File php-4.3.9-exif.patch of Package php4
Fixes for: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=154025 https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=154021
--- php-4.3.9/ext/exif/exif.c.exif
+++ php-4.3.9/ext/exif/exif.c
@@ -85,6 +85,8 @@
 #define EFREE_IF(ptr) if (ptr) efree(ptr)
+#define MAX_IFD_NESTING_LEVEL 100
+
 static unsigned char exif_thumbnail_force_ref[] = {2, BYREF_NONE, BYREF_FORCE_REST};
 /* {{{ exif_functions[]
@@ -99,7 +101,7 @@
 };
 /* }}} */
-#define EXIF_VERSION "1.4 $Id: exif.c,v 1.118.2.27 2003/12/17 09:08:37 helly Exp $"
+#define EXIF_VERSION "1.4 $Id: exif.c,v 1.118.2.35 2005/03/05 18:30:47 rasmus Exp $"
 /* {{{ PHP_MINFO_FUNCTION */
@@ -1430,6 +1432,7 @@
 /* for parsing */
 int read_thumbnail;
 int read_all;
+ int ifd_nesting_level;
 /* internal */
 file_section_list file;
 } image_info_type;
@@ -2689,6 +2692,13 @@
 size_t byte_count, offset_val, fpos, fgot;
 xp_field_type *tmp_xp;
+ /* Protect against corrupt headers */
+ if (ImageInfo->ifd_nesting_level > MAX_IFD_NESTING_LEVEL) {
+ exif_error_docref("exif_read_data#error_ifd" TSRMLS_CC, ImageInfo, E_WARNING, "corrupt EXIF header: maximum directory nesting level reached");
+ return FALSE;
+ }
+ ImageInfo->ifd_nesting_level++;
+
 tag = php_ifd_get16u(dir_entry, ImageInfo->motorola_intel);
 format = php_ifd_get16u(dir_entry+2, ImageInfo->motorola_intel);
 components = php_ifd_get32u(dir_entry+4, ImageInfo->motorola_intel);
@@ -2702,6 +2712,11 @@
 byte_count = components * php_tiff_bytes_per_format[format];
+ if ((ssize_t)byte_count < 0) {
+ exif_error_docref("exif_read_data#error_ifd" TSRMLS_CC, ImageInfo, E_WARNING, "Process tag(x%04X=%s): Illegal byte_count(%ld)", tag, exif_get_tagname(tag, tagname, -12, tag_table TSRMLS_CC), byte_count);
+ return FALSE;
+ }
+
 if (byte_count > 4) {
 offset_val = php_ifd_get32u(dir_entry+8, ImageInfo->motorola_intel);
 /* If its bigger than 4 bytes, the dir entry contains an offset. */
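Review bot: The `ImageInfo->ifd_nesting_level++;` added at the top of the function in the -2689 hunk has no matching decrement anywhere in the visible diff, and the function has early exits (the new `return FALSE;` in the -2702 hunk is one of them). Unless a decrement exists outside the hunks, the field counts directory entries processed since the reset in the last hunk rather than nesting depth, so a well-formed file with more than MAX_IFD_NESTING_LEVEL tags would be reported as a corrupt header. Keeping the limit check but doing the counting in a thin wrapper, which increments, calls the existing body, and then runs `ImageInfo->ifd_nesting_level--;`, balances every return path. The function body starts and ends outside the hunk.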
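Review bot: The `(ssize_t)byte_count < 0` test in the -2702 hunk runs after `components * php_tiff_bytes_per_format[format]` has been computed, so it catches only products whose top bit is set; where size_t is 32 bits a large `components` can wrap to a small positive `byte_count` and pass. Bounding the operand before the multiplication is tighter, for instance rejecting a `components` value that is negative or larger than `ImageInfo->FileSize` (the declared type of `components` is outside the hunk, so the exact comparison needs checking). The warning also passes a `size_t` to `%ld`; cast it, `(long)byte_count`, so the argument matches the specifier. The function body continues outside the hunk.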
@@ -2712,7 +2727,7 @@
 // JPEG does not use absolute pointers instead its pointers are relative to the start
 // of the TIFF header in APP1 section. */
- if (offset_val+byte_count>ImageInfo->FileSize || (ImageInfo->FileType!=IMAGE_FILETYPE_TIFF_II && ImageInfo->FileType!=IMAGE_FILETYPE_TIFF_MM)) {
+ if (offset_val+byte_count>ImageInfo->FileSize || (ImageInfo->FileType!=IMAGE_FILETYPE_TIFF_II && ImageInfo->FileType!=IMAGE_FILETYPE_TIFF_MM && ImageInfo->FileType!=IMAGE_FILETYPE_JPEG)) {
 if (value_ptr < dir_entry) {
 /* we can read this if offset_val > 0 */
 /* some files have their values in other parts of the file */
@@ -3713,6 +3728,8 @@
 }
 }
+ ImageInfo->ifd_nesting_level = 0;
+
 /* Scan the JPEG headers. */
 ret = exif_scan_FILE_header(ImageInfo TSRMLS_CC);
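Review bot: The bound `offset_val+byte_count>ImageInfo->FileSize` in the -2712 hunk adds two values read from the file, and where size_t is 32 bits the sum can wrap and compare below the file size; with JPEG now excluded from the second clause, that sum is the only test steering JPEG input into this branch. A subtraction form avoids the wrap: `byte_count > ImageInfo->FileSize || offset_val > ImageInfo->FileSize - byte_count`. The comment above the condition says JPEG offsets are relative to the TIFF header in the APP1 section, so the whole-file size is presumably a loose bound for JPEG data, and a short comment stating why it is still sufficient would help the next reader. The enclosing block starts and ends outside the hunk.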