From: Pierre Joye
Date: Thu, 28 May 2009 14:03:09 +0000 (+0000)
Subject: - MFB: #48378, exif_read_data() segfaults on certain corrupted .jpeg files
X-Git-Tag: php-5.2.10RC2~67
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=1a836712f0bee4e43e02358aa2ee8a83858331a5;p=php
- MFB: #48378, exif_read_data() segfaults on certain corrupted .jpeg files
---
diff --git a/ext/exif/exif.c b/ext/exif/exif.c
index fff51b65aa..a0c7c674ee 100644
--- a/ext/exif/exif.c
+++ b/ext/exif/exif.c
@@ -3215,6 +3215,10 @@ static void exif_process_TIFF_in_JPEG(image_info_type *ImageInfo, char *CharBuf,
 exif_error_docref(NULL EXIFERR_CC, ImageInfo, E_WARNING, "Invalid TIFF start (1)");
 return;
 }
+ if (offset_of_ifd > length) {
+ exif_error_docref(NULL EXIFERR_CC, ImageInfo, E_WARNING, "Invalid IFD start");
+ return;
+ }
 ImageInfo->sections_found |= FOUND_IFD0;
 /* First directory starts at offset 8. Offsets starts at 0. */
diff --git a/ext/exif/tests/bug48378.jpeg b/ext/exif/tests/bug48378.jpeg
new file mode 100644
index 0000000000..759d805709
Binary files /dev/null and b/ext/exif/tests/bug48378.jpeg differ
diff --git a/ext/exif/tests/bug48378.phpt b/ext/exif/tests/bug48378.phpt
new file mode 100644
index 0000000000..286ce61073
--- /dev/null
+++ b/ext/exif/tests/bug48378.phpt
@@ -0,0 +1,19 @@
+--TEST--
+Bug #48378 (Infinite recursion due to corrupt JPEG)
+--SKIPIF--
+
+--FILE--
+
+--EXPECTF--
+Warning: exif_read_data(%s): Invalid IFD start in %s48378.php on line %d
+
+Warning: exif_read_data(%s): Error reading from file: got=x08B4(=2228) != itemlen-2=x1FFE(=8190) in %s48378.php on line %d
+
+Warning: exif_read_data(%s): Invalid JPEG file in %s48378.php on line %d
+
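Review bot: The new guard `if (offset_of_ifd > length)` still accepts `offset_of_ifd == length` and any offset inside the 8-byte TIFF header, so the first directory may be placed on the last byte of the buffer or on top of the header even though the comment two lines down states the first directory starts at offset 8. Since a directory begins with a 2-byte entry count, a bound such as `if (offset_of_ifd < 8 || offset_of_ifd > length || length - offset_of_ifd < 2) {` rejects those inputs with the same "Invalid IFD start" warning and cannot underflow. The types of `offset_of_ifd` and `length` are not visible in the hunk; if `offset_of_ifd` is signed, a negative value would also need rejecting explicitly, as the comparison alone may let it through. The remainder of exif_process_TIFF_in_JPEG, including the call that consumes `offset_of_ifd`, lies outside the hunk, so how much slack the callee needs beyond the entry count should be confirmed there.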