andrei Fri Jan 21 18:59:55 2005 EDT Modified files: (Branch: PHP_5_0) /php-src NEWS /php-src/ext/exif exif.c Log: MFB (bugfix for 28451) http://cvs.php.net/diff.php/php-src/NEWS?r1=1.1760.2.202&r2=1.1760.2.203&ty=u Index: php-src/NEWS diff -u php-src/NEWS:1.1760.2.202 php-src/NEWS:1.1760.2.203 --- php-src/NEWS:1.1760.2.202 Thu Jan 20 13:42:40 2005 +++ php-src/NEWS Fri Jan 21 18:59:55 2005 @@ -1,6 +1,8 @@ PHP NEWS ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||| ?? ??? 2005, PHP 5.0.4 +- Fixed bug #28451 (corupt EXIF headers have unlimited recursive IFD directory + entries). (Andrei) - Added Oracle Instant Client support. (cjbj at hotmail dot com, Tony) - Added length and charsetnr for field array and object in mysqli. (Georg) - Changed phpize not to require automake and libtool. (Jani) http://cvs.php.net/diff.php/php-src/ext/exif/exif.c?r1=1.162.2.2&r2=1.162.2.3&ty=u Index: php-src/ext/exif/exif.c diff -u php-src/ext/exif/exif.c:1.162.2.2 php-src/ext/exif/exif.c:1.162.2.3 --- php-src/ext/exif/exif.c:1.162.2.2 Tue Nov 9 20:44:28 2004 +++ php-src/ext/exif/exif.c Fri Jan 21 18:59:55 2005 @@ -17,7 +17,7 @@ +----------------------------------------------------------------------+ */ -/* $Id: exif.c,v 1.162.2.2 2004/11/10 01:44:28 iliaa Exp $ */ +/* $Id: exif.c,v 1.162.2.3 2005/01/21 23:59:55 andrei Exp $ */ /* ToDos * @@ -93,12 +93,13 @@ #define EFREE_IF(ptr) if (ptr) efree(ptr) +#define MAX_IFD_NESTING_LEVEL 5 + static ZEND_BEGIN_ARG_INFO(exif_thumbnail_force_ref, 1) ZEND_ARG_PASS_INFO(0) ZEND_END_ARG_INFO(); - /* {{{ exif_functions[] */ function_entry exif_functions[] = { @@ -111,7 +112,7 @@ }; /* }}} */ -#define EXIF_VERSION "1.4 $Id: exif.c,v 1.162.2.2 2004/11/10 01:44:28 iliaa Exp $" +#define EXIF_VERSION "1.4 $Id: exif.c,v 1.162.2.3 2005/01/21 23:59:55 andrei Exp $" /* {{{ PHP_MINFO_FUNCTION */ @@ -1442,6 +1443,7 @@ /* for parsing */ int read_thumbnail; int read_all; + int ifd_nesting_level; /* internal */ file_section_list file; } image_info_type; @@ -2711,6 +2713,13 @@ size_t byte_count, offset_val, fpos, fgot; xp_field_type *tmp_xp; + /* Protect against corrupt headers */ + if (ImageInfo->ifd_nesting_level > MAX_IFD_NESTING_LEVEL) { + exif_error_docref("exif_read_data#error_ifd" TSRMLS_CC, ImageInfo, E_WARNING, "corrupt EXIF header: maximum directory nesting level reached"); + return FALSE; + } + ImageInfo->ifd_nesting_level++; + tag = php_ifd_get16u(dir_entry, ImageInfo->motorola_intel); format = php_ifd_get16u(dir_entry+2, ImageInfo->motorola_intel); components = php_ifd_get32u(dir_entry+4, ImageInfo->motorola_intel); @@ -3739,6 +3748,8 @@ } } + ImageInfo->ifd_nesting_level = 0; + /* Scan the JPEG headers. */ ret = exif_scan_FILE_header(ImageInfo TSRMLS_CC);
-- PHP CVS Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php