MFB: Fixed bug #44388 (Crash inside exif_read_data() on invalid images)
authorIlia Alshanetsky <iliaa@php.net>
Wed, 12 Mar 2008 17:33:14 +0000 (17:33 +0000)
committerIlia Alshanetsky <iliaa@php.net>
Wed, 12 Mar 2008 17:33:14 +0000 (17:33 +0000)
NEWS
ext/exif/exif.c

diff --git a/NEWS b/NEWS
index 207534a5395d19a029362364944a9f3f6482de87..924aa482e73b2a2cef4740d13d6c8398181e5d02 100644 (file)
--- a/NEWS
+++ b/NEWS
@@ -2,6 +2,7 @@ PHP                                                                        NEWS
 |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
 ?? Mar 2008 , PHP 5.2.6
 - Fixed bug #44394 (Last two bytes missing from output). (Felipe)
+- Fixed bug #44388 (Crash inside exif_read_data() on invalid images) (Ilia)
 - Fixed bug #44373 (PDO_OCI extension compile failed). (Felipe)
 
 06 Mar 2008, PHP 5.2.6RC2
index 5aa0ab2e1c42b308b38e13c08ace654139543da2..b2d9811a9453311e7d3f4e847aea8dd2c613e18b 100644 (file)
@@ -2877,7 +2877,7 @@ static int exif_process_IFD_TAG(image_info_type *ImageInfo, char *dir_entry, cha
                                        /* exception are IFD pointers */
                                        exif_error_docref("exif_read_data#error_ifd" EXIFERR_CC, ImageInfo, E_WARNING, "Process tag(x%04X=%s): Illegal pointer offset(x%04X + x%04X = x%04X > x%04X)", tag, exif_get_tagname(tag, tagname, -12, tag_table TSRMLS_CC), offset_val, byte_count, offset_val+byte_count, IFDlength);
                                }
-                               return TRUE;
+                               return FALSE;
                        }
                        if (byte_count>sizeof(cbuf)) {
                                /* mark as outside range and get buffer */
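Review bot: The warning in this branch prints `offset_val+byte_count`, and if the guard above the hunk tests that same sum against `IFDlength`, two large values read from the image could wrap the addition and skip this branch, so the new `return FALSE;` would never be reached for them. The guard and the variable types are outside the hunk, so this needs confirming there; a subtraction form such as `byte_count > IFDlength || offset_val > IFDlength - byte_count` does not wrap. A one-line comment above the return, e.g. `/* illegal pointer offset: report failure to the caller */`, would record why the result changed from TRUE. The file list shows only NEWS and ext/exif/exif.c, so the commit carries no regression test with a malformed image for bug #44388. The body of exif_process_IFD_TAG starts and ends outside the hunk.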