|  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #55420 Multiple TIFF SubIFDs are not handled correctly
Submitted: 2011-08-14 16:38 UTC Modified: 2016-08-14 04:22 UTC
Avg. Score:5.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:1 (100.0%)
Same OS:1 (100.0%)
From: kde at timotheegroleau dot com Assigned:
Status: No Feedback Package: EXIF related
PHP Version: 5.3.6 OS: gentoo linux amd64
Private report: No CVE-ID: None
Have you experienced this issue?
Rate the importance of this bug to you:

 [2011-08-14 16:38 UTC] kde at timotheegroleau dot com
Tiff Tag SubIFD (330) ONLY works is there is a single SubIFD, but the Tiff 
specifications state that SubIFDs is an array of IFDs of size tag_count.

If num_sub_ifd > 1, the tag long value is an offset to a sequence of longs, 
themselves representing the offsets of each SubIFD.

In the source (ext/exif/exif.c) method exif_process_IFD_in_TIFF assumes that the 
tag long value always points to ONE SubIFD (lines 3693 and 3698).

1) If there is more than 1 SubIFD, the tiff parser will incorrectly be jumping 
around in the file, potentially printing TONS of warnings
2) exif_thumbnail() does NOT work for Nikon nef files

Test script:
Download the 2 nef files (nikon nefs are tiff files) below:

Run the following scripts from a php 5.3.6:

php -r 'var_dump(exif_read_data("dsc_2317.nef"));' 2>&1 |less
php -r 'var_dump(exif_read_data("out.nef"));' 2>&1 |less

Notice the single warning for dsc_2317.nef, as the parser is quickly encountering an invalid entry, but notice also the ~39k warnings spat out for out.nef.

Note: I recommend enabling EXIF_DEBUG for this, to see the offsets printed (note btw that there's a compilation error with EXIF_DEBUG on, which I've commented out for my tests)

Expected result:
exif data returned, with no warnings when the input tiff file has multiple 

Actual result:
exif data is returned, but based on the the input tiff, and where the SubIFD 
offset sends the parser, there can be *A LOT* of warnings being thrown.


Add a Patch

Pull Requests

Add a Pull Request


AllCommentsChangesGit/SVN commitsRelated reports
 [2016-08-03 03:55 UTC]
-Status: Open +Status: Feedback
 [2016-08-03 03:55 UTC]

I did a fix for bug #72735, which is committed to git in the master branch (PHP-7.2), could you please test if that fix partially fixed some of this bug?
 [2016-08-14 04:22 UTC] php-bugs at lists dot php dot net
No feedback was provided. The bug is being suspended because
we assume that you are no longer experiencing the problem.
If this is not the case and you are able to provide the
information that was requested earlier, please do so and
change the status of the bug back to "Re-Opened". Thank you.
PHP Copyright © 2001-2022 The PHP Group
All rights reserved.
Last updated: Fri Jun 24 22:03:33 2022 UTC