From 1740823864fe22f469642c68c5bf389d1a30f43c Mon Sep 17 00:00:00 2001
From: Kalle Sommer Nielsen <kalle@php.net>
Date: Fri, 5 Aug 2016 10:03:14 +0200
Subject: [PATCH] Fixed bug #68547 (Exif Header component value check error)
 (Patch by sjh21a at gmail dot com)

This patch changes processing a little and causes some crafted tags to not be parsed and generate a warning.

This is a slight BC break from earlier versions, since it will no longer return the tags of that it was mismatching (see bug68799.phpt), namely the "WINXP" section and the "Author" tag is no longer returned due to this. Although this BC break is merely only for crafted tags, this can also have some real life effects on pictures re-saved from editors that can cause bad exif data writes, so lets keep it here.
---
 NEWS                         |   2 ++
 ext/exif/exif.c              |   2 +-
 ext/exif/tests/bug68547.jpg  | Bin 0 -> 713 bytes
 ext/exif/tests/bug68547.phpt |  12 ++++++++++++
 ext/exif/tests/bug68799.phpt |   4 ++--
 ext/exif/tests/bug72094.phpt |   4 ++--
 6 files changed, 19 insertions(+), 5 deletions(-)
 create mode 100644 ext/exif/tests/bug68547.jpg
 create mode 100644 ext/exif/tests/bug68547.phpt

diff --git a/NEWS b/NEWS
index baa991b962..929eb33fc6 100644
--- a/NEWS
+++ b/NEWS
@@ -7,6 +7,8 @@ PHP                                                                        NEWS
     Samsung, DJI & Panasonic. (Kalle)
   . Fixed bug #72682 (exif_read_data() fails to read all data for some 
     images). (Kalle)
+  . Fixed bug #68547 (Exif Header component value check error). 
+    (sjh21a at gmail dot com, Kalle)
   . Fixed bug #66443 (Corrupt EXIF header: maximum directory nesting level 
     reached for some cameras). (Kalle)
   . Fixed Redhat bug #1362571 (PHP not returning full results for 
diff --git a/ext/exif/exif.c b/ext/exif/exif.c
index 75ff992cf7..2618d749a3 100644
--- a/ext/exif/exif.c
+++ b/ext/exif/exif.c
@@ -3058,7 +3058,7 @@ static int exif_process_IFD_TAG(image_info_type *ImageInfo, char *dir_entry, cha
 		/*return TRUE;*/
 	}
 
-	if (components < 0) {
+	if (components <= 0) {
 		exif_error_docref("exif_read_data#error_ifd" EXIFERR_CC, ImageInfo, E_WARNING, "Process tag(x%04X=%s): Illegal components(%ld)", tag, exif_get_tagname(tag, tagname, -12, tag_table), components);
 		return FALSE;
 	}
diff --git a/ext/exif/tests/bug68547.jpg b/ext/exif/tests/bug68547.jpg
new file mode 100644
index 0000000000000000000000000000000000000000..2a328b76a8000b1c7140322d1989a2b916789936
GIT binary patch
literal 713
zcma)1OH30{6g_WVXQ+q`Q>K+f7j!5kaY3OoWo2U8(#E2jesFC+kYEHtTNIakbmaz6
zH=+hm_uywOh{i4WiJzF*s;r@Yw$Izv#^AzuCimTQ?>TpFu6Qdxp}9X2jetoEC+UMI
zq7<GS9s;7#W3U2{ac7aiNvxmZHt`D1Qrsf0QJ$n&Bz~OoRf?O$?UY|oRFJ>~(m01f
zWDp>9p^LhwsJ?`Y7()(O<f&Kd$H_g6HiVEOWrTDPA0swG6Qd}Q_YfL!np~sQ@$IXO
zeU(YGN%9qNo}Bd!;sa*U=5iTsBi7v=3wpiYVCPXnr+&BsU2Ur3cd8YCzf3m_(_`wb
zt-5Bj*|f@I(`qB?|NKBafocT<<4lL7GOjZ55f(79$&LV=)j>Cad=j_FN`v)4<H5R6
z%{BFp*bGTxoazRJb46l)npC;V-eU>G^p@1PZ)$EexFm0_YrFCGoRKb0?}g0y<u%84
z!kyp9C^HMC@=9Ma+u;v8J%!$Z!3VQXUrv1f7P)r!^26(!ufBZ0_vqQ{uRqQVUAS`N
z{^RFwc7Cd~5;9X1I)%$z@q($6i}wWVvDEm~oZjNwU0SuQZx#1~@%D61n>VII?&UQz
r(U-|@Y|kvLBui!4(V;j!{%m-lxA3o(;ys#p^&}N1P<HGj6XM-3gV&wk

