Skip to content

Commit

Permalink
ext_gd: exif_process_IFD_TAG: Use the right offset if reading from st…
Browse files Browse the repository at this point in the history
…ream

Summary:
When the location of the data is outside of the range we have
preloaded (for example, if it's before the beginning of the IFD
structure), we have to read it from the stream into a separate buffer.
The offset calculations in this case were incorrect, resulting in
bogus values being read for the affected fields (sometimes parts of
other fields, sometimes binary data).

The included test image, sourced from [1], is in the public domain.

[1] https://commons.wikimedia.org/wiki/File:U.S._Marines_Prepare_to_board_an_MV-22_Osprey_160509-M-AF202-041.jpg

(This is the same fix as PHP commit c794d53c0377be960a17c3279715436e405b83f4 / php/php-src#1943.)
Closes #7208

Reviewed By: Orvid

Differential Revision: D3518486

fbshipit-source-id: e0560e9455177d873b9494f736fb140810b25633
  • Loading branch information
MatmaRex authored and Hhvm Bot committed Aug 15, 2016

Verified

This commit was created on GitHub.com and signed with GitHub’s verified signature.
1 parent 5fa4e6f commit 80b29e9
Showing 7 changed files with 140 additions and 3 deletions.
6 changes: 3 additions & 3 deletions hphp/runtime/ext/gd/ext_gd.cpp
Original file line number Diff line number Diff line change
@@ -6553,12 +6553,12 @@ static int exif_process_IFD_TAG(image_info_type *ImageInfo, char *dir_entry,
}

