
Commit e76dea4

committed
Merge branch 'PHP-7.2' into PHP-7.3
2 parents 85e7668 + 0fa1302 commit e76dea4


4 files changed

+37
-0
lines changed


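--- a/ext/exif/exif.c
+++ b/ext/exif/exif.c
@@ -3229,6 +3229,14 @@ static int exif_process_IFD_in_MAKERNOTE(image_info_type *ImageInfo, char * valu
 }
 /* }}} */
 
+#define REQUIRE_NON_EMPTY() do { \
+if (byte_count == 0) { \
+exif_error_docref("exif_read_data#error_ifd" EXIFERR_CC, ImageInfo, E_WARNING, "Process tag(x%04X=%s): Cannot be empty", tag, exif_get_tagname(tag, tagname, -12, tag_table)); \
+return FALSE; \
+} \
+} while (0)
+
+
 /* {{{ exif_process_IFD_TAG
 * Process one of the nested IFDs directories. */
 static int exif_process_IFD_TAG(image_info_type *ImageInfo, char *dir_entry, char *offset_base, size_t IFDlength, size_t displacement, int section_index, int ReadNextIFD, tag_table_type tag_table)
@@ -3346,8 +3354,12 @@ static int exif_process_IFD_TAG(image_info_type *ImageInfo, char *dir_entry, cha
 }
 #endif
 
+/* NB: The following code may not assume that there is at least one component!
+* byte_count may be zero! */
+
 if (section_index==SECTION_THUMBNAIL) {
 if (!ImageInfo->Thumbnail.data) {
+REQUIRE_NON_EMPTY();
 switch(tag) {
 case TAG_IMAGEWIDTH:
 case TAG_COMP_IMAGE_WIDTH:
@@ -3430,6 +3442,7 @@ static int exif_process_IFD_TAG(image_info_type *ImageInfo, char *dir_entry, cha
 case TAG_FNUMBER:
 /* Simplest way of expressing aperture, so I trust it the most.
 (overwrite previously computed value if there is one) */
+REQUIRE_NON_EMPTY();
 ImageInfo->ApertureFNumber = (float)exif_convert_any_format(value_ptr, format, ImageInfo->motorola_intel);
 break;
 
@@ -3438,6 +3451,7 @@ static int exif_process_IFD_TAG(image_info_type *ImageInfo, char *dir_entry, cha
 /* More relevant info always comes earlier, so only use this field if we don't
 have appropriate aperture information yet. */
 if (ImageInfo->ApertureFNumber == 0) {
+REQUIRE_NON_EMPTY();
 ImageInfo->ApertureFNumber
 = (float)exp(exif_convert_any_format(value_ptr, format, ImageInfo->motorola_intel)*log(2)*0.5);
 }
@@ -3449,6 +3463,7 @@ static int exif_process_IFD_TAG(image_info_type *ImageInfo, char *dir_entry, cha
 SHUTTERSPEED comes after EXPOSURE TIME
 */
 if (ImageInfo->ExposureTime == 0) {
+REQUIRE_NON_EMPTY();
 ImageInfo->ExposureTime
 = (float)(1/exp(exif_convert_any_format(value_ptr, format, ImageInfo->motorola_intel)*log(2)));
 }
@@ -3458,20 +3473,24 @@ static int exif_process_IFD_TAG(image_info_type *ImageInfo, char *dir_entry, cha
 break;
 
 case TAG_COMP_IMAGE_WIDTH:
+REQUIRE_NON_EMPTY();
 ImageInfo->ExifImageWidth = exif_convert_any_to_int(value_ptr, exif_rewrite_tag_format_to_unsigned(format), ImageInfo->motorola_intel);
 break;
 
 case TAG_FOCALPLANE_X_RES:
+REQUIRE_NON_EMPTY();
 ImageInfo->FocalplaneXRes = exif_convert_any_format(value_ptr, format, ImageInfo->motorola_intel);
 break;
 
 case TAG_SUBJECT_DISTANCE:
 /* Inidcates the distacne the autofocus camera is focused to.
 Tends to be less accurate as distance increases. */
+REQUIRE_NON_EMPTY();
 ImageInfo->Distance = (float)exif_convert_any_format(value_ptr, format, ImageInfo->motorola_intel);
 break;
 
 case TAG_FOCALPLANE_RESOLUTION_UNIT:
+REQUIRE_NON_EMPTY();
 switch((int)exif_convert_any_format(value_ptr, format, ImageInfo->motorola_intel)) {
 case 1: ImageInfo->FocalplaneUnits = 25.4; break; /* inch */
 case 2:
@@ -3514,6 +3533,7 @@ static int exif_process_IFD_TAG(image_info_type *ImageInfo, char *dir_entry, cha
 case TAG_GPS_IFD_POINTER:
 case TAG_INTEROP_IFD_POINTER:
 if (ReadNextIFD) {
+REQUIRE_NON_EMPTY();
 char *Subdir_start;
 int sub_section_index = 0;
 switch(tag) {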
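Review bot: The `REQUIRE_NON_EMPTY();` added at the top of the `if (ReadNextIFD)` block in the last hunk now sits before the declarations `char *Subdir_start;` and `int sub_section_index = 0;`, which is a declaration after a statement; if this branch is still built under C89-style rules (e.g. `-Wdeclaration-after-statement` or an older MSVC), the call should move below the two declarations: `char *Subdir_start;` / `int sub_section_index = 0;` / `REQUIRE_NON_EMPTY();`. Separately, the macro defined in the first hunk reads `byte_count`, `tag`, `tagname`, `tag_table` and `ImageInfo` from the expanding function's scope and returns `FALSE` from it, none of which is visible at its use sites; a one-line comment above the `#define` would make that contract explicit, e.g. `/* Intended for use inside exif_process_IFD_TAG: reads byte_count/tag/tagname/tag_table/ImageInfo and returns FALSE from the caller when the tag has zero components. */`. The body of exif_process_IFD_TAG continues beyond the hunk, so any other readers of `value_ptr` past these points are not visible here.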

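--- a/ext/exif/tests/bug73737.phpt
+++ b/ext/exif/tests/bug73737.phpt
@@ -8,5 +8,7 @@ Bug #73737 (Crash when parsing a tag format)
 var_dump($exif);
 ?>
 --EXPECTF--
+Warning: exif_thumbnail(bug73737.tiff): Process tag(x0100=ImageWidth ): Cannot be empty in %s on line %d
+
 Warning: exif_thumbnail(bug73737.tiff): Error in TIFF: filesize(x0030) less than start of IFD dir(x10102) in %s line %d
 bool(false)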
Lines changed: 15 additions & 0 deletions
@@ -0,0 +1,15 @@
1+
--TEST--
2+
OSS-Fuzz #17163: Out-of-bounds read due to tag with zero components
3+
--FILE--
4+
<?php
5+
6+
var_dump(exif_read_data(__DIR__ . '/tag_with_illegal_zero_components.jpeg'));
7+
8+
?>
9+
--EXPECTF--
10+
Warning: exif_read_data(tag_with_illegal_zero_components.jpeg): Process tag(x0202=JPEGInterch): Cannot be empty in %s on line %d
11+
12+
Warning: exif_read_data(tag_with_illegal_zero_components.jpeg): File structure corrupted in %s on line %d
13+
14+
Warning: exif_read_data(tag_with_illegal_zero_components.jpeg): Invalid JPEG file in %s on line %d
15+
bool(false)
