php.net | support | documentation | report a bug | advanced search | search howto | statistics | random bug | login | |
Patch patch_fix_1 for EXIF related Bug #54002Patch version 2011-02-12 21:06 UTC Return to Bug #54002 | Download this patchThis patch is obsolete Obsoleted by patches: Patch Revisions:Developer: pajoye@php.netIndex: ext/exif/exif.c =================================================================== --- ext/exif/exif.c (revision 308125) +++ ext/exif/exif.c (working copy) @@ -2821,6 +2821,7 @@ int tag, format, components; char *value_ptr, tagname[64], cbuf[32], *outside=NULL; size_t byte_count, offset_val, fpos, fgot; + ssize_t byte_count_signed; xp_field_type *tmp_xp; #ifdef EXIF_DEBUG char *dump_data; @@ -2845,13 +2846,20 @@ /*return TRUE;*/ } - byte_count = components * php_tiff_bytes_per_format[format]; + if (components < 0) { + exif_error_docref("exif_read_data#error_ifd" EXIFERR_CC, ImageInfo, E_WARNING, "Process tag(x%04X=%s): Illegal byte_count(%ld)", tag, exif_get_tagname(tag, tagname, -12, tag_table TSRMLS_CC), byte_count); + return FALSE; + } - if ((ssize_t)byte_count < 0) { + byte_count_signed = components * php_tiff_bytes_per_format[format]; + + if (byte_count_signed < 0 || (byte_count_signed > 2147483648)) { exif_error_docref("exif_read_data#error_ifd" EXIFERR_CC, ImageInfo, E_WARNING, "Process tag(x%04X=%s): Illegal byte_count(%ld)", tag, exif_get_tagname(tag, tagname, -12, tag_table TSRMLS_CC), byte_count); return FALSE; } + byte_count = (size_t)byte_count_signed; + if (byte_count > 4) { offset_val = php_ifd_get32u(dir_entry+8, ImageInfo->motorola_intel); /* If its bigger than 4 bytes, the dir entry contains an offset. */ @@ -2916,6 +2924,7 @@ efree(dump_data); } #endif + if (section_index==SECTION_THUMBNAIL) { if (!ImageInfo->Thumbnail.data) { switch(tag) { |
Copyright © 2001-2024 The PHP Group All rights reserved. |
Last updated: Wed Oct 09 10:01:27 2024 UTC |