fpos = ImageInfo->infile->tell();
ImageInfo->infile->seek(offset_val, SEEK_SET);
ImageInfo->infile->seek(displacement+offset_val, SEEK_SET);
fgot = ImageInfo->infile->tell();
if (fgot!=offset_val) {
if (fgot!=displacement+offset_val) {
if (outside) IM_FREE(outside);
raise_warning("Wrong file pointer: 0x%08lX != 0x%08lX",
fgot, offset_val);
fgot, displacement+offset_val);
return 0;
}
String str = ImageInfo->infile->read(byte_count);
1 change: 1 addition & 0 deletions hphp/test/tools/import_zend_test.py
Original file line number Diff line number Diff line change
@@ -700,6 +700,7 @@
'/ext/dom/tests/xinclude.xml',
'/ext/exif/tests/bug34704.jpg',
'/ext/exif/tests/bug48378.jpeg',
'/ext/exif/tests/bug50845.jpg',
'/ext/exif/tests/bug60150.jpg',
'/ext/exif/tests/bug62523_1.jpg',
'/ext/exif/tests/bug62523_2.jpg',
1 change: 1 addition & 0 deletions hphp/test/zend/.gitattributes
Original file line number Diff line number Diff line change
@@ -355,6 +355,7 @@ good/ext/date/tests/bug65371.php binary
good/ext/date/tests/bug65371.php.expectf binary
good/ext/exif/tests/bug34704.jpg binary
good/ext/exif/tests/bug48378.jpeg binary
good/ext/exif/tests/bug50845.jpg binary
good/ext/exif/tests/bug60150.jpg binary
good/ext/exif/tests/bug62523_2.jpg binary
good/ext/exif/tests/exif_encoding_crash.jpg binary
Binary file added hphp/test/zend/good/ext/exif/tests/bug50845.jpg
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
3 changes: 3 additions & 0 deletions hphp/test/zend/good/ext/exif/tests/bug50845.php
Original file line number Diff line number Diff line change
@@ -0,0 +1,3 @@
<?php
$infile = dirname(__FILE__).'/bug50845.jpg';
var_dump(exif_read_data($infile));
131 changes: 131 additions & 0 deletions hphp/test/zend/good/ext/exif/tests/bug50845.php.expectf
Original file line number Diff line number Diff line change
@@ -0,0 +1,131 @@
array(44) {
["FileName"]=>
string(12) "bug50845.jpg"
["FileDateTime"]=>
int(%d)
["FileSize"]=>
int(803603)
["FileType"]=>
int(2)
["MimeType"]=>
string(10) "image/jpeg"
["SectionsFound"]=>
string(30) "ANY_TAG, IFD0, THUMBNAIL, EXIF"
["COMPUTED"]=>
array(9) {
["html"]=>
string(26) "width="5472" height="3648""
["Height"]=>
int(3648)
["Width"]=>
int(5472)
["IsColor"]=>
int(1)
["ByteOrderMotorola"]=>
int(0)
["ApertureFNumber"]=>
string(5) "f/7.1"
["Copyright"]=>
string(13) "Public Domain"
["Thumbnail.FileType"]=>
int(2)
["Thumbnail.MimeType"]=>
string(10) "image/jpeg"
}
["ImageDescription"]=>
string(295) "A U.S. Marine Corps MV-22 Osprey lands on the USS Whidbey Island (LSD-41), May 5, 2016. The vehicles were loaded to support a theater security cooperation event as a part of a MEU readiness exercise. (U.S. Marine Corps photo by Lance Cpl. Koby I. Saunders/22 Marine Expeditionary Unit/ Released)"
["Make"]=>
string(5) "Canon"
["Model"]=>
string(22) "Canon EOS-1D X Mark II"
["Orientation"]=>
int(1)
["XResolution"]=>
string(5) "240/1"
["YResolution"]=>
string(5) "240/1"
["ResolutionUnit"]=>
int(2)
["Artist"]=>
string(24) "Lance Cpl. Koby Saunders"
["Copyright"]=>
string(13) "Public Domain"
["Exif_IFD_Pointer"]=>
int(12572)
["THUMBNAIL"]=>
array(6) {
["Compression"]=>
int(6)
["XResolution"]=>
string(5) "240/1"
["YResolution"]=>
string(5) "240/1"
["ResolutionUnit"]=>
int(2)
["JPEGInterchangeFormat"]=>
int(860)
["JPEGInterchangeFormatLength"]=>
int(11204)
}
["ExposureTime"]=>
string(5) "1/200"
["FNumber"]=>
string(5) "71/10"
["ExposureProgram"]=>
int(1)
["ISOSpeedRatings"]=>
int(100)
["UndefinedTag:0x8830"]=>
int(2)
["UndefinedTag:0x8832"]=>
int(100)
["ExifVersion"]=>
string(4) "0230"
["ShutterSpeedValue"]=>
string(15) "7643856/1000000"
["ApertureValue"]=>
string(15) "5655638/1000000"
["ExposureBiasValue"]=>
string(3) "0/1"
["MaxApertureValue"]=>
string(3) "4/1"
["MeteringMode"]=>
int(5)
["Flash"]=>
int(16)
["FocalLength"]=>
string(4) "24/1"
["ColorSpace"]=>
int(65535)
["FocalPlaneXResolution"]=>
string(12) "5472000/1438"
["FocalPlaneYResolution"]=>
string(11) "3648000/958"
["FocalPlaneResolutionUnit"]=>
int(2)
["CustomRendered"]=>
int(0)
["ExposureMode"]=>
int(1)
["WhiteBalance"]=>
int(0)
["SceneCaptureType"]=>
int(0)
["UndefinedTag:0xA431"]=>
string(12) "002099000358"
["UndefinedTag:0xA432"]=>
array(4) {
[0]=>
string(4) "24/1"
[1]=>
string(5) "105/1"
[2]=>
string(3) "0/0"
[3]=>
string(3) "0/0"
}
["UndefinedTag:0xA434"]=>
string(22) "EF24-105mm f/4L IS USM"
["UndefinedTag:0xA435"]=>
string(10) "000044bc4c"
}
1 change: 1 addition & 0 deletions hphp/test/zend/good/ext/exif/tests/bug50845.php.skipif
Original file line number Diff line number Diff line change
@@ -0,0 +1 @@
<?php if (!extension_loaded('exif')) print 'skip exif extension not available';?>

0 comments on commit 80b29e9

Please sign in to comment.