Merged PR #293 (Exif crash on unknown encoding was fixed)
authorMichael Wallner <mike@php.net>
Mon, 21 Oct 2013 19:48:27 +0000 (21:48 +0200)
committerMichael Wallner <mike@php.net>
Mon, 21 Oct 2013 19:48:27 +0000 (21:48 +0200)
By:
Draal
Conflicts:
configure.in
main/php_version.h

ext/exif/exif.c
ext/exif/tests/exif_encoding_crash.jpg [new file with mode: 0644]
ext/exif/tests/exif_encoding_crash.phpt [new file with mode: 0644]

index bd646d9adf15a7eb925496d6d50215e2477ca654..2fe54f7b31c3ce957fccc3d47f0ca493c80db145 100644 (file)
@@ -2643,6 +2643,7 @@ static int exif_process_user_comment(image_info_type *ImageInfo, char **pszInfoP
                        } else {
                                decode = ImageInfo->decode_unicode_le;
                        }
+                       /* XXX this will fail again if encoding_converter returns on error something different than SIZE_MAX   */
                        if (zend_multibyte_encoding_converter(
                                        (unsigned char**)pszInfoPtr, 
                                        &len, 
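Review bot: The added XXX comment does not say what the check below it relies on, so a later reader cannot tell which contract is being assumed. I would replace it with `/* zend_multibyte_encoding_converter() returns size_t and reports failure as (size_t)-1; any other error value would skip the raw-copy fallback below */`. The same comment is added in the JIS branch and in exif_process_unicode and needs the same rewording. The call it annotates continues past the end of this hunk.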
@@ -2650,7 +2651,7 @@ static int exif_process_user_comment(image_info_type *ImageInfo, char **pszInfoP
                                        ByteCount,
                                        zend_multibyte_fetch_encoding(ImageInfo->encode_unicode TSRMLS_CC),
                                        zend_multibyte_fetch_encoding(decode TSRMLS_CC)
-                                       TSRMLS_CC) < 0) {
+                                       TSRMLS_CC) == (size_t)-1) {
                                len = exif_process_string_raw(pszInfoPtr, szValuePtr, ByteCount);
                        }
                        return len;
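Review bot: The failure test `== (size_t)-1` is now spelled out by hand at three call sites (this Unicode branch, the JIS branch and exif_process_unicode), so any change in the converter's error convention has to be found and fixed three times. The removed `< 0` compared an unsigned result against zero and could never be true, which left the raw-copy fallback unreachable for attacker-supplied images. A single static helper that performs the conversion and falls back to exif_process_string_raw would keep the sentinel in one place. Building this file with `-Wtype-limits` (part of `-Wextra` in GCC) would flag this class of always-false comparison if it is reintroduced. The enclosing function starts and ends outside the hunk.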
@@ -2663,6 +2664,7 @@ static int exif_process_user_comment(image_info_type *ImageInfo, char **pszInfoP
                        *pszEncoding = estrdup((const char*)szValuePtr);
                        szValuePtr = szValuePtr+8;
                        ByteCount -= 8;
+                       /* XXX this will fail again if encoding_converter returns on error something different than SIZE_MAX   */
                        if (zend_multibyte_encoding_converter(
                                        (unsigned char**)pszInfoPtr, 
                                        &len, 
@@ -2670,7 +2672,7 @@ static int exif_process_user_comment(image_info_type *ImageInfo, char **pszInfoP
                                        ByteCount,
                                        zend_multibyte_fetch_encoding(ImageInfo->encode_jis TSRMLS_CC),
                                        zend_multibyte_fetch_encoding(ImageInfo->motorola_intel ? ImageInfo->decode_jis_be : ImageInfo->decode_jis_le TSRMLS_CC)
-                                       TSRMLS_CC) < 0) {
+                                       TSRMLS_CC) == (size_t)-1) {
                                len = exif_process_string_raw(pszInfoPtr, szValuePtr, ByteCount);
                        }
                        return len;
@@ -2700,8 +2702,8 @@ static int exif_process_user_comment(image_info_type *ImageInfo, char **pszInfoP
 static int exif_process_unicode(image_info_type *ImageInfo, xp_field_type *xp_field, int tag, char *szValuePtr, int ByteCount TSRMLS_DC)
 {
        xp_field->tag = tag;    
-
-       /* Copy the comment */
+       
+       /* XXX this will fail again if encoding_converter returns on error something different than SIZE_MAX   */
        if (zend_multibyte_encoding_converter(
                        (unsigned char**)&xp_field->value, 
                        &xp_field->size, 
@@ -2709,7 +2711,7 @@ static int exif_process_unicode(image_info_type *ImageInfo, xp_field_type *xp_fi
                        ByteCount,
                        zend_multibyte_fetch_encoding(ImageInfo->encode_unicode TSRMLS_CC),
                        zend_multibyte_fetch_encoding(ImageInfo->motorola_intel ? ImageInfo->decode_unicode_be : ImageInfo->decode_unicode_le TSRMLS_CC)
-                       TSRMLS_CC) < 0) {
+                       TSRMLS_CC) == (size_t)-1) {
                xp_field->size = exif_process_string_raw(&xp_field->value, szValuePtr, ByteCount);
        }
        return xp_field->size;
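Review bot: exif_process_unicode passes its `int ByteCount` to the converter and to exif_process_string_raw without any range check in the visible body. The converter's length parameter type is not shown here, but its return value is compared as size_t, so a negative count would presumably become a very large length. Unless every caller already guarantees a non-negative value, an early guard such as `if (ByteCount < 0) { xp_field->size = 0; return 0; }` is worth adding. Whether xp_field->value must also be initialised on that path depends on code outside this hunk. One argument line of the call sits between this hunk and the previous one and is not visible.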
diff --git a/ext/exif/tests/exif_encoding_crash.jpg b/ext/exif/tests/exif_encoding_crash.jpg
new file mode 100644 (file)
index 0000000..55138ab
Binary files /dev/null and b/ext/exif/tests/exif_encoding_crash.jpg differ
diff --git a/ext/exif/tests/exif_encoding_crash.phpt b/ext/exif/tests/exif_encoding_crash.phpt
new file mode 100644 (file)
index 0000000..1c4ad63
--- /dev/null
@@ -0,0 +1,14 @@
+--TEST--
+PHP crash when zend_multibyte_encoding_converter returns (size_t)-1)
+--SKIPIF--
+<?php if (!extension_loaded('exif')) print 'skip exif extension not available';?>
+--FILE--
+<?php
+$infile = dirname(__FILE__).'/exif_encoding_crash.jpg';
+$exif_data = exif_read_data($infile);
+echo "*** no core dump ***\n";
+?>
+===DONE===
+--EXPECT--
+*** no core dump ***
+===DONE===
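Review bot: The test only proves that the process survives; `$exif_data` is never inspected, so a regression that returns garbage or an empty comment from the fallback path would still pass. I would pin at least the type of the result, or the comment field that the crafted JPEG exercises, in `--EXPECT--`. If exif_read_data() emits a warning for this malformed file, the exact-match expectation would also fail, so confirm whether the output needs `--EXPECTF--`. The title has an unbalanced parenthesis and should read `PHP crash when zend_multibyte_encoding_converter returns (size_t)-1`.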