]> granicus.if.org Git - php/commitdiff
Fixed bug #50660 (exif_read_data(): Illegal IFD offset (works fine with other exif...
authorKalle Sommer Nielsen <kalle@php.net>
Fri, 7 Jul 2017 09:29:23 +0000 (11:29 +0200)
committerKalle Sommer Nielsen <kalle@php.net>
Fri, 7 Jul 2017 09:29:23 +0000 (11:29 +0200)
NEWS
ext/exif/exif.c
ext/exif/tests/bug50660/bug50660-1.jpg [new file with mode: 0644]
ext/exif/tests/bug50660/bug50660-2.jpg [new file with mode: 0644]
ext/exif/tests/bug50660/bug50660.phpt [new file with mode: 0644]

diff --git a/NEWS b/NEWS
index a088bd73826dc95da7f0e0553785721c19fb16cd..f5664f5a7214e2ddd8952eff5cc8e094f1d71b6b 100644 (file)
--- a/NEWS
+++ b/NEWS
@@ -13,6 +13,8 @@ PHP                                                                        NEWS
 - EXIF:
   . Fixed bug #74428 (exif_read_data(): "Illegal IFD size" warning occurs with 
     correct exif format). (bradpiccho at gmail dot com, Kalle)
+  . Fixed bug #50660 (exif_read_data(): Illegal IFD offset (works fine with 
+    other exif readers). (skinny dot bravo at gmail dot com, Kalle)
 
 - GD:
   . Fixed bug #74435 (Buffer over-read into uninitialized memory). (cmb)
index a75c0ba0f1b209700482d7c72a40c9a0abd4cc63..d4aa26c700ef653184bd2adb1db99032ef7fc819 100644 (file)
@@ -2677,7 +2677,7 @@ static void exif_process_SOFn (uchar *Data, int marker, jpeg_sof_info *result)
 /* }}} */
 
 /* forward declarations */
-static int exif_process_IFD_in_JPEG(image_info_type *ImageInfo, char *dir_start, char *offset_base, size_t IFDlength, size_t displacement, int section_index);
+static int exif_process_IFD_in_JPEG(image_info_type *ImageInfo, char *dir_start, char *offset_base, size_t IFDlength, size_t displacement, int section_index, int tag);
 static int exif_process_IFD_TAG(    image_info_type *ImageInfo, char *dir_entry, char *offset_base, size_t IFDlength, size_t displacement, int section_index, int ReadNextIFD, tag_table_type tag_table);
 
 /* {{{ exif_get_markername
@@ -3524,7 +3524,7 @@ static int exif_process_IFD_TAG(image_info_type *ImageInfo, char *dir_entry, cha
                                                exif_error_docref("exif_read_data#error_ifd" EXIFERR_CC, ImageInfo, E_WARNING, "Illegal IFD Pointer");
                                                return FALSE;
                                        }
-                                       if (!exif_process_IFD_in_JPEG(ImageInfo, Subdir_start, offset_base, IFDlength, displacement, sub_section_index)) {
+                                       if (!exif_process_IFD_in_JPEG(ImageInfo, Subdir_start, offset_base, IFDlength, displacement, sub_section_index, tag)) {
                                                return FALSE;
                                        }
 #ifdef EXIF_DEBUG
@@ -3541,11 +3541,11 @@ static int exif_process_IFD_TAG(image_info_type *ImageInfo, char *dir_entry, cha
 
 /* {{{ exif_process_IFD_in_JPEG
  * Process one of the nested IFDs directories. */
-static int exif_process_IFD_in_JPEG(image_info_type *ImageInfo, char *dir_start, char *offset_base, size_t IFDlength, size_t displacement, int section_index)
+static int exif_process_IFD_in_JPEG(image_info_type *ImageInfo, char *dir_start, char *offset_base, size_t IFDlength, size_t displacement, int section_index, int tag)
 {
        int de;
        int NumDirEntries;
-       int NextDirOffset;
+       int NextDirOffset = 0;
 
