Diffstat (limited to 'ext/exif')
-rw-r--r--ext/exif/exif.c25
-rw-r--r--ext/exif/tests/bug50845.jpgbin0 -> 803603 bytes
-rw-r--r--ext/exif/tests/bug50845.phpt140
-rw-r--r--ext/exif/tests/bug72094.phpt61
-rw-r--r--ext/exif/tests/bug72094_1.jpgbin0 -> 140 bytes
-rw-r--r--ext/exif/tests/bug72094_2.jpgbin0 -> 140 bytes
-rw-r--r--ext/exif/tests/bug72094_3.jpgbin0 -> 112 bytes
-rw-r--r--ext/exif/tests/bug72094_4.jpgbin0 -> 32 bytes
8 files changed, 220 insertions, 6 deletions
diff --git a/ext/exif/exif.c b/ext/exif/exif.c
index 153bfff035..777694538b 100644
--- a/ext/exif/exif.c
+++ b/ext/exif/exif.c
@@ -155,7 +155,7 @@ ZEND_DECLARE_MODULE_GLOBALS(exif)
#define EXIF_G(v) ZEND_MODULE_GLOBALS_ACCESSOR(exif, v)
#if defined(ZTS) && defined(COMPILE_DL_EXIF)
-ZEND_TSRMLS_CACHE_DEFINE();
+ZEND_TSRMLS_CACHE_DEFINE()
#endif
/* {{{ PHP_INI
@@ -2869,11 +2869,11 @@ static int exif_process_IFD_TAG(image_info_type *ImageInfo, char *dir_entry, cha
}
fpos = php_stream_tell(ImageInfo->infile);
- php_stream_seek(ImageInfo->infile, offset_val, SEEK_SET);
+ php_stream_seek(ImageInfo->infile, displacement+offset_val, SEEK_SET);
fgot = php_stream_tell(ImageInfo->infile);
- if (fgot!=offset_val) {
+ if (fgot!=displacement+offset_val) {
EFREE_IF(outside);
- exif_error_docref(NULL EXIFERR_CC, ImageInfo, E_WARNING, "Wrong file pointer: 0x%08X != 0x%08X", fgot, offset_val);
+ exif_error_docref(NULL EXIFERR_CC, ImageInfo, E_WARNING, "Wrong file pointer: 0x%08X != 0x%08X", fgot, displacement+offset_val);
return FALSE;
}
fgot = php_stream_read(ImageInfo->infile, value_ptr, byte_count);
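Review bot: The rewritten warning on the `exif_error_docref` line passes `fgot` and `displacement+offset_val` to `%08X`, a conversion that expects an unsigned int; if `fgot` is the zend_off_t returned by php_stream_tell and `displacement` is a size_t (both declared outside this hunk), the arguments are wider than the conversion and the call is a format/argument mismatch that the commit carries over rather than introduces. Casting at the call site keeps the diagnostic well-defined, `"Wrong file pointer: 0x%08X != 0x%08X", (unsigned)fgot, (unsigned)(displacement+offset_val)`, or the format can be switched to the width-correct conversions the project uses elsewhere. The return value of php_stream_seek is still ignored, which is acceptable only because the tell() comparison on the next line rejects any seek that did not land on the requested position. exif_process_IFD_TAG starts and ends outside this hunk.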
@@ -2946,7 +2946,7 @@ static int exif_process_IFD_TAG(image_info_type *ImageInfo, char *dir_entry, cha
/* When there are any characters after the first NUL */
ImageInfo->CopyrightPhotographer = estrdup(value_ptr);
ImageInfo->CopyrightEditor = estrndup(value_ptr+length+1, byte_count-length-1);
- spprintf(&ImageInfo->Copyright, 0, "%s, %s", value_ptr, value_ptr+length+1);
+ spprintf(&ImageInfo->Copyright, 0, "%s, %s", ImageInfo->CopyrightPhotographer, ImageInfo->CopyrightEditor);
/* format = TAG_FMT_UNDEFINED; this musn't be ASCII */
/* but we are not supposed to change this */
/* keep in mind that image_info does not store editor value */
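Review bot: The reason the spprintf now formats from the estrndup'd copies instead of `value_ptr+length+1` deserves a comment, because the next reader may "simplify" it back to the raw pointer: the editor part is apparently only `byte_count-length-1` bytes and need not be NUL-terminated inside the tag value, so `%s` on the raw pointer can read past it, while the bounded copy always terminates. Suggested comment above the spprintf: `/* Format from the NUL-terminated copies: value_ptr+length+1 is not guaranteed to be terminated within byte_count */`. Whether the enclosing condition guarantees `length < byte_count-1` before the estrndup is not visible in this hunk and should be confirmed there.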
@@ -3115,6 +3115,11 @@ static int exif_process_IFD_in_JPEG(image_info_type *ImageInfo, char *dir_start,
ImageInfo->sections_found |= FOUND_IFD0;
+ if ((dir_start + 2) >= (offset_base+IFDlength)) {
+ exif_error_docref("exif_read_data#error_ifd" EXIFERR_CC, ImageInfo, E_WARNING, "Illegal IFD size");
+ return FALSE;
+ }
+
NumDirEntries = php_ifd_get16u(dir_start, ImageInfo->motorola_intel);
if ((dir_start+2+NumDirEntries*12) > (offset_base+IFDlength)) {
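Review bot: The new guard uses `>=` where the existing NumDirEntries check directly below it uses `>`: reading the 2-byte entry count at `dir_start` only needs `dir_start+2 <= offset_base+IFDlength`, so the equality case is valid data and is now rejected as "Illegal IFD size". For consistency with the neighbouring bound, `if ((dir_start + 2) > (offset_base+IFDlength)) {`. Here the stricter bound is practically harmless, since a 2-byte IFD cannot also hold the 4-byte next-IFD offset, but the same `>=` pattern is reused for the NextDirOffset read later in this function, where it does reject a legal layout. exif_process_IFD_in_JPEG continues outside this hunk.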
@@ -3138,6 +3143,10 @@ static int exif_process_IFD_in_JPEG(image_info_type *ImageInfo, char *dir_start,
* Hack to make it process IDF1 I hope
* There are 2 IDFs, the second one holds the keys (0x0201 and 0x0202) to the thumbnail
*/
+ if ((dir_start+2+12*de + 4) >= (offset_base+IFDlength)) {
+ exif_error_docref("exif_read_data#error_ifd" EXIFERR_CC, ImageInfo, E_WARNING, "Illegal IFD size");
+ return FALSE;
+ }
NextDirOffset = php_ifd_get32u(dir_start+2+12*de, ImageInfo->motorola_intel);
if (NextDirOffset) {
/* the next line seems false but here IFDlength means length of all IFDs */
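Review bot: The bound on the 4-byte NextDirOffset read is one byte too strict: `dir_start+2+12*de + 4` equal to `offset_base+IFDlength` means the offset field ends exactly at the end of the TIFF data, which is a legal layout, yet `>=` reports "Illegal IFD size" and returns FALSE for it. Use `if ((dir_start+2+12*de + 4) > (offset_base+IFDlength)) {` so the check matches the `>` used for the entry-array bound earlier in this function. Whether `de` equals NumDirEntries when this line is reached depends on the loop above, which is outside the hunk; if the loop can exit early, the bound should be computed from the value actually used for the read.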
@@ -3187,9 +3196,13 @@ static void exif_process_TIFF_in_JPEG(image_info_type *ImageInfo, char *CharBuf,
}
/* Check the next two values for correctness. */
+ if (length < 8) {
+ exif_error_docref(NULL EXIFERR_CC, ImageInfo, E_WARNING, "Invalid TIFF start (1)");
+ return;
+ }
exif_value_2a = php_ifd_get16u(CharBuf+2, ImageInfo->motorola_intel);
offset_of_ifd = php_ifd_get32u(CharBuf+4, ImageInfo->motorola_intel);
- if ( exif_value_2a != 0x2a || offset_of_ifd < 0x08) {
+ if (exif_value_2a != 0x2a || offset_of_ifd < 0x08) {
exif_error_docref(NULL EXIFERR_CC, ImageInfo, E_WARNING, "Invalid TIFF start (1)");
return;
}
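Review bot: The new `length < 8` rejection reports the identical text "Invalid TIFF start (1)" as the existing 0x2a/offset check below it, so a truncated header and a bad TIFF magic are indistinguishable in logs and in the bug72094_4.jpg expectation added in this commit. A distinct message, e.g. `"Invalid TIFF start (0)"` or `"TIFF header too short"`, with the matching line in bug72094.phpt updated, makes triage of malformed-input reports much easier. The check also sits after the byte-order bytes at CharBuf[0..1] are consumed above the hunk; if that read has no length guard of its own, this check belongs before it. exif_process_TIFF_in_JPEG starts outside this hunk.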
diff --git a/ext/exif/tests/bug50845.jpg b/ext/exif/tests/bug50845.jpg
new file mode 100644
index 0000000000..d30137b5e6
--- /dev/null
+++ b/ext/exif/tests/bug50845.jpg
Binary files differ
diff --git a/ext/exif/tests/bug50845.phpt b/ext/exif/tests/bug50845.phpt
new file mode 100644
index 0000000000..2c142236a4
--- /dev/null
+++ b/ext/exif/tests/bug50845.phpt
@@ -0,0 +1,140 @@
+--TEST--
+Bug #50845 (exif_read_data() returns corrupted exif headers)
+--SKIPIF--
+<?php if (!extension_loaded('exif')) print 'skip exif extension not available';?>
+--FILE--
+<?php
+$infile = dirname(__FILE__).'/bug50845.jpg';
+var_dump(exif_read_data($infile));
+--EXPECTF--
+array(44) {
+ ["FileName"]=>
+ string(12) "bug50845.jpg"
+ ["FileDateTime"]=>
+ int(%d)
+ ["FileSize"]=>
+ int(803603)
+ ["FileType"]=>
+ int(2)
+ ["MimeType"]=>
+ string(10) "image/jpeg"
+ ["SectionsFound"]=>
+ string(30) "ANY_TAG, IFD0, THUMBNAIL, EXIF"
+ ["COMPUTED"]=>
+ array(9) {
+ ["html"]=>
+ string(26) "width="5472" height="3648""
+ ["Height"]=>
+ int(3648)
+ ["Width"]=>
+ int(5472)
+ ["IsColor"]=>
+ int(1)
+ ["ByteOrderMotorola"]=>
+ int(0)
+ ["ApertureFNumber"]=>
+ string(5) "f/7.1"
+ ["Copyright"]=>
+ string(13) "Public Domain"
+ ["Thumbnail.FileType"]=>
+ int(2)
+ ["Thumbnail.MimeType"]=>
+ string(10) "image/jpeg"
+ }
+ ["ImageDescription"]=>
+ string(295) "A U.S. Marine Corps MV-22 Osprey lands on the USS Whidbey Island (LSD-41), May 5, 2016. The vehicles were loaded to support a theater security cooperation event as a part of a MEU readiness exercise. (U.S. Marine Corps photo by Lance Cpl. Koby I. Saunders/22 Marine Expeditionary Unit/ Released)"
+ ["Make"]=>
+ string(5) "Canon"
+ ["Model"]=>
+ string(22) "Canon EOS-1D X Mark II"
+ ["Orientation"]=>
+ int(1)
+ ["XResolution"]=>
+ string(5) "240/1"
+ ["YResolution"]=>
+ string(5) "240/1"
+ ["ResolutionUnit"]=>
+ int(2)
+ ["Artist"]=>
+ string(24) "Lance Cpl. Koby Saunders"
+ ["Copyright"]=>
+ string(13) "Public Domain"
+ ["Exif_IFD_Pointer"]=>
+ int(12572)
+ ["THUMBNAIL"]=>
+ array(6) {
+ ["Compression"]=>
+ int(6)
+ ["XResolution"]=>
+ string(5) "240/1"
+ ["YResolution"]=>
+ string(5) "240/1"
+ ["ResolutionUnit"]=>
+ int(2)
+ ["JPEGInterchangeFormat"]=>
+ int(860)
+ ["JPEGInterchangeFormatLength"]=>
+ int(11204)
+ }
+ ["ExposureTime"]=>
+ string(5) "1/200"
+ ["FNumber"]=>
+ string(5) "71/10"
+ ["ExposureProgram"]=>
+ int(1)
+ ["ISOSpeedRatings"]=>
+ int(100)
+ ["UndefinedTag:0x8830"]=>
+ int(2)
+ ["UndefinedTag:0x8832"]=>
+ int(100)
+ ["ExifVersion"]=>
+ string(4) "0230"
+ ["ShutterSpeedValue"]=>
+ string(15) "7643856/1000000"
+ ["ApertureValue"]=>
+ string(15) "5655638/1000000"
+ ["ExposureBiasValue"]=>
+ string(3) "0/1"
+ ["MaxApertureValue"]=>
+ string(3) "4/1"
+ ["MeteringMode"]=>
+ int(5)
+ ["Flash"]=>
+ int(16)
+ ["FocalLength"]=>
+ string(4) "24/1"
+ ["ColorSpace"]=>
+ int(65535)
+ ["FocalPlaneXResolution"]=>
+ string(12) "5472000/1438"
+ ["FocalPlaneYResolution"]=>
+ string(11) "3648000/958"
+ ["FocalPlaneResolutionUnit"]=>
+ int(2)
+ ["CustomRendered"]=>
+ int(0)
+ ["ExposureMode"]=>
+ int(1)
+ ["WhiteBalance"]=>
+ int(0)
+ ["SceneCaptureType"]=>
+ int(0)
+ ["UndefinedTag:0xA431"]=>
+ string(12) "002099000358"
+ ["UndefinedTag:0xA432"]=>
+ array(4) {
+ [0]=>
+ string(4) "24/1"
+ [1]=>
+ string(5) "105/1"
+ [2]=>
+ string(3) "0/0"
+ [3]=>
+ string(3) "0/0"
+ }
+ ["UndefinedTag:0xA434"]=>
+ string(22) "EF24-105mm f/4L IS USM"
+ ["UndefinedTag:0xA435"]=>
+ string(10) "000044bc4c"
+}
diff --git a/ext/exif/tests/bug72094.phpt b/ext/exif/tests/bug72094.phpt
new file mode 100644
index 0000000000..611faf9152
--- /dev/null
+++ b/ext/exif/tests/bug72094.phpt
@@ -0,0 +1,61 @@
+--TEST--
+Bug #72094: Out of bounds heap read access in exif header processing
+--SKIPIF--
+<?php if (!extension_loaded('exif')) print 'skip exif extension not available';?>
+--FILE--
+<?php
+print_r(exif_read_data(__DIR__ . '/bug72094_1.jpg'));
+print_r(exif_read_data(__DIR__ . '/bug72094_2.jpg'));
+print_r(exif_read_data(__DIR__ . '/bug72094_3.jpg'));
+print_r(exif_read_data(__DIR__ . '/bug72094_4.jpg'));
+?>
+DONE
+--EXPECTF--
+Warning: exif_read_data(bug72094_1.jpg): Process tag(x3030=UndefinedTa): Illegal format code 0x3030, suppose BYTE in %s%ebug72094.php on line %d
+
+Warning: exif_read_data(bug72094_1.jpg): Process tag(x3030=UndefinedTa): Illegal format code 0x3030, suppose BYTE in %s%ebug72094.php on line %d
+
+Warning: exif_read_data(bug72094_1.jpg): Process tag(x3030=UndefinedTa): Illegal format code 0x3030, suppose BYTE in %s%ebug72094.php on line %d
+
+Warning: exif_read_data(bug72094_1.jpg): Process tag(x3030=UndefinedTa): Illegal format code 0x3030, suppose BYTE in %s%ebug72094.php on line %d
+
+Warning: exif_read_data(bug72094_1.jpg): Process tag(x3030=UndefinedTa): Illegal format code 0x3030, suppose BYTE in %s%ebug72094.php on line %d
+
+Warning: exif_read_data(bug72094_1.jpg): Process tag(x8298=Copyright ): Illegal format code 0x3030, suppose BYTE in %s%ebug72094.php on line %d
+
+Warning: exif_read_data(bug72094_1.jpg): Illegal IFD offset in %s%ebug72094.php on line %d
+
+Warning: exif_read_data(bug72094_1.jpg): File structure corrupted in %s%ebug72094.php on line %d
+
+Warning: exif_read_data(bug72094_1.jpg): Invalid JPEG file in %s%ebug72094.php on line %d
+
+Warning: exif_read_data(bug72094_2.jpg): Illegal IFD size in %s%ebug72094.php on line %d
+
+Warning: exif_read_data(bug72094_2.jpg): File structure corrupted in %s%ebug72094.php on line %d
+
+Warning: exif_read_data(bug72094_2.jpg): Invalid JPEG file in %s%ebug72094.php on line %d
+
+Warning: exif_read_data(bug72094_3.jpg): Process tag(x3030=UndefinedTa): Illegal format code 0x3030, suppose BYTE in %s%ebug72094.php on line %d
+
+Warning: exif_read_data(bug72094_3.jpg): Process tag(x3030=UndefinedTa): Illegal format code 0x3030, suppose BYTE in %s%ebug72094.php on line %d
+
+Warning: exif_read_data(bug72094_3.jpg): Process tag(x3030=UndefinedTa): Illegal format code 0x3030, suppose BYTE in %s%ebug72094.php on line %d
+
+Warning: exif_read_data(bug72094_3.jpg): Process tag(x3030=UndefinedTa): Illegal format code 0x3030, suppose BYTE in %s%ebug72094.php on line %d
+
+Warning: exif_read_data(bug72094_3.jpg): Process tag(x3030=UndefinedTa): Illegal format code 0x3030, suppose BYTE in %s%ebug72094.php on line %d
+
+Warning: exif_read_data(bug72094_3.jpg): Process tag(x3030=UndefinedTa): Illegal format code 0x3030, suppose BYTE in %s%ebug72094.php on line %d
+
+Warning: exif_read_data(bug72094_3.jpg): Illegal IFD size in %s%ebug72094.php on line %d
+
+Warning: exif_read_data(bug72094_3.jpg): File structure corrupted in %s%ebug72094.php on line %d
+
+Warning: exif_read_data(bug72094_3.jpg): Invalid JPEG file in %s%ebug72094.php on line %d
+
+Warning: exif_read_data(bug72094_4.jpg): Invalid TIFF start (1) in %s%ebug72094.php on line %d
+
+Warning: exif_read_data(bug72094_4.jpg): File structure corrupted in %s%ebug72094.php on line %d
+
+Warning: exif_read_data(bug72094_4.jpg): Invalid JPEG file in %s%ebug72094.php on line %d
+DONE
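Review bot: The expectations pin the exact warning sequence, so they prove the new guards fire on these four files but not the property named in the title, that no heap over-read occurs; a fix that bounded the read without emitting a warning would fail this test, and a future change that moves the over-read elsewhere passes as long as the warning text is reproduced. A short comment in the --FILE-- section stating the intent, `// regression for an out-of-bounds heap read; run under ASan/valgrind to verify memory safety`, would tell the next maintainer what the test is and is not checking. Coupling to the literal "Invalid TIFF start (1)" and "Illegal IFD size" strings also means any wording change in exif.c must be mirrored here.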
diff --git a/ext/exif/tests/bug72094_1.jpg b/ext/exif/tests/bug72094_1.jpg
new file mode 100644
index 0000000000..d21382b44b
--- /dev/null
+++ b/ext/exif/tests/bug72094_1.jpg
Binary files differ
diff --git a/ext/exif/tests/bug72094_2.jpg b/ext/exif/tests/bug72094_2.jpg
new file mode 100644
index 0000000000..ec414ce02b
--- /dev/null
+++ b/ext/exif/tests/bug72094_2.jpg
Binary files differ
diff --git a/ext/exif/tests/bug72094_3.jpg b/ext/exif/tests/bug72094_3.jpg
new file mode 100644
index 0000000000..8b05314b67
--- /dev/null
+++ b/ext/exif/tests/bug72094_3.jpg
Binary files differ
diff --git a/ext/exif/tests/bug72094_4.jpg b/ext/exif/tests/bug72094_4.jpg
new file mode 100644
index 0000000000..ca6d453c2c
--- /dev/null
+++ b/ext/exif/tests/bug72094_4.jpg
Binary files differ