MFH: Fixed bug #33210 (relax jpeg recursive loop protection).

diff --git a/NEWS b/NEWS
index 781d72c42afd8f00395564266bdb967478ebdc65..2f2667a6387e1d657b492f6b763dc36ebeb0270e 100644 (file)
--- a/NEWS
+++ b/NEWS
@@ -12,6 +12,7 @@ PHP                                                                        NEWS
 - Fixed ext/mysqli to allocate less memory when fetching bound params
   of type (MEDIUM|LONG)BLOB/(MEDIUM|LONG)TEXT. (Andrey)
 - Fixed memory corruption in ImageTTFText() with 64bit systems. (Andrey)
+- Fixed bug #33210 (relax jpeg recursive loop protection). (Ilia)
 - Fixed bug #33200 (preg_replace(): magic_quotes_sybase=On makes 'e' modifier
   misbehave). (Jani)
 - Fixed bug #33185 (--enable-session=shared does not build). (Jani)

diff --git a/ext/standard/image.c b/ext/standard/image.c
index 1c9e7b7ecc056dcb5e94a13ece580e98b8f174bc..0b40643d748ff892e5e9e66a2b7127a7cc645f59 100644 (file)
--- a/ext/standard/image.c
+++ b/ext/standard/image.c
@@ -401,7 +401,7 @@ static unsigned int php_next_marker(php_stream * stream, int last_marker, int co
                                last_marker = M_PSEUDO; /* stop skipping non 0xff for M_COM */
                        }
                }
-               if (++a > 10)
+               if (++a > 25)
                {
                        /* who knows the maxim amount of 0xff? though 7 */
                        /* but found other implementations              */