ID: 13213 Updated by: [EMAIL PROTECTED] Reported By: pulstar at mail dot com Status: Closed Bug Type: GetImageSize related Operating System: Linux RedHat 7.1 PHP Version: 4.1.1 Assigned To: helly New Comment:
Also see: Bug #25905 getimagesize fail with some jpegs Previous Comments: ------------------------------------------------------------------------ [2002-03-10 07:15:50] janderk at digitaldutch dot com I'm the main developer of Arles Image Web Page Creator, the application that generated those JPEG's with the illegal comment section. I got an email about this PHP BUG report from a user asking me to repair this Arles bug. FYI: It was a bug in an older versions of Arles and has been repaired in the latest releases. It was actually caused by a bug in the Intel JPEG library we used at that time. I'm glad that we could help making PHP more robust in reading corrupted images ;) ------------------------------------------------------------------------ [2002-03-09 11:04:37] [EMAIL PROTECTED] Took a closer look on the file. The promlem is that both photo1 and photo3 have an illegal comment section. The section is appended by some 0x00 where 0xFF were expected. As other software ignores the NULLs i will add this to CVS / php4.3 version. ------------------------------------------------------------------------ [2002-03-08 11:44:25] [EMAIL PROTECTED] The current CVS implementation has been improoved on that. As you can see from exif's debug warnings. photo1 and photo3 are illegal. An internal section says it is longer than the file :-( I could implement handling that but it would blow up code. I will consider the applied patch... photo1.jpg GetImageSize [ , , , ] exif_read_data exif_read_data returned false Invalid JPEG/TIFF file: 'photo1.jpg' 21 PHP Warning: error reading from file: got=x3648(=13896) != itemlen-2=x4EE1(=20193) photo2.jpg GetImageSize [ 640, 480, 2, width="640" height="480" ] exif_read_data exif_read_data returned false O.K. 22 photo3.jpg GetImageSize [ , , , ] exif_read_data exif_read_data returned false Invalid JPEG/TIFF file: 'photo3.jpg' 23 PHP Warning: error reading from file: got=x1E3D(=7741) != itemlen-2=xF698(=63128) photo4.jpg GetImageSize [ 640, 480, 2, width="640" height="480" ] exif_read_data exif_read_data returned false O.K. ------------------------------------------------------------------------ [2002-01-22 16:34:48] mul at rentapacs dot com Solution: Read additional bytes to resync on the marker sequence. If marker length is too short, nothing is lost. If too long, one marker will be missing. Besides that APPn in $info array will contain consistent entries and no bogus markers. Uhm, ... and if the JPEG format follows the spec and contains correct marker lengths, it will work also ;-) This patch against 4.1.1 might do the trick: --- ext/standard/image.c.orig Sat Aug 11 19:03:37 2001 +++ ext/standard/image.c Tue Jan 22 22:10:42 2002 @@ -253,12 +253,20 @@ /* {{{ php_next_marker */ -static unsigned int php_next_marker(int socketd, FILE *fp, int issock) +static unsigned int php_next_marker(int socketd, FILE *fp, int issock, int isfirst) /* get next marker byte from file */ { int c; - /* get marker byte, swallowing possible padding */ + if (!isfirst) { + /* swallow bytes resulting from short marker length */ + do { + if ((c = FP_FGETC(socketd, fp, issock)) == EOF) + return M_EOI; /* we hit EOF */ + } while (c != 0xff); + } + + /* get marker byte, swallowing possible 0xff padding */ do { if ((c = FP_FGETC(socketd, fp, issock)) == EOF) return M_EOI; /* we hit EOF */ @@ -320,12 +328,14 @@ static struct gfxinfo *php_handle_jpeg (int socketd, FILE *fp, int issock, pval *info) { struct gfxinfo *result = NULL; + int isfirst = 1; /* First marker after JPEG sig 'FF D8 FF' */ unsigned int marker; char tmp[2]; unsigned char a[4]; for (;;) { - marker = php_next_marker(socketd, fp, issock); + marker = php_next_marker(socketd, fp, issock, isfirst); + isfirst = 0; switch (marker) { case M_SOF0: case M_SOF1: ------------------------------------------------------------------------ [2002-01-22 13:15:04] mul at rentapacs dot com Offending images contain COM marker with length parameter two bytes short. This breaks further decoding of JPEG header - GetImageSize() cannot return useful information. ------------------------------------------------------------------------ The remainder of the comments for this report are too long. To view the rest of the comments, please view the bug report online at http://bugs.php.net/13213 -- Edit this bug report at http://bugs.php.net/?id=13213&edit=1