif_read_data(bug54002_1.jpeg): Process tag(x0205=UndefinedTa): Illegal byte_count in %sbug54002.php on line %d
|
|
|
|
-Warning: exif_read_data(bug54002_1.jpeg): Process tag(xA000=FlashPixVer): Illegal pointer offset(%s) in %sbug54002.php on line %d
|
|
-
|
|
-Warning: exif_read_data(bug54002_2.jpeg): Process tag(x0205=UndefinedTa): Illegal byte_count in %sbug54002.php on line %d
|
|
-
|
|
-Warning: exif_read_data(bug54002_2.jpeg): Process tag(xA000=FlashPixVer): Illegal pointer offset(%s) in %sbug54002.php on line %d
|
|
+Warning: exif_read_data(bug54002_2.jpeg): Process tag(x0205=UndefinedTa): Illegal byte_count in %sbug54002.php on line %d
|
|
\ No newline at end of file
|
|
diff --git a/ext/exif/tests/bug62523_2.phpt b/ext/exif/tests/bug62523_2.phpt
|
|
index ddc8ae8..c533d42 100644
|
|
--- a/ext/exif/tests/bug62523_2.phpt
|
|
+++ b/ext/exif/tests/bug62523_2.phpt
|
|
@@ -10,7 +10,9 @@ echo "Test\n";
|
|
var_dump(count(exif_read_data(__DIR__."/bug62523_2.jpg")));
|
|
?>
|
|
Done
|
|
---EXPECT--
|
|
+--EXPECTF--
|
|
Test
|
|
-int(76)
|
|
+
|
|
+Warning: exif_read_data(bug62523_2.jpg): IFD data bad offset: 0xADB23672 length 0x0D94 in %s/bug62523_2.php on line %d
|
|
+int(30)
|
|
Done
|
