Fixed bug #50660 (exif_read_data(): Illegal IFD offset (works fine with other exif...

author Kalle Sommer Nielsen <kalle@php.net>

Fri, 7 Jul 2017 09:29:23 +0000 (11:29 +0200)

committer Kalle Sommer Nielsen <kalle@php.net>

Fri, 7 Jul 2017 09:29:23 +0000 (11:29 +0200)
author Kalle Sommer Nielsen <kalle@php.net>
Fri, 7 Jul 2017 09:29:23 +0000 (11:29 +0200)
committer Kalle Sommer Nielsen <kalle@php.net>
Fri, 7 Jul 2017 09:29:23 +0000 (11:29 +0200)
diff --git a/NEWS b/NEWS

index a088bd73826dc95da7f0e0553785721c19fb16cd..f5664f5a7214e2ddd8952eff5cc8e094f1d71b6b 100644 (file)
--- a/NEWS
+++ b/NEWS
@@ -13,6 +13,8 @@ PHP                                                                        NEWS
  - EXIF:
    . Fixed bug #74428 (exif_read_data(): "Illegal IFD size" warning occurs with 
      correct exif format). (bradpiccho at gmail dot com, Kalle)
+  . Fixed bug #50660 (exif_read_data(): Illegal IFD offset (works fine with 
+    other exif readers). (skinny dot bravo at gmail dot com, Kalle)
  
  - GD:
    . Fixed bug #74435 (Buffer over-read into uninitialized memory). (cmb)
diff --git a/ext/exif/exif.c b/ext/exif/exif.c

index a75c0ba0f1b209700482d7c72a40c9a0abd4cc63..d4aa26c700ef653184bd2adb1db99032ef7fc819 100644 (file)
--- a/ext/exif/exif.c
+++ b/ext/exif/exif.c
@@ -2677,7 +2677,7 @@ static void exif_process_SOFn (uchar *Data, int marker, jpeg_sof_info *result)
  /* }}} */
  
  /* forward declarations */
-static int exif_process_IFD_in_JPEG(image_info_type *ImageInfo, char *dir_start, char *offset_base, size_t IFDlength, size_t displacement, int section_index);
+static int exif_process_IFD_in_JPEG(image_info_type *ImageInfo, char *dir_start, char *offset_base, size_t IFDlength, size_t displacement, int section_index, int tag);
  static int exif_process_IFD_TAG(    image_info_type *ImageInfo, char *dir_entry, char *offset_base, size_t IFDlength, size_t displacement, int section_index, int ReadNextIFD, tag_table_type tag_table);
  
  /* {{{ exif_get_markername
@@ -3524,7 +3524,7 @@ static int exif_process_IFD_TAG(image_info_type *ImageInfo, char *dir_entry, cha
                                                 exif_error_docref("exif_read_data#error_ifd" EXIFERR_CC, ImageInfo, E_WARNING, "Illegal IFD Pointer");
                                                 return FALSE;
                                         }
-                                       if (!exif_process_IFD_in_JPEG(ImageInfo, Subdir_start, offset_base, IFDlength, displacement, sub_section_index)) {
+                                       if (!exif_process_IFD_in_JPEG(ImageInfo, Subdir_start, offset_base, IFDlength, displacement, sub_section_index, tag)) {
                                                 return FALSE;
                                         }
  #ifdef EXIF_DEBUG
@@ -3541,11 +3541,11 @@ static int exif_process_IFD_TAG(image_info_type *ImageInfo, char *dir_entry, cha
  
  /* {{{ exif_process_IFD_in_JPEG
   * Process one of the nested IFDs directories. */
-static int exif_process_IFD_in_JPEG(image_info_type *ImageInfo, char *dir_start, char *offset_base, size_t IFDlength, size_t displacement, int section_index)
+static int exif_process_IFD_in_JPEG(image_info_type *ImageInfo, char *dir_start, char *offset_base, size_t IFDlength, size_t displacement, int section_index, int tag)
  {
         int de;
         int NumDirEntries;
-       int NextDirOffset;
+       int NextDirOffset = 0;
  
