MFB (bugfix for 28451)
authorAndrei Zmievski <andrei@php.net>
Fri, 21 Jan 2005 23:59:55 +0000 (23:59 +0000)
committerAndrei Zmievski <andrei@php.net>
Fri, 21 Jan 2005 23:59:55 +0000 (23:59 +0000)
NEWS
ext/exif/exif.c

diff --git a/NEWS b/NEWS
index 11089f28255463f2c929fee0d67c1f9a45735d9f..192c2aadc87181e7325f60e11aa1fa1c64a18d10 100644 (file)
--- a/NEWS
+++ b/NEWS
@@ -1,6 +1,8 @@
 PHP                                                                        NEWS
 |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
 ?? ??? 2005, PHP 5.0.4
+- Fixed bug #28451 (corupt EXIF headers have unlimited recursive IFD directory
+  entries). (Andrei)
 - Added Oracle Instant Client support. (cjbj at hotmail dot com, Tony)
 - Added length and charsetnr for field array and object in mysqli. (Georg)
 - Changed phpize not to require automake and libtool. (Jani)
index 034f1fb6357f14dd2f664cf60b954a594564e8e2..ed47a9601ab468dad923a4d9d3aa9563aa532e06 100644 (file)
@@ -93,12 +93,13 @@ typedef unsigned char uchar;
 
 #define EFREE_IF(ptr)  if (ptr) efree(ptr)
 
+#define MAX_IFD_NESTING_LEVEL 5
+
 static
 ZEND_BEGIN_ARG_INFO(exif_thumbnail_force_ref, 1)
        ZEND_ARG_PASS_INFO(0)
 ZEND_END_ARG_INFO();
 
-
 /* {{{ exif_functions[]
  */
 function_entry exif_functions[] = {
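Review bot: `MAX_IFD_NESTING_LEVEL` is added without a comment saying what it bounds or why 5 was chosen, so a reader of this header region cannot tell that it is the depth at which the IFD walker stops following sub-directories. I would put above the define: `/* Maximum depth of nested IFD sub-directories the parser will follow; anything deeper is treated as a corrupt header and rejected with a warning. */`. The new `ifd_nesting_level` member in the image_info_type hunk below needs a matching one-line comment, e.g. `/* current IFD nesting depth, compared against MAX_IFD_NESTING_LEVEL */`, since the other members in that struct carry section comments.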
@@ -1442,6 +1443,7 @@ typedef struct {
        /* for parsing */
        int             read_thumbnail;
        int             read_all;
+       int             ifd_nesting_level;
        /* internal */
        file_section_list       file;
 } image_info_type;
@@ -2711,6 +2713,13 @@ static int exif_process_IFD_TAG(image_info_type *ImageInfo, char *dir_entry, cha
        size_t byte_count, offset_val, fpos, fgot;
        xp_field_type *tmp_xp;
 
+       /* Protect against corrupt headers */
+       if (ImageInfo->ifd_nesting_level > MAX_IFD_NESTING_LEVEL) {
+               exif_error_docref("exif_read_data#error_ifd" TSRMLS_CC, ImageInfo, E_WARNING, "corrupt EXIF header: maximum directory nesting level reached");
+               return FALSE;
+       }
+       ImageInfo->ifd_nesting_level++;
+
        tag = php_ifd_get16u(dir_entry, ImageInfo->motorola_intel);
        format = php_ifd_get16u(dir_entry+2, ImageInfo->motorola_intel);
        components = php_ifd_get32u(dir_entry+4, ImageInfo->motorola_intel);
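Review bot: The counter is incremented unconditionally at the top of exif_process_IFD_TAG, which takes a single `dir_entry`, and nothing in this hunk decrements it; unless a decrement exists outside the hunk, the value counts directory entries processed since the reset in exif_read_file rather than nesting depth, so a well-formed file with more than six tags would hit the warning and return FALSE for every later entry. The increment belongs around the recursive sub-IFD call this function makes for IFD-pointer tags (outside the hunk), with `ImageInfo->ifd_nesting_level++;` before it and `ImageInfo->ifd_nesting_level--;` after it returns, keeping the check at the top unchanged. Note also that the check runs before the increment, so depths 0 through 5 are accepted, one more level than the macro's name suggests; either compare with `>=` or increment before comparing. The rest of exif_process_IFD_TAG, including that recursive call, lies outside the hunk, so this is inferred from the visible lines.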
@@ -3739,6 +3748,8 @@ static int exif_read_file(image_info_type *ImageInfo, char *FileName, int read_t
                }
        }
 
+       ImageInfo->ifd_nesting_level = 0;
+
        /* Scan the JPEG headers. */
        ret = exif_scan_FILE_header(ImageInfo TSRMLS_CC);