/* When there are any characters after the first NUL */
ImageInfo->CopyrightPhotographer = estrdup(value_ptr);
ImageInfo->CopyrightEditor = estrndup(value_ptr+length+1, byte_count-length-1);
- spprintf(&ImageInfo->Copyright, 0, "%s, %s", value_ptr, value_ptr+length+1);
+ spprintf(&ImageInfo->Copyright, 0, "%s, %s", ImageInfo->CopyrightPhotographer, ImageInfo->CopyrightEditor);
/* format = TAG_FMT_UNDEFINED; this musn't be ASCII */
/* but we are not supposed to change this */
/* keep in mind that image_info does not store editor value */
ImageInfo->sections_found |= FOUND_IFD0;
+ if ((dir_start + 2) >= (offset_base+IFDlength)) {
+ exif_error_docref("exif_read_data#error_ifd" EXIFERR_CC, ImageInfo, E_WARNING, "Illegal IFD size");
+ return FALSE;
+ }
+
NumDirEntries = php_ifd_get16u(dir_start, ImageInfo->motorola_intel);
if ((dir_start+2+NumDirEntries*12) > (offset_base+IFDlength)) {
* Hack to make it process IDF1 I hope
* There are 2 IDFs, the second one holds the keys (0x0201 and 0x0202) to the thumbnail
*/
+ if ((dir_start+2+12*de + 4) >= (offset_base+IFDlength)) {
+ exif_error_docref("exif_read_data#error_ifd" EXIFERR_CC, ImageInfo, E_WARNING, "Illegal IFD size");
+ return FALSE;
+ }
NextDirOffset = php_ifd_get32u(dir_start+2+12*de, ImageInfo->motorola_intel);
if (NextDirOffset) {
/* the next line seems false but here IFDlength means length of all IFDs */
}
/* Check the next two values for correctness. */
+ if (length < 8) {
+ exif_error_docref(NULL EXIFERR_CC, ImageInfo, E_WARNING, "Invalid TIFF start (1)");
+ return;
+ }
exif_value_2a = php_ifd_get16u(CharBuf+2, ImageInfo->motorola_intel);
offset_of_ifd = php_ifd_get32u(CharBuf+4, ImageInfo->motorola_intel);
- if ( exif_value_2a != 0x2a || offset_of_ifd < 0x08) {
+ if (exif_value_2a != 0x2a || offset_of_ifd < 0x08) {
exif_error_docref(NULL EXIFERR_CC, ImageInfo, E_WARNING, "Invalid TIFF start (1)");
return;
}
--- /dev/null
+--TEST--
+Bug #72094: Out of bounds heap read access in exif header processing
+--SKIPIF--
+<?php if (!extension_loaded('exif')) print 'skip exif extension not available';?>
+--FILE--
+<?php
+print_r(exif_read_data(__DIR__ . '/bug72094_1.jpg'));
+print_r(exif_read_data(__DIR__ . '/bug72094_2.jpg'));
+print_r(exif_read_data(__DIR__ . '/bug72094_3.jpg'));
+print_r(exif_read_data(__DIR__ . '/bug72094_4.jpg'));
+?>
+DONE
+--EXPECTF--
+Warning: exif_read_data(bug72094_1.jpg): Process tag(x3030=UndefinedTa): Illegal format code 0x3030, suppose BYTE in %s/bug72094.php on line %d
+
+Warning: exif_read_data(bug72094_1.jpg): Process tag(x3030=UndefinedTa): Illegal format code 0x3030, suppose BYTE in %s/bug72094.php on line %d
+
+Warning: exif_read_data(bug72094_1.jpg): Process tag(x3030=UndefinedTa): Illegal format code 0x3030, suppose BYTE in %s/bug72094.php on line %d
+
+Warning: exif_read_data(bug72094_1.jpg): Process tag(x3030=UndefinedTa): Illegal format code 0x3030, suppose BYTE in %s/bug72094.php on line %d
+
+Warning: exif_read_data(bug72094_1.jpg): Process tag(x3030=UndefinedTa): Illegal format code 0x3030, suppose BYTE in %s/bug72094.php on line %d
+
+Warning: exif_read_data(bug72094_1.jpg): Process tag(x8298=Copyright ): Illegal format code 0x3030, suppose BYTE in %s/bug72094.php on line %d
+
+Warning: exif_read_data(bug72094_1.jpg): Illegal IFD offset in %s/bug72094.php on line %d
+
+Warning: exif_read_data(bug72094_1.jpg): File structure corrupted in %s/bug72094.php on line %d
+
+Warning: exif_read_data(bug72094_1.jpg): Invalid JPEG file in %s/bug72094.php on line %d
+
+Warning: exif_read_data(bug72094_2.jpg): Illegal IFD size in %s/bug72094.php on line %d
+
+Warning: exif_read_data(bug72094_2.jpg): File structure corrupted in %s/bug72094.php on line %d
+
+Warning: exif_read_data(bug72094_2.jpg): Invalid JPEG file in %s/bug72094.php on line %d
+
+Warning: exif_read_data(bug72094_3.jpg): Process tag(x3030=UndefinedTa): Illegal format code 0x3030, suppose BYTE in %s/bug72094.php on line %d
+
+Warning: exif_read_data(bug72094_3.jpg): Process tag(x3030=UndefinedTa): Illegal format code 0x3030, suppose BYTE in %s/bug72094.php on line %d
+
+Warning: exif_read_data(bug72094_3.jpg): Process tag(x3030=UndefinedTa): Illegal format code 0x3030, suppose BYTE in %s/bug72094.php on line %d
+
+Warning: exif_read_data(bug72094_3.jpg): Process tag(x3030=UndefinedTa): Illegal format code 0x3030, suppose BYTE in %s/bug72094.php on line %d
+
+Warning: exif_read_data(bug72094_3.jpg): Process tag(x3030=UndefinedTa): Illegal format code 0x3030, suppose BYTE in %s/bug72094.php on line %d
+
+Warning: exif_read_data(bug72094_3.jpg): Process tag(x3030=UndefinedTa): Illegal format code 0x3030, suppose BYTE in %s/bug72094.php on line %d
+
+Warning: exif_read_data(bug72094_3.jpg): Illegal IFD size in %s/bug72094.php on line %d
+
+Warning: exif_read_data(bug72094_3.jpg): File structure corrupted in %s/bug72094.php on line %d
+
+Warning: exif_read_data(bug72094_3.jpg): Invalid JPEG file in %s/bug72094.php on line %d
+
+Warning: exif_read_data(bug72094_4.jpg): Invalid TIFF start (1) in %s/bug72094.php on line %d
+
+Warning: exif_read_data(bug72094_4.jpg): File structure corrupted in %s/bug72094.php on line %d
+
+Warning: exif_read_data(bug72094_4.jpg): Invalid JPEG file in %s/bug72094.php on line %d
+DONE
\ No newline at end of file
projects / php / commitdiff
