
Commit 68fd435

committed
Fixed bug #78333
Don't dereference float/double values at unknown address, instead memcpy it into an aligned stack slot and dereference that.
1 parent 30eb4b3 commit 68fd435


2 files changed

+24
-6
lines changed


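--- a/NEWS
+++ b/NEWS
@@ -6,6 +6,10 @@ PHP NEWS
 . Fixed bug #77946 (Bad cURL resources returned by curl_multi_info_read()).
 (Abyr Valg)
 
+- Exif:
+. Fixed bug #78333 (Exif crash (bus error) due to wrong alignment and
+invalid cast). (Nikita)
+
 - Iconv:
 . Fixed bug #78342 (Bus error in configure test for iconv //IGNORE). (Rainer
 Jung)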

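--- a/ext/exif/exif.c
+++ b/ext/exif/exif.c
@@ -1541,6 +1541,20 @@ static void php_ifd_set32u(char *data, size_t value, int motorola_intel)
 }
 /* }}} */
 
+static float php_ifd_get_float(char *data) {
+/* Copy to avoid alignment issues */
+float f;
+memcpy(&f, data, sizeof(float));
+return f;
+}
+
+static double php_ifd_get_double(char *data) {
+/* Copy to avoid alignment issues */
+double f;
+memcpy(&f, data, sizeof(double));
+return f;
+}
+
 #ifdef EXIF_DEBUG
 char * exif_dump_data(int *dump_free, int format, int components, int length, int motorola_intel, char *value_ptr) /* {{{ */
 {
@@ -1653,12 +1667,12 @@ static double exif_convert_any_format(void *value, int format, int motorola_inte
 #ifdef EXIF_DEBUG
 php_error_docref(NULL, E_NOTICE, "Found value of type single");
 #endif
-return (double)*(float *)value;
+return (double) php_ifd_get_float(value);
 case TAG_FMT_DOUBLE:
 #ifdef EXIF_DEBUG
 php_error_docref(NULL, E_NOTICE, "Found value of type double");
 #endif
-return *(double *)value;
+return php_ifd_get_double(value);
 }
 return 0;
 }
@@ -1716,12 +1730,12 @@ static size_t exif_convert_any_to_int(void *value, int format, int motorola_inte
 #ifdef EXIF_DEBUG
 php_error_docref(NULL, E_NOTICE, "Found value of type single");
 #endif
-return (size_t)*(float *)value;
+return (size_t) php_ifd_get_float(value);
 case TAG_FMT_DOUBLE:
 #ifdef EXIF_DEBUG
 php_error_docref(NULL, E_NOTICE, "Found value of type double");
 #endif
-return (size_t)*(double *)value;
+return (size_t) php_ifd_get_double(value);
 }
 return 0;
 }
@@ -2188,13 +2202,13 @@ static void exif_iif_add_value(image_info_type *image_info, int section_index, c
 #ifdef EXIF_DEBUG
 php_error_docref(NULL, E_WARNING, "Found value of type single");
 #endif
-info_value->f = *(float *)value;
+info_value->f = php_ifd_get_float(value);
 break;
 case TAG_FMT_DOUBLE:
 #ifdef EXIF_DEBUG
 php_error_docref(NULL, E_WARNING, "Found value of type double");
 #endif
-info_value->d = *(double *)value;
+info_value->d = php_ifd_get_double(value);
 break;
 }
 }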
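Review bot: The new php_ifd_get_float/php_ifd_get_double helpers in the first hunk memcpy sizeof(float)/sizeof(double) bytes from `data` with no length check, so they silently inherit each caller's guarantee that `value` spans at least 4 or 8 readable bytes; that precondition should be stated on the helpers, e.g. `/* Caller must ensure data points to at least sizeof(float) readable bytes; memcpy makes the read alignment-safe. */`. The pointer is only read, so `static float php_ifd_get_float(const char *data)` (and the double twin) would document that and let const buffers be passed. Note also that, like the casts they replace, the helpers copy in host byte order and take no motorola_intel flag even though the adjacent php_ifd_set32u and, from the hunk headers, the calling exif_convert_any_* functions carry one — the crash fix does not change that, but a TODO noting the byte-order question would help the next reader. The php_ifd_set32u, exif_dump_data, exif_convert_any_format, exif_convert_any_to_int and exif_iif_add_value bodies all start or end outside these hunks.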
