Skip to content

Instantly share code, notes, and snippets.

/72618.diff Secret

Created July 19, 2016 06:22
Show Gist options
  • Star 0 You must be signed in to star a gist
  • Fork 0 You must be signed in to fork a gist
  • Save anonymous/c660c3f72e69d93874e27f3820a3935b to your computer and use it in GitHub Desktop.
Save anonymous/c660c3f72e69d93874e27f3820a3935b to your computer and use it in GitHub Desktop.
Download ZIP
Patch for 72618
Raw
72618.diff
commit 41131cd41d2fd2e0c2f332a27988df75659c42e4
Author: Stanislav Malyshev <stas@php.net>
Date: Mon Jul 18 23:21:51 2016 -0700
Fix bug #72618: NULL Pointer Dereference in exif_process_user_comment
diff --git a/ext/exif/exif.c b/ext/exif/exif.c
index 760e746..74b652b 100644
--- a/ext/exif/exif.c
+++ b/ext/exif/exif.c
@@ -2623,6 +2623,7 @@ static int exif_process_user_comment(image_info_type *ImageInfo, char **pszInfoP
*pszEncoding = NULL;
/* Copy the comment */
if (ByteCount>=8) {
+ const zend_encoding *from, *to;
if (!memcmp(szValuePtr, "UNICODE\0", 8)) {
*pszEncoding = estrdup((const char*)szValuePtr);
szValuePtr = szValuePtr+8;
@@ -2643,14 +2644,16 @@ static int exif_process_user_comment(image_info_type *ImageInfo, char **pszInfoP
} else {
decode = ImageInfo->decode_unicode_le;
}
+ to = zend_multibyte_fetch_encoding(ImageInfo->encode_unicode TSRMLS_CC);
+ from = zend_multibyte_fetch_encoding(decode TSRMLS_CC);
/* XXX this will fail again if encoding_converter returns on error something different than SIZE_MAX */
- if (zend_multibyte_encoding_converter(
+ if (!to || !from || zend_multibyte_encoding_converter(
(unsigned char**)pszInfoPtr,
&len,
(unsigned char*)szValuePtr,
ByteCount,
- zend_multibyte_fetch_encoding(ImageInfo->encode_unicode TSRMLS_CC),
- zend_multibyte_fetch_encoding(decode TSRMLS_CC)
+ to,
+ from
TSRMLS_CC) == (size_t)-1) {
len = exif_process_string_raw(pszInfoPtr, szValuePtr, ByteCount);
}
@@ -2665,13 +2668,15 @@ static int exif_process_user_comment(image_info_type *ImageInfo, char **pszInfoP
szValuePtr = szValuePtr+8;
ByteCount -= 8;
/* XXX this will fail again if encoding_converter returns on error something different than SIZE_MAX */
- if (zend_multibyte_encoding_converter(
+ to = zend_multibyte_fetch_encoding(ImageInfo->encode_jis TSRMLS_CC);
+ from = zend_multibyte_fetch_encoding(ImageInfo->motorola_intel ? ImageInfo->decode_jis_be : ImageInfo->decode_jis_le TSRMLS_CC);
+ if (!to || !from || zend_multibyte_encoding_converter(
(unsigned char**)pszInfoPtr,
&len,
(unsigned char*)szValuePtr,
ByteCount,
- zend_multibyte_fetch_encoding(ImageInfo->encode_jis TSRMLS_CC),
- zend_multibyte_fetch_encoding(ImageInfo->motorola_intel ? ImageInfo->decode_jis_be : ImageInfo->decode_jis_le TSRMLS_CC)
+ to,
+ from
TSRMLS_CC) == (size_t)-1) {
len = exif_process_string_raw(pszInfoPtr, szValuePtr, ByteCount);
}
diff --git a/ext/exif/tests/bug72618.jpg b/ext/exif/tests/bug72618.jpg
new file mode 100644
index 0000000..0a61ae2
Binary files /dev/null and b/ext/exif/tests/bug72618.jpg differ
diff --git a/ext/exif/tests/bug72618.phpt b/ext/exif/tests/bug72618.phpt
new file mode 100644
index 0000000..424c0ec
--- /dev/null
+++ b/ext/exif/tests/bug72618.phpt
@@ -0,0 +1,11 @@
+--TEST--
+Bug 72618 (NULL Pointer Dereference in exif_process_user_comment)
+--SKIPIF--
+<?php if (!extension_loaded('exif')) print 'skip exif extension not available';?>
+--FILE--
+<?php
+var_dump(count(exif_read_data(dirname(__FILE__) . "/bug72618.jpg")));
+?>
+--EXPECTF--
+Warning: exif_read_data(bug72618.jpg): IFD data bad offset: 0x058E length 0x0030 in %s/bug72618.php on line %d
+int(13)
\ No newline at end of file
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment