From: Christoph M. Becker <cmbecker69@gmx.de>
Date: Sat, 24 Nov 2018 11:52:08 +0000 (+0100)
Subject: Fix #77195: Incorrect error handling of imagecreatefromjpeg()
X-Git-Tag: php-7.2.14RC1~46
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=60a9f7a3a3502bfb7118f7fc5c06f9fdf713efad;p=php

Fix #77195: Incorrect error handling of imagecreatefromjpeg()

The broken JPEG image triggers a notice, two warnings and outputs a
message to stderr directly.  The additional notice is pretty useless,
and the direct output to stderr is bad.  Therefore, we port the
relevant differences from upstream to our bundled libgd.  This leaves
us with two warnings; the first one is triggered by libjpeg and shows
the actual problem, the second one is triggered by our libgd wrapper
whenever an image can't be read, what may not have necessarily
triggered a warning before.
---

diff --git a/NEWS b/NEWS
index ff727d5359..cdd38f5e58 100644
--- a/NEWS
+++ b/NEWS
@@ -9,6 +9,9 @@ PHP                                                                        NEWS
 - COM:
   . Fixed bug #77177 (Serializing or unserializing COM objects crashes). (cmb)
 
+- GD:
+  . Fixed bug #77195 (Incorrect error handling of imagecreatefromjpeg()). (cmb)
+
 - Sockets:
   . Fixed bug #77136 (Unsupported IPV6_RECVPKTINFO constants on macOS).
     (Mizunashi Mana)
diff --git a/ext/gd/libgd/gd_jpeg.c b/ext/gd/libgd/gd_jpeg.c
index 23d161631d..473de06f0e 100644
--- a/ext/gd/libgd/gd_jpeg.c
+++ b/ext/gd/libgd/gd_jpeg.c
@@ -67,14 +67,18 @@ static long php_jpeg_emit_message(j_common_ptr jpeg_info, int level)
 		 * unless strace_level >= 3
 		 */
 		if ((jpeg_info->err->num_warnings == 0) || (jpeg_info->err->trace_level >= 3)) {
-			gd_error_ex(ignore_warning ? GD_NOTICE : GD_WARNING, "gd-jpeg, libjpeg: recoverable error: %s\n", message);
+			if (!ignore_warning) {
+				gd_error("gd-jpeg, libjpeg: recoverable error: %s\n", message);
+			}
 		}
 
 		jpeg_info->err->num_warnings++;
 	} else {
 		/* strace msg, Show it if trace_level >= level. */
 		if (jpeg_info->err->trace_level >= level) {
-			gd_error_ex(GD_NOTICE, "gd-jpeg, libjpeg: strace message: %s\n", message);
+			if (!ignore_warning) {
+				gd_error("gd-jpeg, libjpeg: strace message: %s\n", message);
+			}
 		}
 	}
 	return 1;
@@ -86,9 +90,10 @@ static long php_jpeg_emit_message(j_common_ptr jpeg_info, int level)
 static void fatal_jpeg_error (j_common_ptr cinfo)
 {
 	jmpbuf_wrapper *jmpbufw;
+	char buffer[JMSG_LENGTH_MAX];
 
-	gd_error("gd-jpeg: JPEG library reports unrecoverable error: ");
-	(*cinfo->err->output_message) (cinfo);
+	(*cinfo->err->format_message)(cinfo, buffer);
+	gd_error_ex(GD_WARNING, "gd-jpeg: JPEG library reports unrecoverable error: %s", buffer);
 
 	jmpbufw = (jmpbuf_wrapper *) cinfo->client_data;
 	jpeg_destroy (cinfo);
diff --git a/ext/gd/tests/bug77195.jpeg b/ext/gd/tests/bug77195.jpeg
new file mode 100644
index 0000000000..66f92cf946
Binary files /dev/null and b/ext/gd/tests/bug77195.jpeg differ
diff --git a/ext/gd/tests/bug77195.phpt b/ext/gd/tests/bug77195.phpt
new file mode 100644
index 0000000000..944a09fc1a
--- /dev/null
+++ b/ext/gd/tests/bug77195.phpt
@@ -0,0 +1,19 @@
+--TEST--
+Bug #77195 (Incorrect error handling of imagecreatefromjpeg())
+--SKIPIF--
+<?php
+if (!extension_loaded('gd')) die('skip gd extension not available');
+if (!gd_info()['JPEG Support']) die('skip JPEG support not available');
+?>
+--FILE--
+<?php
+$filename = __DIR__ . '/bug77195.jpeg';
+@imagecreatefromjpeg($filename);
+imagecreatefromjpeg($filename);
+?>
+===DONE===
+--EXPECTF--
+Warning: imagecreatefromjpeg(): gd-jpeg: JPEG library reports unrecoverable error: JPEG datastream contains no image in %s on line %d
+
+Warning: imagecreatefromjpeg(): '/mnt/c/Users/cmb/php-dev/php-src/ext/gd/tests/bug77195.jpeg' is not a valid JPEG file in %s on line %d
+===DONE===