author | Christoph M. Becker <cmb@php.net> | 2015-07-23 18:40:54 +0200 |
---|---|---|
committer | Christoph M. Becker <cmb@php.net> | 2015-07-23 18:40:54 +0200 |
commit | de3f60d5362629de810d640400aba0d4e37de1f0 (patch) | |
tree | f85d6cf530bf43b21fccd14ed2913d891b0689f6 | |
parent | 084a6e43cd78546168133c066c236fc82c110a43 (diff) | |
parent | 35e717e12ef5be57f4a013208f5b25b617b3de02 (diff) | |
download | php-git-de3f60d5362629de810d640400aba0d4e37de1f0.tar.gz |
Merge branch 'PHP-5.6'
* PHP-5.6:
Fix #70052: getimagesize() fails for very large and very small WBMP
Conflicts:
ext/standard/image.c
-rw-r--r-- | ext/standard/image.c | 25 | ||||
-rw-r--r-- | ext/standard/tests/image/bug70052.phpt | 21 | ||||
-rw-r--r-- | ext/standard/tests/image/bug70052_1.wbmp | bin | 0 -> 12 bytes | |||
-rw-r--r-- | ext/standard/tests/image/bug70052_2.wbmp | bin | 0 -> 7 bytes |
4 files changed, 39 insertions, 7 deletions
diff --git a/ext/standard/image.c b/ext/standard/image.c index edb0d50ea3..378423917e 100644 --- a/ext/standard/image.c +++ b/ext/standard/image.c @@ -969,6 +969,10 @@ static int php_get_wbmp(php_stream *stream, struct gfxinfo **result, int check) return 0; } width = (width << 7) | (i & 0x7f); + /* maximum valid width for wbmp (although 127 may be a more accurate one) */ + if (width > 2048) { + return 0; + } } while (i & 0x80); /* get height */ @@ -978,10 +982,13 @@ static int php_get_wbmp(php_stream *stream, struct gfxinfo **result, int check) return 0; } height = (height << 7) | (i & 0x7f); + /* maximum valid heigth for wbmp (although 127 may be a more accurate one) */ + if (height > 2048) { + return 0; + } } while (i & 0x80); - /* maximum valid sizes for wbmp (although 127x127 may be a more accurate one) */ - if (!height || !width || height > 2048 || width > 2048) { + if (!height || !width) { return 0; } @@ -1223,6 +1230,7 @@ PHP_FUNCTION(image_type_to_extension) PHPAPI int php_getimagetype(php_stream * stream, char *filetype) { char tmp[12]; + int twelve_bytes_read; if ( !filetype) filetype = tmp; if((php_stream_read(stream, filetype, 3)) != 3) { @@ -1273,12 +1281,11 @@ PHPAPI int php_getimagetype(php_stream * stream, char *filetype) return IMAGE_FILETYPE_ICO; } - if (php_stream_read(stream, filetype+4, 8) != 8) { - php_error_docref(NULL, E_NOTICE, "Read error!"); - return IMAGE_FILETYPE_UNKNOWN; - } + /* WBMP may be smaller than 12 bytes, so delay error */ + twelve_bytes_read = (php_stream_read(stream, filetype+4, 8) == 8); + /* BYTES READ: 12 */ - if (!memcmp(filetype, php_sig_jp2, 12)) { + if (twelve_bytes_read && !memcmp(filetype, php_sig_jp2, 12)) { return IMAGE_FILETYPE_JP2; } 
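Review bot: The new `width > 2048` guard in the width loop bounds the decoded value but not the number of octets consumed. A run of `0x80` bytes adds no payload bits, so `width` stays 0 and the loop keeps reading until the stream ends. Consider also capping the octet count, with a counter declared next to `width` and something like `if (++octets > 4) { return 0; }` inside the loop; that would also reject zero-padded encodings, so the limit needs a deliberate choice. The same applies to the height loop in the next hunk. The declarations and the top of the `do` loop are outside the hunk, so the placement is a sketch.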
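Review bot: The comment added in the height loop misspells the word as `heigth`, and the limit `2048` is now written out in two separate checks with near-identical comments. A single named constant used by both loops, e.g. `#define PHP_WBMP_MAX_DIM 2048` (the name is only a suggestion), would keep the two bounds from drifting apart. The comment could also say why the check sits inside the loop, e.g. `/* reject early so repeated << 7 cannot overflow */`, assuming `width` and `height` are plain `int`, which is declared outside the hunk.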
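Review bot: After this hunk, `filetype[4..11]` may be only partly filled when the 8-byte read comes up short, yet the retained `/* BYTES READ: 12 */` marker still states the old invariant. The JP2 `memcmp` is correctly guarded by `twelve_bytes_read`, but any later check that looks at those bytes needs the same guard. When the caller passes no buffer, they are uninitialised stack from `tmp`. A comment such as `/* BYTES READ: 12 only if twelve_bytes_read; otherwise filetype[4..11] is not fully set */` would make that explicit. Reducing the `php_stream_read` result to a boolean also sends a stream failure and a merely short file down the same path; that is presumably intended, but worth stating.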
@@ -1286,6 +1293,10 @@ PHPAPI int php_getimagetype(php_stream * stream, char *filetype) if (php_get_wbmp(stream, NULL, 1)) { return IMAGE_FILETYPE_WBMP; } + if (!twelve_bytes_read) { + php_error_docref(NULL, E_NOTICE, "Read error!"); + return IMAGE_FILETYPE_UNKNOWN; + } if (php_get_xbm(stream, NULL)) { return IMAGE_FILETYPE_XBM; } diff --git a/ext/standard/tests/image/bug70052.phpt b/ext/standard/tests/image/bug70052.phpt new file mode 100644 index 0000000000..76ebda92b2 --- /dev/null +++ b/ext/standard/tests/image/bug70052.phpt @@ -0,0 +1,21 @@ +--TEST-- +Bug #70052 (getimagesize() fails for very large and very small WBMP) +--FILE-- +<?php +var_dump(getimagesize(__DIR__ . '/bug70052_1.wbmp')); +var_dump(getimagesize(__DIR__ . '/bug70052_2.wbmp')); +?> +--EXPECT-- +bool(false) +array(5) { + [0]=> + int(3) + [1]=> + int(3) + [2]=> + int(15) + [3]=> + string(20) "width="3" height="3"" + ["mime"]=> + string(18) "image/vnd.wap.wbmp" +} diff --git a/ext/standard/tests/image/bug70052_1.wbmp b/ext/standard/tests/image/bug70052_1.wbmp Binary files differnew file mode 100644 index 0000000000..2c32f379ae --- /dev/null +++ b/ext/standard/tests/image/bug70052_1.wbmp diff --git a/ext/standard/tests/image/bug70052_2.wbmp b/ext/standard/tests/image/bug70052_2.wbmp Binary files differnew file mode 100644 index 0000000000..d0f4313fc1 --- /dev/null +++ b/ext/standard/tests/image/bug70052_2.wbmp |
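Review bot: With the `Read error!` return moved below `php_get_wbmp(stream, NULL, 1)`, every input shorter than 12 bytes now goes through the WBMP probe before it can be rejected. The call is given none of the signature bytes the other formats are compared against. A few bytes of input can therefore come back as `IMAGE_FILETYPE_WBMP`, so code that treats the detected type as validation of untrusted uploads should not rely on this result alone. A comment at the check would record that: `/* WBMP has no magic bytes; a match here is a heuristic on the header fields */`. The body of `php_get_wbmp` is outside this hunk, so what it validates beyond the dimensions cannot be confirmed from here.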
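Review bot: The test does not cover the path this commit moves: a file shorter than 12 bytes that is not a WBMP. Per the image.c change, that input should still produce the `Read error!` notice and `false`. The two existing cases expect `bool(false)` for one fixture and a 3x3 result for the other. Adding a short non-WBMP fixture, plus a pair at the `2048`/`2049` boundary for width and height, would pin both new branches. The `.wbmp` fixtures are binary and not shown, so which one exercises which limit is inferred from the expected output.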