Patch for 72618
commit 41131cd41d2fd2e0c2f332a27988df75659c42e4 | |
Author: Stanislav Malyshev <stas@php.net> | |
Date: Mon Jul 18 23:21:51 2016 -0700 | |
Fix bug #72618: NULL Pointer Dereference in exif_process_user_comment | |
diff --git a/ext/exif/exif.c b/ext/exif/exif.c | |
index 760e746..74b652b 100644 | |
--- a/ext/exif/exif.c | |
+++ b/ext/exif/exif.c | |
@@ -2623,6 +2623,7 @@ static int exif_process_user_comment(image_info_type *ImageInfo, char **pszInfoP | |
*pszEncoding = NULL; | |
/* Copy the comment */ | |
if (ByteCount>=8) { | |
+ const zend_encoding *from, *to; | |
if (!memcmp(szValuePtr, "UNICODE\0", 8)) { | |
*pszEncoding = estrdup((const char*)szValuePtr); | |
szValuePtr = szValuePtr+8; | |
@@ -2643,14 +2644,16 @@ static int exif_process_user_comment(image_info_type *ImageInfo, char **pszInfoP | |
} else { | |
decode = ImageInfo->decode_unicode_le; | |
} | |
+ to = zend_multibyte_fetch_encoding(ImageInfo->encode_unicode TSRMLS_CC); | |
+ from = zend_multibyte_fetch_encoding(decode TSRMLS_CC); | |
/* XXX this will fail again if encoding_converter returns on error something different than SIZE_MAX */ | |
- if (zend_multibyte_encoding_converter( | |
+ if (!to || !from || zend_multibyte_encoding_converter( | |
(unsigned char**)pszInfoPtr, | |
&len, | |
(unsigned char*)szValuePtr, | |
ByteCount, | |
- zend_multibyte_fetch_encoding(ImageInfo->encode_unicode TSRMLS_CC), | |
- zend_multibyte_fetch_encoding(decode TSRMLS_CC) | |
+ to, | |
+ from | |
TSRMLS_CC) == (size_t)-1) { | |
len = exif_process_string_raw(pszInfoPtr, szValuePtr, ByteCount); | |
} | |
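Review bot: When `to` or `from` is NULL the comment is copied raw by `exif_process_string_raw` with no diagnostic, so an unknown or unavailable encoding looks the same as a normal result to the caller. Consider a notice-level message on that path, and a comment above the `if` such as `/* fetch_encoding may return NULL; never hand a NULL encoding to the converter, fall back to a raw copy */`. The same lookup-then-guard sequence is repeated in the JIS branch of the next hunk, so a small static helper taking the two encoding names would keep the NULL check in one place. The guard covers only the two call sites in this function; any other caller that passes a `zend_multibyte_fetch_encoding` result straight into the converter is not visible here and is worth auditing. The function body starts and ends outside the hunk.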
@@ -2665,13 +2668,15 @@ static int exif_process_user_comment(image_info_type *ImageInfo, char **pszInfoP | |
szValuePtr = szValuePtr+8; | |
ByteCount -= 8; | |
/* XXX this will fail again if encoding_converter returns on error something different than SIZE_MAX */ | |
- if (zend_multibyte_encoding_converter( | |
+ to = zend_multibyte_fetch_encoding(ImageInfo->encode_jis TSRMLS_CC); | |
+ from = zend_multibyte_fetch_encoding(ImageInfo->motorola_intel ? ImageInfo->decode_jis_be : ImageInfo->decode_jis_le TSRMLS_CC); | |
+ if (!to || !from || zend_multibyte_encoding_converter( | |
(unsigned char**)pszInfoPtr, | |
&len, | |
(unsigned char*)szValuePtr, | |
ByteCount, | |
- zend_multibyte_fetch_encoding(ImageInfo->encode_jis TSRMLS_CC), | |
- zend_multibyte_fetch_encoding(ImageInfo->motorola_intel ? ImageInfo->decode_jis_be : ImageInfo->decode_jis_le TSRMLS_CC) | |
+ to, | |
+ from | |
TSRMLS_CC) == (size_t)-1) { | |
len = exif_process_string_raw(pszInfoPtr, szValuePtr, ByteCount); | |
} | |
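Review bot: The `XXX` comment about the converter's error return now sits above the `to = ...` lookup rather than above the `if` that calls the converter, while in the UNICODE branch it stays directly above the `if`. Move it below the `from = ...` line so the two branches read the same. The `from` line would also be easier to audit if the name were selected first, e.g. `decode = ImageInfo->motorola_intel ? ImageInfo->decode_jis_be : ImageInfo->decode_jis_le;` followed by `from = zend_multibyte_fetch_encoding(decode TSRMLS_CC);`, assuming the `decode` local used in the UNICODE branch is in scope here. The enclosing block begins before this hunk.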
diff --git a/ext/exif/tests/bug72618.jpg b/ext/exif/tests/bug72618.jpg | |
new file mode 100644 | |
index 0000000..0a61ae2 | |
Binary files /dev/null and b/ext/exif/tests/bug72618.jpg differ | |
diff --git a/ext/exif/tests/bug72618.phpt b/ext/exif/tests/bug72618.phpt | |
new file mode 100644 | |
index 0000000..424c0ec | |
--- /dev/null | |
+++ b/ext/exif/tests/bug72618.phpt | |
@@ -0,0 +1,11 @@ | |
+--TEST-- | |
+Bug 72618 (NULL Pointer Dereference in exif_process_user_comment) | |
+--SKIPIF-- | |
+<?php if (!extension_loaded('exif')) print 'skip exif extension not available';?> | |
+--FILE-- | |
+<?php | |
+var_dump(count(exif_read_data(dirname(__FILE__) . "/bug72618.jpg"))); | |
+?> | |
+--EXPECTF-- | |
+Warning: exif_read_data(bug72618.jpg): IFD data bad offset: 0x058E length 0x0030 in %s/bug72618.php on line %d | |
+int(13) | |
\ No newline at end of file |
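Review bot: The `--EXPECTF--` line hard-codes a `/` before the script name, which will not match where the directory separator differs. `in %sbug72618.php on line %d` (or the `%e` separator placeholder) is the portable form. The test asserts only the element count and an IFD offset warning, so it passes whenever nothing crashes. If reaching the NULL-encoding path depends on ini settings or on which multibyte extension is loaded (not visible here), pin that with an `--INI--` section or an extra `--SKIPIF--` check so the regression is actually exercised. The file also ends without a trailing newline.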