 #ifdef EXIF_DEBUG
        exif_error_docref(NULL EXIFERR_CC, ImageInfo, E_NOTICE, "Process %s (x%04X(=%d))", exif_get_sectionname(section_index), IFDlength, IFDlength);
@@ -3585,7 +3585,11 @@ static int exif_process_IFD_in_JPEG(image_info_type *ImageInfo, char *dir_start,
                exif_error_docref("exif_read_data#error_ifd" EXIFERR_CC, ImageInfo, E_WARNING, "Illegal IFD size");
                return FALSE;
        }
-       NextDirOffset = php_ifd_get32u(dir_start+2+12*de, ImageInfo->motorola_intel);
+
+       if (tag != TAG_EXIF_IFD_POINTER && tag != TAG_GPS_IFD_POINTER) {
+               NextDirOffset = php_ifd_get32u(dir_start+2+12*de, ImageInfo->motorola_intel);
+       }
+
        if (NextDirOffset) {
                /* the next line seems false but here IFDlength means length of all IFDs */
                if (offset_base + NextDirOffset < offset_base || offset_base + NextDirOffset > offset_base+IFDlength) {
@@ -3596,7 +3600,7 @@ static int exif_process_IFD_in_JPEG(image_info_type *ImageInfo, char *dir_start,
 #ifdef EXIF_DEBUG
                exif_error_docref(NULL EXIFERR_CC, ImageInfo, E_NOTICE, "Expect next IFD to be thumbnail");
 #endif
-               if (exif_process_IFD_in_JPEG(ImageInfo, offset_base + NextDirOffset, offset_base, IFDlength, displacement, SECTION_THUMBNAIL)) {
+               if (exif_process_IFD_in_JPEG(ImageInfo, offset_base + NextDirOffset, offset_base, IFDlength, displacement, SECTION_THUMBNAIL, 0)) {
 #ifdef EXIF_DEBUG
                        exif_error_docref(NULL EXIFERR_CC, ImageInfo, E_NOTICE, "Thumbnail size: 0x%04X", ImageInfo->Thumbnail.size);
 #endif
@@ -3651,7 +3655,7 @@ static void exif_process_TIFF_in_JPEG(image_info_type *ImageInfo, char *CharBuf,
 
        ImageInfo->sections_found |= FOUND_IFD0;
        /* First directory starts at offset 8. Offsets starts at 0. */
-       exif_process_IFD_in_JPEG(ImageInfo, CharBuf+offset_of_ifd, CharBuf, length/*-14*/, displacement, SECTION_IFD0);
+       exif_process_IFD_in_JPEG(ImageInfo, CharBuf+offset_of_ifd, CharBuf, length/*-14*/, displacement, SECTION_IFD0, 0);
 
 #ifdef EXIF_DEBUG
        exif_error_docref(NULL EXIFERR_CC, ImageInfo, E_NOTICE, "Process TIFF in JPEG done");
diff --git a/ext/exif/tests/bug50660/bug50660-1.jpg b/ext/exif/tests/bug50660/bug50660-1.jpg
new file mode 100644 (file)
index 0000000..9a903c0
Binary files /dev/null and b/ext/exif/tests/bug50660/bug50660-1.jpg differ
diff --git a/ext/exif/tests/bug50660/bug50660-2.jpg b/ext/exif/tests/bug50660/bug50660-2.jpg
new file mode 100644 (file)
index 0000000..9f85473
Binary files /dev/null and b/ext/exif/tests/bug50660/bug50660-2.jpg differ
diff --git a/ext/exif/tests/bug50660/bug50660.phpt b/ext/exif/tests/bug50660/bug50660.phpt
new file mode 100644 (file)
index 0000000..cf0795f
--- /dev/null
@@ -0,0 +1,19 @@
+--TEST--
+Bug #50660 (exif_read_data(): Illegal IFD offset (works fine with other exif readers))
+--SKIPIF--
+<?php if (!extension_loaded('exif')) print 'skip exif extension not available';?>
+--INI--
+output_handler=
+zlib.output_compression=0 
+--FILE--
+<?php
+$infile = dirname(__FILE__).'/bug50660-1.jpg';
+var_dump(exif_read_data($infile) !== false);
+$infile = dirname(__FILE__).'/bug50660-2.jpg';
+var_dump(exif_read_data($infile) !== false);
+?>
+===DONE===
+--EXPECTF--
+bool(true)
+bool(true)
+===DONE===