From: Marcus Boerger <helly@php.net>
Date: Sun, 9 Oct 2005 14:40:01 +0000 (+0000)
Subject: - MFH Bugfix #34704 (Infinite recursion due to corrupt JPEG)
X-Git-Tag: php-5.1.0RC2~63
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=bc81f55541aca332c6323264f1c52dc71809d3e9;p=php

- MFH Bugfix #34704 (Infinite recursion due to corrupt JPEG)
---

diff --git a/NEWS b/NEWS
index 49f187a57b..1a6939ebfe 100644
--- a/NEWS
+++ b/NEWS
@@ -49,6 +49,7 @@ PHP                                                                        NEWS
 - Fixed bug #34785 (subclassing of mysqli_stmt does not work). (Georg)
 - Fixed bug #34771 (strtotime() fails with 1-12am/pm). (Derick)
 - Fixed bug #34723 (array_count_values() strips leading zeroes). (Tony)
+- Fixed bug #34704 (Infinite recursion due to corrupt JPEG). (Marcus)
 - Fixed bug #34678 (__call(), is_callable() and static methods). (Dmitry)
 - Fixed bug #34676: missing support for strtotime("midnight") and
   strtotime("noon"). (Derick)
diff --git a/ext/exif/exif.c b/ext/exif/exif.c
index 0523a5c3f0..5ec0542073 100644
--- a/ext/exif/exif.c
+++ b/ext/exif/exif.c
@@ -3031,6 +3031,12 @@ static int exif_process_IFD_in_JPEG(image_info_type *ImageInfo, char *dir_start,
 			return FALSE;
 		}
 	}
+	/*
+	 * Ignore IFD2 if it purportedly exists
+	 */
+	if (section_index == SECTION_THUMBNAIL) {
+		return FALSE;
+	}
 	/*
 	 * Hack to make it process IDF1 I hope
 	 * There are 2 IDFs, the second one holds the keys (0x0201 and 0x0202) to the thumbnail
diff --git a/ext/exif/tests/bug34704.jpg b/ext/exif/tests/bug34704.jpg
new file mode 100755
index 0000000000..42b14c1908
Binary files /dev/null and b/ext/exif/tests/bug34704.jpg differ
diff --git a/ext/exif/tests/bug34704.phpt b/ext/exif/tests/bug34704.phpt
new file mode 100755
index 0000000000..ee51910e3f
--- /dev/null
+++ b/ext/exif/tests/bug34704.phpt
@@ -0,0 +1,44 @@
+--TEST--
+Bug # 34704 (Infinite recursion due to corrupt JPEG)
+--SKIPIF--
+<?php if (!extension_loaded('exif')) print 'skip exif extension not available';?>
+--INI--
+magic_quotes_runtime=0
+output_handler=
+zlib.output_compression=0 
+--FILE--
+<?php
+
+$infile = dirname(__FILE__).'/bug34704.jpg';
+var_dump(exif_read_data($infile));
+?>
+===DONE===
+--EXPECT--
+array(7) {
+  ["FileName"]=>
+  string(12) "bug34704.jpg"
+  ["FileDateTime"]=>
+  int(1128866682)
+  ["FileSize"]=>
+  int(9976)
+  ["FileType"]=>
+  int(2)
+  ["MimeType"]=>
+  string(10) "image/jpeg"
+  ["SectionsFound"]=>
+  string(4) "IFD0"
+  ["COMPUTED"]=>
+  array(5) {
+    ["html"]=>
+    string(24) "width="386" height="488""
+    ["Height"]=>
+    int(488)
+    ["Width"]=>
+    int(386)
+    ["IsColor"]=>
+    int(1)
+    ["ByteOrderMotorola"]=>
+    int(0)
+  }
+}
+===DONE===
\ No newline at end of file