php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #55420 Multiple TIFF SubIFDs are not handled correctly
Submitted: 2011-08-14 16:38 UTC Modified: 2016-08-14 04:22 UTC
Votes:1
Avg. Score:5.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:1 (100.0%)
Same OS:1 (100.0%)
From: kde at timotheegroleau dot com Assigned:
Status: No Feedback Package: EXIF related
PHP Version: 5.3.6 OS: gentoo linux amd64
Private report: No CVE-ID:
Have you experienced this issue?
Rate the importance of this bug to you:

 [2011-08-14 16:38 UTC] kde at timotheegroleau dot com
Description:
------------
Tiff Tag SubIFD (330) ONLY works is there is a single SubIFD, but the Tiff 
specifications state that SubIFDs is an array of IFDs of size tag_count.

If num_sub_ifd > 1, the tag long value is an offset to a sequence of longs, 
themselves representing the offsets of each SubIFD.

In the source (ext/exif/exif.c) method exif_process_IFD_in_TIFF assumes that the 
tag long value always points to ONE SubIFD (lines 3693 and 3698).


Effects:
1) If there is more than 1 SubIFD, the tiff parser will incorrectly be jumping 
around in the file, potentially printing TONS of warnings
2) exif_thumbnail() does NOT work for Nikon nef files


Test script:
---------------
Download the 2 nef files (nikon nefs are tiff files) below:
http://nefarious.timotheegroleau.com/tests/dsc_2317.nef
http://nefarious.timotheegroleau.com/tests/out.nef

Run the following scripts from a php 5.3.6:

php -r 'var_dump(exif_read_data("dsc_2317.nef"));' 2>&1 |less
php -r 'var_dump(exif_read_data("out.nef"));' 2>&1 |less

Notice the single warning for dsc_2317.nef, as the parser is quickly encountering an invalid entry, but notice also the ~39k warnings spat out for out.nef.


Note: I recommend enabling EXIF_DEBUG for this, to see the offsets printed (note btw that there's a compilation error with EXIF_DEBUG on, which I've commented out for my tests)


Expected result:
----------------
exif data returned, with no warnings when the input tiff file has multiple 
SubIFDs

Actual result:
--------------
exif data is returned, but based on the the input tiff, and where the SubIFD 
offset sends the parser, there can be *A LOT* of warnings being thrown.

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2016-08-03 03:55 UTC] kalle@php.net
-Status: Open +Status: Feedback
 [2016-08-03 03:55 UTC] kalle@php.net
Hey!

I did a fix for bug #72735, which is committed to git in the master branch (PHP-7.2), could you please test if that fix partially fixed some of this bug?
 [2016-08-14 04:22 UTC] php-bugs at lists dot php dot net
No feedback was provided. The bug is being suspended because
we assume that you are no longer experiencing the problem.
If this is not the case and you are able to provide the
information that was requested earlier, please do so and
change the status of the bug back to "Re-Opened". Thank you.
 
PHP Copyright © 2001-2017 The PHP Group
All rights reserved.
Last updated: Sun Aug 20 21:01:35 2017 UTC