From c85b4de5fbabd0096c456bdfdce13532c8b64809 Mon Sep 17 00:00:00 2001
From: Pierre Joye <pajoye@php.net>
Date: Thu, 28 May 2009 13:44:43 +0000
Subject: [PATCH] #48378, exif_read_data() segfaults on certain corrupted .jpeg
 files

---
 ext/exif/exif.c              |   4 ++++
 ext/exif/tests/bug48378.jpeg | Bin 0 -> 2566 bytes
 ext/exif/tests/bug48378.phpt |  19 +++++++++++++++++++
 3 files changed, 23 insertions(+)
 create mode 100644 ext/exif/tests/bug48378.jpeg
 create mode 100644 ext/exif/tests/bug48378.phpt

diff --git a/ext/exif/exif.c b/ext/exif/exif.c
index 085dc9fa66..7aca589530 100644
--- a/ext/exif/exif.c
+++ b/ext/exif/exif.c
@@ -3188,6 +3188,10 @@ static void exif_process_TIFF_in_JPEG(image_info_type *ImageInfo, char *CharBuf,
 		exif_error_docref(NULL EXIFERR_CC, ImageInfo, E_WARNING, "Invalid TIFF start (1)");
 		return;
 	}
+	if (offset_of_ifd > length) {
+		exif_error_docref(NULL EXIFERR_CC, ImageInfo, E_WARNING, "Invalid IFD start");
+		return;
+	}
 
 	ImageInfo->sections_found |= FOUND_IFD0;
 	/* First directory starts at offset 8. Offsets starts at 0. */
diff --git a/ext/exif/tests/bug48378.jpeg b/ext/exif/tests/bug48378.jpeg
new file mode 100644
index 0000000000000000000000000000000000000000..759d8057098948ac0fe579805aecff6997489888
GIT binary patch
literal 2566
zcmex=<Nrg3HrI;GGzJDwPb~&c1_uTv1|vo$1`!4Z1~nkgY-eF$1kzSOoB+f|1_qW^
z2Bua<CJKfYRt9EPie^B0<_QoTK0p;9fT7CJ3}`MR6U3}Kpb91sTL7e%1&BEq{@-Re
z%)rXb!otGL3M5!rS=-ooIM{)JpPQSLN047gNRVGpP*_YxTv$X(R8UYtQ9?>qR$g9S
zSX@a(NlryZPG0W+0S0akW(lSgMn*w~|3?@kK~7@?IUf#K+1QymfKuuLj6gRqGcYnU
zvqB{qnV3~r*#w2y6%B<&M8%bq9UK4OV&DMjw`cek0XG7f;egCxU{FBiGNE!Ycn&Bc
z>%Z@Nc&KEZvH!&9#ph&m_x_PG*}t{x($C!I=PqY<tX&<k^=;<-t=XBs|MA}YcxlUy
zTD$b}?O*@q8CRv5nj05IWHu)yf0lS}_T&CPpGDQ@uiV>t#cbQwol<!(Qm#FGd;0#D
z9j`0q1kRd~=`nLlb<OmXf)RiGkKH>{yLbMjx3=l!^KZQV72Dr&^O@<QbbI;sa@lW&
zE|qU?%lMz#S1mu|KSRNE6xV_|f&Uhi?tORqUX^cgM)up%ciP$Mlkfe_Z#n)>v;E7~
z)gR~YIlpsL{EdF4!sGk==RNviH>=j|!aw~<=MNXn-o0B!>>SUnKV{FwMXuhub??T_
z8^>pv8>X&F-dg;4&3&Gz`lE)XTYSUfU(U~JKb`gQ%HxeG4@--`?$erCoRf6A;<3f6
z=xp7$c44`nZq9l<|IM1)=j#mPkH;^atG@MBkuAUb)R(vJ=-Dl`uC{5{t=(fSZRxw`
zMp44njlQ~;N;}n6pY3_tb$+AQPkZ_34Is~;Boj=p!bRYb3QWClHe42!;Q-_|pbBB<
zfieLQIDkpq1XLMr1t6IQ{L%zv33&=;fCG#{9*xT{3Q*&~g#(n0>LdrKC<cWQg$)==
zfC36|K@9b{+|&Tqf?y~hm_v)jL|F<!#07E;;S2(7!Gsa+Sac&B?tm)KfyxE*5HW|W
z5uBs2DaT?0MM4hvbra)ZkO`=6hnk5HRDg;gQwUjPQKH!tYR9yv0aJ*8NCPzPNYY7?
eVpIp9Yek71k`fCd(V^NvUmn!`WX2@_|C<2yEdUq*

literal 0
HcmV?d00001

diff --git a/ext/exif/tests/bug48378.phpt b/ext/exif/tests/bug48378.phpt
new file mode 100644
index 0000000000..286ce61073
--- /dev/null
+++ b/ext/exif/tests/bug48378.phpt
@@ -0,0 +1,19 @@
+--TEST--
+Bug #48378 (Infinite recursion due to corrupt JPEG)
+--SKIPIF--
+<?php if (!extension_loaded('exif')) print 'skip exif extension not available';?>
+--FILE--
+<?php
+exif_read_data(
+dirname(__FILE__) . "/bug48378.jpeg", 
+"FILE,COMPUTED,ANY_TAG"
+);
+?>
+--EXPECTF--
+Warning: exif_read_data(%s): Invalid IFD start in %s48378.php on line %d
+
+Warning: exif_read_data(%s): Error reading from file: got=x08B4(=2228) != itemlen-2=x1FFE(=8190) in %s48378.php on line %d
+
+Warning: exif_read_data(%s): Invalid JPEG file in %s48378.php on line %d
+
+
-- 
2.40.0