Adapted for 5.4, by Remi Collet, binary patch removed, from: From 41131cd41d2fd2e0c2f332a27988df75659c42e4 Mon Sep 17 00:00:00 2001 From: Stanislav Malyshev Date: Mon, 18 Jul 2016 23:21:51 -0700 Subject: [PATCH] Fix bug #72618: NULL Pointer Dereference in exif_process_user_comment --- ext/exif/exif.c | 17 +++++++++++------ ext/exif/tests/bug72618.jpg | Bin 0 -> 3711 bytes ext/exif/tests/bug72618.phpt | 11 +++++++++++ 3 files changed, 22 insertions(+), 6 deletions(-) create mode 100644 ext/exif/tests/bug72618.jpg create mode 100644 ext/exif/tests/bug72618.phpt diff --git a/ext/exif/exif.c b/ext/exif/exif.c index 760e746..74b652b 100644 --- a/ext/exif/exif.c +++ b/ext/exif/exif.c @@ -2623,6 +2623,7 @@ static int exif_process_user_comment(image_info_type *ImageInfo, char **pszInfoP *pszEncoding = NULL; /* Copy the comment */ if (ByteCount>=8) { + const zend_encoding *from, *to; if (!memcmp(szValuePtr, "UNICODE\0", 8)) { *pszEncoding = estrdup((const char*)szValuePtr); szValuePtr = szValuePtr+8; @@ -2643,14 +2644,16 @@ static int exif_process_user_comment(image_info_type *ImageInfo, char **pszInfoP } else { decode = ImageInfo->decode_unicode_le; } + to = zend_multibyte_fetch_encoding(ImageInfo->encode_unicode TSRMLS_CC); + from = zend_multibyte_fetch_encoding(decode TSRMLS_CC); /* XXX this will fail again if encoding_converter returns on error something different than SIZE_MAX */ - if (zend_multibyte_encoding_converter( + if (!to || !from || zend_multibyte_encoding_converter( (unsigned char**)pszInfoPtr, &len, (unsigned char*)szValuePtr, ByteCount, - zend_multibyte_fetch_encoding(ImageInfo->encode_unicode TSRMLS_CC), - zend_multibyte_fetch_encoding(decode TSRMLS_CC) + to, + from TSRMLS_CC) == (size_t)-1) { len = exif_process_string_raw(pszInfoPtr, szValuePtr, ByteCount); } @@ -2665,13 +2668,15 @@ static int exif_process_user_comment(image_info_type *ImageInfo, char **pszInfoP szValuePtr = szValuePtr+8; ByteCount -= 8; /* XXX this will fail again if encoding_converter returns on error something different than SIZE_MAX */ - if (zend_multibyte_encoding_converter( + to = zend_multibyte_fetch_encoding(ImageInfo->encode_jis TSRMLS_CC); + from = zend_multibyte_fetch_encoding(ImageInfo->motorola_intel ? ImageInfo->decode_jis_be : ImageInfo->decode_jis_le TSRMLS_CC); + if (!to || !from || zend_multibyte_encoding_converter( (unsigned char**)pszInfoPtr, &len, (unsigned char*)szValuePtr, ByteCount, - zend_multibyte_fetch_encoding(ImageInfo->encode_jis TSRMLS_CC), - zend_multibyte_fetch_encoding(ImageInfo->motorola_intel ? ImageInfo->decode_jis_be : ImageInfo->decode_jis_le TSRMLS_CC) + to, + from TSRMLS_CC) == (size_t)-1) { len = exif_process_string_raw(pszInfoPtr, szValuePtr, ByteCount); } From 1364742be9757e594fd1b203d45805106ecd31c7 Mon Sep 17 00:00:00 2001 From: Stanislav Malyshev Date: Mon, 18 Jul 2016 23:30:51 -0700 Subject: [PATCH] Fix tests --- ext/exif/tests/bug54002.phpt | 6 +----- ext/exif/tests/bug62523_2.phpt | 6 ++++-- 2 files changed, 5 insertions(+), 7 deletions(-) diff --git a/ext/exif/tests/bug54002.phpt b/ext/exif/tests/bug54002.phpt index c51fa58..8f85339 100644 --- a/ext/exif/tests/bug54002.phpt +++ b/ext/exif/tests/bug54002.phpt @@ -13,8 +13,4 @@ exif_read_data(__DIR__ . '/bug54002_2.jpeg'); --EXPECTF-- Warning: exif_read_data(bug54002_1.jpeg): Process tag(x0205=UndefinedTa): Illegal byte_count in %sbug54002.php on line %d -Warning: exif_read_data(bug54002_1.jpeg): Process tag(xA000=FlashPixVer): Illegal pointer offset(%s) in %sbug54002.php on line %d - -Warning: exif_read_data(bug54002_2.jpeg): Process tag(x0205=UndefinedTa): Illegal byte_count in %sbug54002.php on line %d - -Warning: exif_read_data(bug54002_2.jpeg): Process tag(xA000=FlashPixVer): Illegal pointer offset(%s) in %sbug54002.php on line %d +Warning: exif_read_data(bug54002_2.jpeg): Process tag(x0205=UndefinedTa): Illegal byte_count in %sbug54002.php on line %d \ No newline at end of file diff --git a/ext/exif/tests/bug62523_2.phpt b/ext/exif/tests/bug62523_2.phpt index ddc8ae8..c533d42 100644 --- a/ext/exif/tests/bug62523_2.phpt +++ b/ext/exif/tests/bug62523_2.phpt @@ -10,7 +10,9 @@ echo "Test\n"; var_dump(count(exif_read_data(__DIR__."/bug62523_2.jpg"))); ?> Done ---EXPECT-- +--EXPECTF-- Test -int(76) + +Warning: exif_read_data(bug62523_2.jpg): IFD data bad offset: 0xADB23672 length 0x0D94 in %s/bug62523_2.php on line %d +int(30) Done