andrei Fri Jan 21 18:59:55 2005 EDT
Modified files: (Branch: PHP_5_0)
/php-src NEWS
/php-src/ext/exif exif.c
Log:
MFB (bugfix for 28451)
http://cvs.php.net/diff.php/php-src/NEWS?r1=1.1760.2.202&r2=1.1760.2.203&ty=u
Index: php-src/NEWS
diff -u php-src/NEWS:1.1760.2.202 php-src/NEWS:1.1760.2.203
--- php-src/NEWS:1.1760.2.202 Thu Jan 20 13:42:40 2005
+++ php-src/NEWS Fri Jan 21 18:59:55 2005
@@ -1,6 +1,8 @@
PHP NEWS
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
?? ??? 2005, PHP 5.0.4
+- Fixed bug #28451 (corupt EXIF headers have unlimited recursive IFD directory
+ entries). (Andrei)
- Added Oracle Instant Client support. (cjbj at hotmail dot com, Tony)
- Added length and charsetnr for field array and object in mysqli. (Georg)
- Changed phpize not to require automake and libtool. (Jani)
http://cvs.php.net/diff.php/php-src/ext/exif/exif.c?r1=1.162.2.2&r2=1.162.2.3&ty=u
Index: php-src/ext/exif/exif.c
diff -u php-src/ext/exif/exif.c:1.162.2.2 php-src/ext/exif/exif.c:1.162.2.3
--- php-src/ext/exif/exif.c:1.162.2.2 Tue Nov 9 20:44:28 2004
+++ php-src/ext/exif/exif.c Fri Jan 21 18:59:55 2005
@@ -17,7 +17,7 @@
+----------------------------------------------------------------------+
*/
-/* $Id: exif.c,v 1.162.2.2 2004/11/10 01:44:28 iliaa Exp $ */
+/* $Id: exif.c,v 1.162.2.3 2005/01/21 23:59:55 andrei Exp $ */
/* ToDos
*
@@ -93,12 +93,13 @@
#define EFREE_IF(ptr) if (ptr) efree(ptr)
+#define MAX_IFD_NESTING_LEVEL 5
+
static
ZEND_BEGIN_ARG_INFO(exif_thumbnail_force_ref, 1)
ZEND_ARG_PASS_INFO(0)
ZEND_END_ARG_INFO();
-
/* {{{ exif_functions[]
*/
function_entry exif_functions[] = {
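Review bot: `MAX_IFD_NESTING_LEVEL` is added without a comment saying what it bounds or why the value is 5. It is a limit applied to data read from untrusted image files, so a one-line comment above the define would help whoever has to tune it later, for example `/* Maximum IFD recursion depth accepted from a file; deeper nesting is treated as a corrupt header */`.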
@@ -111,7 +112,7 @@
};
/* }}} */
-#define EXIF_VERSION "1.4 $Id: exif.c,v 1.162.2.2 2004/11/10 01:44:28 iliaa
Exp $"
+#define EXIF_VERSION "1.4 $Id: exif.c,v 1.162.2.3 2005/01/21 23:59:55 andrei
Exp $"
/* {{{ PHP_MINFO_FUNCTION
*/
@@ -1442,6 +1443,7 @@
/* for parsing */
int read_thumbnail;
int read_all;
+ int ifd_nesting_level;
/* internal */
file_section_list file;
} image_info_type;
@@ -2711,6 +2713,13 @@
size_t byte_count, offset_val, fpos, fgot;
xp_field_type *tmp_xp;
+ /* Protect against corrupt headers */
+ if (ImageInfo->ifd_nesting_level > MAX_IFD_NESTING_LEVEL) {
+ exif_error_docref("exif_read_data#error_ifd" TSRMLS_CC,
ImageInfo, E_WARNING, "corrupt EXIF header: maximum directory nesting level
reached");
+ return FALSE;
+ }
+ ImageInfo->ifd_nesting_level++;
+
tag = php_ifd_get16u(dir_entry, ImageInfo->motorola_intel);
format = php_ifd_get16u(dir_entry+2, ImageInfo->motorola_intel);
components = php_ifd_get32u(dir_entry+4, ImageInfo->motorola_intel);
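Review bot: `ImageInfo->ifd_nesting_level` is incremented on entry here, but nothing in the hunk decrements it on the way out, so it counts calls rather than nesting depth. The lines that follow read a tag, format and component count from `dir_entry`, which suggests this function runs once per directory entry. If so, a well-formed file with more than six entries would hit the "maximum directory nesting level reached" warning and be rejected. To bound recursion depth only, pair the increment with `ImageInfo->ifd_nesting_level--;` on every return path, or do the increment and decrement in a thin wrapper around the existing body. The function starts and ends outside the hunk, so its return paths are not visible here.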
@@ -3739,6 +3748,8 @@
}
}
+ ImageInfo->ifd_nesting_level = 0;
+
/* Scan the JPEG headers. */
ret = exif_scan_FILE_header(ImageInfo TSRMLS_CC);