ID:               48378
 Updated by:       j...@php.net
 Reported By:      phpbug dot exif at sub dot noloop dot net
 Status:           Verified
 Bug Type:         EXIF related
 Operating System: *
 PHP Version:      5.*, 6CVS (2009-05-27)
 New Comment:

Verified with proper test script, this function never accepted array 
parameters:

<?php
exif_read_data(
"http://www.noloop.net/bugs/php/001-exif/hello-s148.jpeg",
"FILE,COMPUTED,ANY_TAG"
);

Same backtrace (just a bit different line numbers) with all branches.


Previous Comments:
------------------------------------------------------------------------

[2009-05-27 19:04:43] j...@php.net

Verified with proper test script, this function never accepted arrays
as parameters:

<?php
exif_read_data(
"http://www.noloop.net/bugs/php/001-exif/hello-s148.jpeg",
"FILE,COMPUTED,ANY_TAG"
);

Same backtrace (just a bit different line numbers) with all branches.

------------------------------------------------------------------------

[2009-05-27 19:04:14] j...@php.net

Verified with proper test script, this function never accepted arrays
as parameters:

<?php
exif_read_data(
"http://www.noloop.net/bugs/php/001-exif/hello-s148.jpeg",
"FILE,COMPUTED,ANY_TAG"
);

Same backtrace (just a bit different line numbers) with all branches.



------------------------------------------------------------------------

[2009-05-26 05:24:23] scott...@php.net

I can confirm here on OSX.

#0  0x00033397 in php_ifd_get16u (value=0x7100b1, motorola_intel=0) at
/Users/scott/dev/php5_2/ext/exif/exif.c:1088
1088                    return (((uchar *)value)[1] << 8) | ((uchar *)value)[0];
(gdb) bt
#0  0x00033397 in php_ifd_get16u (value=0x7100b1, motorola_intel=0) at
/Users/scott/dev/php5_2/ext/exif/exif.c:1088
#1  0x00037a01 in exif_process_IFD_in_JPEG (ImageInfo=0xbfffef8c,
dir_start=0x7100b1 <Address 0x7100b1 out of bounds>,
offset_base=0x3100a8 "II*", IFDlength=126, displacement=12,
section_index=3) at /Users/scott/dev/php5_2/ext/exif/exif.c:3140
#2  0x00037d92 in exif_process_TIFF_in_JPEG (ImageInfo=0xbfffef8c,
CharBuf=0x3100a8 "II*", length=126, displacement=12) at
/Users/scott/dev/php5_2/ext/exif/exif.c:3221
#3  0x00037e92 in exif_process_APP1 (ImageInfo=0xbfffef8c,
CharBuf=0x3100a0 "", length=134, displacement=4) at
/Users/scott/dev/php5_2/ext/exif/exif.c:3246
#4  0x000384d2 in exif_scan_JPEG_header (ImageInfo=0xbfffef8c) at
/Users/scott/dev/php5_2/ext/exif/exif.c:3385
#5  0x000393c4 in exif_scan_FILE_header (ImageInfo=0xbfffef8c) at
/Users/scott/dev/php5_2/ext/exif/exif.c:3757
#6  0x0003a073 in exif_read_file (ImageInfo=0xbfffef8c,
FileName=0x30d2d4 "hello-s148.jpeg", read_thumbnail=0, read_all=0) at
/Users/scott/dev/php5_2/ext/exif/exif.c:3902
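
The backtrace above shows php_ifd_get16u dereferencing dir_start = offset_base + 0x400009 while IFDlength is only 126. As an added illustration (not code from this report or from PHP's exif.c; ifd_check, get16u and demo are hypothetical names, and the sample TIFF block is constructed), this C example validates the IFD offset against the block length before the entry count is read:

```c
/* Added illustration, not code from PHP's ext/exif. All names are hypothetical. */
#include <stddef.h>
#include <stdio.h>

enum ifd_status { IFD_OK = 0, IFD_BAD_OFFSET = -1, IFD_BAD_SIZE = -2 };

/* Read a 16-bit value in TIFF byte order ("MM" = Motorola/big, "II" = Intel/little). */
static unsigned get16u(const unsigned char *p, int motorola)
{
    return motorola ? (unsigned)((p[0] << 8) | p[1])
                    : (unsigned)((p[1] << 8) | p[0]);
}

/* Validate an IFD located at ifd_offset inside a TIFF block of len bytes.
 * The entry count is read only once its two bytes are known to be in range,
 * and the 12-byte entries must also fit. Offsets are compared, not pointers,
 * so no out-of-bounds pointer is ever formed. */
static int ifd_check(const unsigned char *base, size_t len, size_t ifd_offset,
                     int motorola, unsigned *count_out)
{
    if (len < 2 || ifd_offset > len - 2)
        return IFD_BAD_OFFSET;              /* count field itself is outside */
    unsigned n = get16u(base + ifd_offset, motorola);
    if ((size_t)n * 12 > len - 2 - ifd_offset)
        return IFD_BAD_SIZE;                /* entries run past the block */
    *count_out = n;
    return IFD_OK;
}

/* Constructed sample: 126-byte little-endian TIFF block with its IFD at offset 8. */
static int demo(size_t ifd_offset, unsigned declared_entries)
{
    unsigned char tiff[126] = { 'I', 'I', 0x2a, 0x00, 8, 0, 0, 0 };
    unsigned n = 0;
    tiff[8] = (unsigned char)(declared_entries & 0xff);
    tiff[9] = (unsigned char)(declared_entries >> 8);
    return ifd_check(tiff, sizeof tiff, ifd_offset, 0, &n);
}

int main(void)
{
    printf("offset 0x400009: %d\n", demo(0x400009, 1)); /* offset taken from the backtrace */
    printf("offset 8, 1 entry: %d\n", demo(8, 1));
    printf("offset 8, 100 entries: %d\n", demo(8, 100));
    return 0;
}
```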


------------------------------------------------------------------------

[2009-05-25 20:49:59] phpbug dot exif at sub dot noloop dot net

That's odd. I'm getting 100% reproducible crash on both the latest 5.2
cvs snapshot, as well as the php build included in Debian Linux 5.0.1
(stable) (which is 5.2.6+some debian patches)

I'm using Linux 2.6.29.4, Debian 5.0.1, gcc version 4.3.2 (Debian
4.3.2-1.1) on an i686 (32bit) machine with 3gb ram. 

To compile, I did:

'./configure' '--prefix=/home/frode/temp/z/zinst3' '--disable-all' \
    '--enable-exif'
make cli

Are you running on 64bit, or perhaps some other distro with a different
version of gcc etc?

------------------------------------------------------------------------

[2009-05-25 19:59:23] il...@php.net

I am getting the following error messages, but no crash:

Warning: exif_read_data(hello-s148.jpeg): Illegal IFD size: x40000B + 2
+ x0000*12 = x40000B > x007E in exif.php on line 2

Warning: exif_read_data(hello-s148.jpeg): Error reading from file:
got=x08B4(=2228) != itemlen-2=x1FFE(=8190) in exif.php on line 2

Warning: exif_read_data(hello-s148.jpeg): Invalid JPEG file in exif.php
on line 2



------------------------------------------------------------------------

The remainder of the comments for this report are too long. To view
the rest of the comments, please view the bug report online at
    http://bugs.php.net/48378
