Bugfix #34704 (Infinite recursion due to corrupt JPEG) (Tim Starling)

diff --git a/ext/exif/exif.c b/ext/exif/exif.c
index 0523a5c3f0edc4d8486df663e4382705990bb693..5ec05420731ed8c8d3384ee50c3e42308e8cee9d 100644 (file)
--- a/ext/exif/exif.c
+++ b/ext/exif/exif.c
@@ -3031,6 +3031,12 @@ static int exif_process_IFD_in_JPEG(image_info_type *ImageInfo, char *dir_start,
                        return FALSE;
                }
        }
+       /*
+        * Ignore IFD2 if it purportedly exists
+        */
+       if (section_index == SECTION_THUMBNAIL) {
+               return FALSE;
+       }
        /*
         * Hack to make it process IDF1 I hope
         * There are 2 IDFs, the second one holds the keys (0x0201 and 0x0202) to the thumbnail

diff --git a/ext/exif/tests/bug34704.jpg b/ext/exif/tests/bug34704.jpg
new file mode 100755 (executable)
index 0000000..42b14c1
Binary files /dev/null and b/ext/exif/tests/bug34704.jpg differ

diff --git a/ext/exif/tests/bug34704.phpt b/ext/exif/tests/bug34704.phpt
new file mode 100755 (executable)
index 0000000..ee51910
--- /dev/null
+++ b/ext/exif/tests/bug34704.phpt
@@ -0,0 +1,44 @@
+--TEST--
+Bug # 34704 (Infinite recursion due to corrupt JPEG)
+--SKIPIF--
+<?php if (!extension_loaded('exif')) print 'skip exif extension not available';?>
+--INI--
+magic_quotes_runtime=0
+output_handler=
+zlib.output_compression=0 
+--FILE--
+<?php
+
+$infile = dirname(__FILE__).'/bug34704.jpg';
+var_dump(exif_read_data($infile));
+?>
+===DONE===
+--EXPECT--
+array(7) {
+  ["FileName"]=>
+  string(12) "bug34704.jpg"
+  ["FileDateTime"]=>
+  int(1128866682)
+  ["FileSize"]=>
+  int(9976)
+  ["FileType"]=>
+  int(2)
+  ["MimeType"]=>
+  string(10) "image/jpeg"
+  ["SectionsFound"]=>
+  string(4) "IFD0"
+  ["COMPUTED"]=>
+  array(5) {
+    ["html"]=>
+    string(24) "width="386" height="488""
+    ["Height"]=>
+    int(488)
+    ["Width"]=>
+    int(386)
+    ["IsColor"]=>
+    int(1)
+    ["ByteOrderMotorola"]=>
+    int(0)
+  }
+}
+===DONE===
\ No newline at end of file