From 900ce92c9af9ad8616a4a698e5ffd2a957c1f547 Mon Sep 17 00:00:00 2001
From: Kalle Sommer Nielsen
Date: Fri, 7 Jul 2017 10:20:02 +0200
Subject: [PATCH] Fixed bug #74428 (exif_read_data(): "Illegal IFD size" warning occurs with correct exif format)
---
 NEWS | 4 +++
 ext/exif/exif.c | 4 +--
 ext/exif/tests/bug74428/bug74428.jpg | Bin 0 -> 1902 bytes
 ext/exif/tests/bug74428/bug74428.phpt | 50 ++++++++++++++++++++++++++
 4 files changed, 56 insertions(+), 2 deletions(-)
 create mode 100644 ext/exif/tests/bug74428/bug74428.jpg
 create mode 100644 ext/exif/tests/bug74428/bug74428.phpt
diff --git a/NEWS b/NEWS
index 8a05976893..a088bd7382 100644
--- a/NEWS
+++ b/NEWS
@@ -9,6 +9,10 @@ PHP NEWS
 unserialize). (Nikita)
 . Fixed bug #74819 (wddx_deserialize() heap out-of-bound read via
 php_parse_date()). (Derick)
+
+- EXIF:
+ . Fixed bug #74428 (exif_read_data(): "Illegal IFD size" warning occurs with
+ correct exif format). (bradpiccho at gmail dot com, Kalle)
 - GD:
 . Fixed bug #74435 (Buffer over-read into uninitialized memory). (cmb)
diff --git a/ext/exif/exif.c b/ext/exif/exif.c
index ab92022340..a75c0ba0f1 100644
--- a/ext/exif/exif.c
+++ b/ext/exif/exif.c
@@ -3553,7 +3553,7 @@ static int exif_process_IFD_in_JPEG(image_info_type *ImageInfo, char *dir_start,
 ImageInfo->sections_found |= FOUND_IFD0;
- if ((dir_start + 2) >= (offset_base+IFDlength)) {
+ if ((dir_start + 2) > (offset_base+IFDlength)) {
 exif_error_docref("exif_read_data#error_ifd" EXIFERR_CC, ImageInfo, E_WARNING, "Illegal IFD size");
 return FALSE;
 }
@@ -3581,7 +3581,7 @@ static int exif_process_IFD_in_JPEG(image_info_type *ImageInfo, char *dir_start,
 * Hack to make it process IDF1 I hope
 * There are 2 IDFs, the second one holds the keys (0x0201 and 0x0202) to the thumbnail
 */
- if ((dir_start+2+12*de + 4) >= (offset_base+IFDlength)) {
+ if ((dir_start+2+12*de + 4) > (offset_base+IFDlength)) {
 exif_error_docref("exif_read_data#error_ifd" EXIFERR_CC, ImageInfo, E_WARNING, "Illegal IFD size");
 return FALSE;
 }
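Review bot: Both bounds checks touched here, `(dir_start + 2) > (offset_base+IFDlength)` and the later `(dir_start+2+12*de + 4) > (offset_base+IFDlength)`, still test only the upper bound and do so by comparing computed pointers. If dir_start is derived from an offset read out of the image, which the hunk does not show, the sum can already lie outside the buffer before the comparison runs; that is undefined behaviour in C and may wrap so the test passes, and nothing visible rejects a dir_start below offset_base. Comparing byte counts instead avoids both problems, e.g. `if (dir_start < offset_base || (size_t)(dir_start - offset_base) > IFDlength || IFDlength - (size_t)(dir_start - offset_base) < 2) {` (assuming IFDlength is an unsigned length), with the entry-table size in place of `2` for the second check. Because `>` now accepts an IFD that ends exactly at `offset_base+IFDlength`, a one-line comment such as `/* offset_base+IFDlength is one past the last readable byte */` would document why equality is legal, if that is indeed the invariant. The body of exif_process_IFD_in_JPEG starts and ends outside both hunks.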
diff --git a/ext/exif/tests/bug74428/bug74428.jpg b/ext/exif/tests/bug74428/bug74428.jpg new file mode 100644 index 0000000000000000000000000000000000000000..73c7805cec3f2c1d39574c392ab757fc901b1427 GIT binary patch literal 1902 zcmbW1dr(tX9>>qk&5HoWfPjFOm4|?U7L{UYBx4a$j8vsUkjSQpA`eprX#gvbf`Aa$ zBB-#yE>9u4ibx}d*P=iGx6s)DsX!=5f>J@z1Zs#Rjb`=`c60}vRv1rPxM7+?m$075fE#Gc2#eQri`gD?P7_3M`~^bLNOZ+N=~ z05T2M?h6PE01yO$&(Q&p3E&4X5M-F|1mj?X@K`L2Bj5=HLlBLOjfg}Nkw74sl1RoT zs0c=D$fhQ147uSD!*;_ibea$eL_@{@CgcI25Wxlz21E7$LxErlgouG1iitzr8VtV^ zgn_X*JZgz#j21MnMeV~d1~rSrV$te!bRA$RII~Tjd+_FmA_?}1>$YbWRudgQZtAiK z9#T5)ICeVAh-7KC-rB}#v$KoqmYrT7c<=hq$8WEH0R5A|eV-i;31x;I36DB{BKl-Z zY+TZp+~kzhGhdy{&dEKWm(MS{eC29!$=^%MYHF|5)eElQ_}90>yUq7REv;?cJ>uTJ z{)hkhZg@oc!=ur$ahY5(^W^F5PtWG&Rf|hMzg916-mDn7AOQc0^&8nAxF{$W2JHcs zVBmr3Ad1js>`m8 z3fH@fZF0UF;H-0TYHe$8F*W@!=d9FP+hHVWqcYBA!_ zrgZ+>wgp~u+D5a<`7c&-FUND^6FE+O*ROTuKOIq|NUE5vCvXjCG_;tOPJG6o9v=3k zJb$db7`rTM%(vGMj_Po?QV|fLd>%GG+{LYyJqw2em^Nf8=;-Z*So~|+A47+I%giB(pBwUZBD|7 zDPFht>gCw_pp6x^$=_S43uO137oJ3!ShAxRow98k22NMm@rKwSV}iH7(^V4{p-ERF zKykDJNNMujDt30-k@|l5Mc5J$9WkhqT=rO^86=y>EqR=_a^E@cMwqE9L3RJ zGBYKQCFw~KDl2uBO3MgUfzVN7o$&9zzPTu)0F`ZCCJ*v*u7;ErZ; zh852;PQB!Ku-7cE+TkK4B;+utLT}N|OEq6p@ApZR#e$__MP9tU3+% ztY9vfQ78LRlP;;5Td)xJRUCC$@@VbT9!fg>mzW&!gqDogc}P0#GzGn7_X?xbL4N%< zx4xPZZTqKVC8vX7%fOYGh&Owj;zY?ZnaixE*3$AS!~bU3FV0RE6jW>xjdBZTOx;+y zL#G_2RF9e6C%Z+=N6%iW{F1hoa=%#i6fX`Axjz+eRwS+W+gUEu`D=-~9V)9#>PPa| z!@51SescC*1e}cXA@iF#<}ACoOF?I6=aW-B*+7=Ymu_)CH|A1B z-lo~1wbH%6TH&mmNp8r%&K31Z5Fi%rZ*48=|8yK%#OhanV!zn%w3w*&cj!yc;sci&K0wBQ0q~|i=Kufz literal 0 HcmV?d00001 diff --git a/ext/exif/tests/bug74428/bug74428.phpt b/ext/exif/tests/bug74428/bug74428.phpt new file mode 100644 index 0000000000..b2beca3f21 --- /dev/null +++ b/ext/exif/tests/bug74428/bug74428.phpt 
@@ -0,0 +1,50 @@
+--TEST--
+Bug #74428 (exif_read_data(): "Illegal IFD size" warning occurs with correct exif format)
+--SKIPIF--
+
+--INI--
+output_handler=
+zlib.output_compression=0
+--FILE--
+
+===DONE===
+--EXPECTF--
+array(11) {
+ ["FileName"]=>
+ string(12) "bug74428.jpg"
+ ["FileDateTime"]=>
+ int(%d)
+ ["FileSize"]=>
+ int(1902)
+ ["FileType"]=>
+ int(2)
+ ["MimeType"]=>
+ string(10) "image/jpeg"
+ ["SectionsFound"]=>
+ string(19) "ANY_TAG, IFD0, EXIF"
+ ["COMPUTED"]=>
+ array(5) {
+ ["html"]=>
+ string(22) "width="88" height="28""
+ ["Height"]=>
+ int(28)
+ ["Width"]=>
+ int(88)
+ ["IsColor"]=>
+ int(1)
+ ["ByteOrderMotorola"]=>
+ int(0)
+ }
+ ["Orientation"]=>
+ int(1)
+ ["Exif_IFD_Pointer"]=>
+ int(38)
+ ["ExifImageWidth"]=>
+ int(88)
+ ["ExifImageLength"]=>
+ int(28)
+}
+===DONE===
--
2.40.0