|
|
php.net | support | documentation | report a bug | advanced search | search howto | statistics | random bug | login |
Patch patch_fix_1 for EXIF related Bug #54002Patch version 2011-02-12 21:06 UTC Return to Bug #54002 | Download this patchThis patch is obsolete Obsoleted by patches: Patch Revisions:Developer: pajoye@php.net
Index: ext/exif/exif.c
===================================================================
--- ext/exif/exif.c (revision 308125)
+++ ext/exif/exif.c (working copy)
@@ -2821,6 +2821,7 @@
int tag, format, components;
char *value_ptr, tagname[64], cbuf[32], *outside=NULL;
size_t byte_count, offset_val, fpos, fgot;
+ ssize_t byte_count_signed;
xp_field_type *tmp_xp;
#ifdef EXIF_DEBUG
char *dump_data;
@@ -2845,13 +2846,20 @@
/*return TRUE;*/
}
- byte_count = components * php_tiff_bytes_per_format[format];
+ if (components < 0) {
+ exif_error_docref("exif_read_data#error_ifd" EXIFERR_CC, ImageInfo, E_WARNING, "Process tag(x%04X=%s): Illegal byte_count(%ld)", tag, exif_get_tagname(tag, tagname, -12, tag_table TSRMLS_CC), byte_count);
+ return FALSE;
+ }
- if ((ssize_t)byte_count < 0) {
+ byte_count_signed = components * php_tiff_bytes_per_format[format];
+
+ if (byte_count_signed < 0 || (byte_count_signed > 2147483648)) {
exif_error_docref("exif_read_data#error_ifd" EXIFERR_CC, ImageInfo, E_WARNING, "Process tag(x%04X=%s): Illegal byte_count(%ld)", tag, exif_get_tagname(tag, tagname, -12, tag_table TSRMLS_CC), byte_count);
return FALSE;
}
+ byte_count = (size_t)byte_count_signed;
+
if (byte_count > 4) {
offset_val = php_ifd_get32u(dir_entry+8, ImageInfo->motorola_intel);
/* If its bigger than 4 bytes, the dir entry contains an offset. */
@@ -2916,6 +2924,7 @@
efree(dump_data);
}
#endif
+
if (section_index==SECTION_THUMBNAIL) {
if (!ImageInfo->Thumbnail.data) {
switch(tag) {
|
Copyright © 2001-2025 The PHP GroupAll rights reserved. |
Last updated: Tue Dec 02 03:00:02 2025 UTC |