  #ifdef EXIF_DEBUG
         exif_error_docref(NULL EXIFERR_CC, ImageInfo, E_NOTICE, "Process %s (x%04X(=%d))", exif_get_sectionname(section_index), IFDlength, IFDlength);
@@ -3585,7 +3585,11 @@ static int exif_process_IFD_in_JPEG(image_info_type *ImageInfo, char *dir_start,
                 exif_error_docref("exif_read_data#error_ifd" EXIFERR_CC, ImageInfo, E_WARNING, "Illegal IFD size");
                 return FALSE;
         }
-       NextDirOffset = php_ifd_get32u(dir_start+2+12*de, ImageInfo->motorola_intel);
+
+       if (tag != TAG_EXIF_IFD_POINTER && tag != TAG_GPS_IFD_POINTER) {
+               NextDirOffset = php_ifd_get32u(dir_start+2+12*de, ImageInfo->motorola_intel);
+       }
+
         if (NextDirOffset) {
                 /* the next line seems false but here IFDlength means length of all IFDs */
                 if (offset_base + NextDirOffset < offset_base || offset_base + NextDirOffset > offset_base+IFDlength) {
@@ -3596,7 +3600,7 @@ static int exif_process_IFD_in_JPEG(image_info_type *ImageInfo, char *dir_start,
  #ifdef EXIF_DEBUG
                 exif_error_docref(NULL EXIFERR_CC, ImageInfo, E_NOTICE, "Expect next IFD to be thumbnail");
  #endif
-               if (exif_process_IFD_in_JPEG(ImageInfo, offset_base + NextDirOffset, offset_base, IFDlength, displacement, SECTION_THUMBNAIL)) {
+               if (exif_process_IFD_in_JPEG(ImageInfo, offset_base + NextDirOffset, offset_base, IFDlength, displacement, SECTION_THUMBNAIL, 0)) {
  #ifdef EXIF_DEBUG
                         exif_error_docref(NULL EXIFERR_CC, ImageInfo, E_NOTICE, "Thumbnail size: 0x%04X", ImageInfo->Thumbnail.size);
  #endif
@@ -3651,7 +3655,7 @@ static void exif_process_TIFF_in_JPEG(image_info_type *ImageInfo, char *CharBuf,
  
         ImageInfo->sections_found |= FOUND_IFD0;
         /* First directory starts at offset 8. Offsets starts at 0. */
-       exif_process_IFD_in_JPEG(ImageInfo, CharBuf+offset_of_ifd, CharBuf, length/*-14*/, displacement, SECTION_IFD0);
+       exif_process_IFD_in_JPEG(ImageInfo, CharBuf+offset_of_ifd, CharBuf, length/*-14*/, displacement, SECTION_IFD0, 0);
  
  #ifdef EXIF_DEBUG
         exif_error_docref(NULL EXIFERR_CC, ImageInfo, E_NOTICE, "Process TIFF in JPEG done");
diff --git a/ext/exif/tests/bug50660/bug50660-1.jpg b/ext/exif/tests/bug50660/bug50660-1.jpg

new file mode 100644 (file)

index 0000000..9a903c0

Binary files /dev/null and b/ext/exif/tests/bug50660/bug50660-1.jpg differ
diff --git a/ext/exif/tests/bug50660/bug50660-2.jpg b/ext/exif/tests/bug50660/bug50660-2.jpg

new file mode 100644 (file)

index 0000000..9f85473

Binary files /dev/null and b/ext/exif/tests/bug50660/bug50660-2.jpg differ
diff --git a/ext/exif/tests/bug50660/bug50660.phpt b/ext/exif/tests/bug50660/bug50660.phpt

new file mode 100644 (file)

index 0000000..cf0795f
--- /dev/null
+++ b/ext/exif/tests/bug50660/bug50660.phpt
@@ -0,0 +1,19 @@
+--TEST--
+Bug #50660 (exif_read_data(): Illegal IFD offset (works fine with other exif readers))
+--SKIPIF--
+<?php if (!extension_loaded('exif')) print 'skip exif extension not available';?>
+--INI--
+output_handler=
+zlib.output_compression=0 
+--FILE--
+<?php
+$infile = dirname(__FILE__).'/bug50660-1.jpg';
+var_dump(exif_read_data($infile) !== false);
+$infile = dirname(__FILE__).'/bug50660-2.jpg';
+var_dump(exif_read_data($infile) !== false);
+?>
+===DONE===
+--EXPECTF--
+bool(true)
+bool(true)
+===DONE===
author	Kalle Sommer Nielsen <kalle@php.net>
	Fri, 7 Jul 2017 09:29:23 +0000 (11:29 +0200)
committer	Kalle Sommer Nielsen <kalle@php.net>
	Fri, 7 Jul 2017 09:29:23 +0000 (11:29 +0200)
NEWS		patch \| blob \| history
ext/exif/exif.c		patch \| blob \| history
ext/exif/tests/bug50660/bug50660-1.jpg	[new file with mode: 0644]	patch \| blob
ext/exif/tests/bug50660/bug50660-2.jpg	[new file with mode: 0644]	patch \| blob
ext/exif/tests/bug50660/bug50660.phpt	[new file with mode: 0644]	patch \| blob