- MFB: #48378, exif_read_data() segfaults on certain corrupted .jpeg files

17 years ago · 1a836712f0
3 changed files with 23 additions and 0 deletions
--- a/ext/exif/exif.c
+++ b/ext/exif/exif.c
@ -3215,6 +3215,10 @@ static void exif_process_TIFF_in_JPEG(image_info_type *ImageInfo, char *CharBuf,
 		exif_error_docref(NULL EXIFERR_CC, ImageInfo, E_WARNING, "Invalid TIFF start (1)");
 		return;
 	}
+	if (offset_of_ifd > length) {
+		exif_error_docref(NULL EXIFERR_CC, ImageInfo, E_WARNING, "Invalid IFD start");
+		return;
+	}

 	ImageInfo->sections_found |= FOUND_IFD0;
 	/* First directory starts at offset 8. Offsets starts at 0. */
--- a/ext/exif/tests/bug48378.jpeg
+++ b/ext/exif/tests/bug48378.jpeg
--- a/ext/exif/tests/bug48378.phpt
+++ b/ext/exif/tests/bug48378.phpt
@ -0,0 +1,19 @@
+--TEST--
+Bug #48378 (Infinite recursion due to corrupt JPEG)
+--SKIPIF--
+<?php if (!extension_loaded('exif')) print 'skip exif extension not available';?>
+--FILE--
+<?php
+exif_read_data(
+dirname(__FILE__) . "/bug48378.jpeg", 
+"FILE,COMPUTED,ANY_TAG"
+);
+?>
+--EXPECTF--
+Warning: exif_read_data(%s): Invalid IFD start in %s48378.php on line %d
+
+Warning: exif_read_data(%s): Error reading from file: got=x08B4(=2228) != itemlen-2=x1FFE(=8190) in %s48378.php on line %d
+
+Warning: exif_read_data(%s): Invalid JPEG file in %s48378.php on line %d
+
+