literal 0
HcmV?d00001

diff --git a/ext/exif/tests/bug68547.phpt b/ext/exif/tests/bug68547.phpt
new file mode 100644
index 0000000000..3773ebb34c
--- /dev/null
+++ b/ext/exif/tests/bug68547.phpt
@@ -0,0 +1,12 @@
+--TEST--
+Bug #68547 (Exif Header component value check error)
+--SKIPIF--
+<?php if (!extension_loaded('exif')) print 'skip exif extension not available';?>
+--FILE--
+<?php
+exif_read_data(__DIR__ . DIRECTORY_SEPARATOR . 'bug68547.jpg');
+?>
+===DONE===
+--EXPECTF--
+Warning: exif_read_data(bug68547.jpg): Process tag(x9C9E=Keywords   ): Illegal components(0) in %sbug68547.php on line %d
+===DONE===
\ No newline at end of file
diff --git a/ext/exif/tests/bug68799.phpt b/ext/exif/tests/bug68799.phpt
index f50a41b402..1f10fcf69e 100644
--- a/ext/exif/tests/bug68799.phpt
+++ b/ext/exif/tests/bug68799.phpt
@@ -39,6 +39,7 @@ print_r(exif_read_data(__DIR__.'/bug68799.jpg'));
 
 ?>
 --EXPECTF--
+Warning: exif_read_data(bug68799.jpg): Process tag(x9C9D=Author     ): Illegal components(0) in %s on line %d
 Array
 (
     [FileName] => bug68799.jpg
@@ -46,7 +47,7 @@ Array
     [FileSize] => 735
     [FileType] => 2
     [MimeType] => image/jpeg
-    [SectionsFound] => ANY_TAG, IFD0, WINXP
+    [SectionsFound] => ANY_TAG, IFD0
     [COMPUTED] => Array
         (
             [html] => width="1" height="1"
@@ -59,5 +60,4 @@ Array
     [XResolution] => 96/1
     [YResolution] => 96/1
     [ResolutionUnit] => 2
-    [Author] => 
 )
diff --git a/ext/exif/tests/bug72094.phpt b/ext/exif/tests/bug72094.phpt
index 611faf9152..ba7d291ffc 100644
--- a/ext/exif/tests/bug72094.phpt
+++ b/ext/exif/tests/bug72094.phpt
@@ -23,7 +23,7 @@ Warning: exif_read_data(bug72094_1.jpg): Process tag(x3030=UndefinedTa): Illegal
 
 Warning: exif_read_data(bug72094_1.jpg): Process tag(x8298=Copyright  ): Illegal format code 0x3030, suppose BYTE in %s%ebug72094.php on line %d
 
-Warning: exif_read_data(bug72094_1.jpg): Illegal IFD offset in %s%ebug72094.php on line %d
+Warning: exif_read_data(bug72094_1.jpg): Illegal IFD offset in %sbug72094.php on line %d
 
 Warning: exif_read_data(bug72094_1.jpg): File structure corrupted in %s%ebug72094.php on line %d
 
@@ -47,7 +47,7 @@ Warning: exif_read_data(bug72094_3.jpg): Process tag(x3030=UndefinedTa): Illegal
 
 Warning: exif_read_data(bug72094_3.jpg): Process tag(x3030=UndefinedTa): Illegal format code 0x3030, suppose BYTE in %s%ebug72094.php on line %d
 
-Warning: exif_read_data(bug72094_3.jpg): Illegal IFD size in %s%ebug72094.php on line %d
+Warning: exif_read_data(bug72094_3.jpg): Process tag(x3030=UndefinedTa): Illegal components(0) in %s%ebug72094.php on line %d
 
 Warning: exif_read_data(bug72094_3.jpg): File structure corrupted in %s%ebug72094.php on line %d
 
-- 
2.50.1