cleanups

[packages/php.git] / php-5.3.29-CVE-2015-0232.patch

diff -Naur php-5.3.29-original/ext/exif/exif.c php-5.3.29/ext/exif/exif.c
--- php-5.3.29-original/ext/exif/exif.c 2015-01-25 09:16:22.648788988 +0000
+++ php-5.3.29/ext/exif/exif.c  2015-01-25 09:18:41.496792186 +0000
@@ -2722,7 +2722,7 @@
 static int exif_process_unicode(image_info_type *ImageInfo, xp_field_type *xp_field, int tag, char *szValuePtr, int ByteCount TSRMLS_DC)
 {
        xp_field->tag = tag;    
-
+       xp_field->value = NULL;
        /* Copy the comment */
 #if EXIF_USE_MBSTRING
 /*  What if MS supports big-endian with XP? */
diff -Naur php-5.3.29-original/ext/exif/tests/bug68799.jpg php-5.3.29/ext/exif/tests/bug68799.jpg
--- php-5.3.29-original/ext/exif/tests/bug68799.jpg     1970-01-01 00:00:00.000000000 +0000
+++ php-5.3.29/ext/exif/tests/bug68799.jpg      2015-01-25 09:17:00.859789868 +0000
@@ -0,0 +1,9 @@
+ÿØÿà\0\10JFIF\0\ 1@ABCDEFGÿá\0fExif\0\0MM\0*\0\0\0\b\0\ 4\ 1\1a\0\ 5\0\0\0\ 1\0\0\0>\ 1\e\0\ 5\0\0\0\ 1\0\0\0F\ 1(\0\ 3\0\0\0\ 1\0\ 2\0\0\9c\9d\0\ 2\0\0\0\0\0\0\0N\0\0\0\0\0\0\0`\0\0\0\ 1\0\0\0`\0\0\0\ 1paint.net 4.0.3\0ÿÛ\0C\0\ 2\ 1\ 1\ 2\ 1\ 1\ 2\ 2\ 2\ 2\ 2\ 2\ 2\ 2\ 3\ 5\ 3\ 3\ 3\ 3\ 3\ 6\ 4\ 4\ 3\ 5\a\ 6\a\a\a\ 6\a\a\b   \v       \b\b
+\b\a\a
+\r
+
+\v\f\f\f\f\a \ e\ f\r\f\ e\v\f\f\fÿÛ\0C\ 1\ 2\ 2\ 2\ 3\ 3\ 3\ 6\ 3\ 3\ 6\f\b\a\b\f\f\f\f\f\f\f\f\f\f\f\f\f\f\f\f\f\f\f\f\f\f\f\f\f\f\f\f\f\f\f\f\f\f\f\f\f\f\f\f\f\f\f\f\f\f\f\f\f\fÿÀ\0\11\b\0\ 1\0\ 1\ 3\ 1"\0\ 2\11\ 1\ 3\11\ 1ÿÄ\0\1f\0\0\ 1\ 5\ 1\ 1\ 1\ 1\ 1\ 1\0\0\0\0\0\0\0\0\ 1\ 2\ 3\ 4\ 5\ 6\a\b 
+\vÿÄ\0µ\10\0\ 2\ 1\ 3\ 3\ 2\ 4\ 3\ 5\ 5\ 4\ 4\0\0\ 1}\ 1\ 2\ 3\0\ 4\11\ 5\12!1A\ 6\13Qa\a"q\142\81\91¡\b#B±Á\15RÑð$3br\82    
+\16\17\18\19\1a%&'()*456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz\83\84\85\86\87\88\89\8a\92\93\94\95\96\97\98\99\9a¢£¤¥¦§¨©ª²³´µ¶·¸¹ºÂÃÄÅÆÇÈÉÊÒÓÔÕÖ×ØÙÚáâãäåæçèéêñòóôõö÷øùúÿÄ\0\1f\ 1\0\ 3\ 1\ 1\ 1\ 1\ 1\ 1\ 1\ 1\ 1\0\0\0\0\0\0\ 1\ 2\ 3\ 4\ 5\ 6\a\b      
+\vÿÄ\0µ\11\0\ 2\ 1\ 2\ 4\ 4\ 3\ 4\a\ 5\ 4\ 4\0\ 1\ 2w\0\ 1\ 2\ 3\11\ 4\ 5!1\ 6\12AQ\aaq\13"2\81\b\14B\91¡±Á      #3Rð\15brÑ
+\16$4á%ñ\17\18\19\1a&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz\82\83\84\85\86\87\88\89\8a\92\93\94\95\96\97\98\99\9a¢£¤¥¦§¨©ª²³´µ¶·¸¹ºÂÃÄÅÆÇÈÉÊÒÓÔÕÖ×ØÙÚâãäåæçèéêòóôõö÷øùúÿÚ\0\f\ 3\ 1\0\ 2\11\ 3\11\0?\0ýü¢\8a(\ 3ÿÙ
\ No newline at end of file
diff -Naur php-5.3.29-original/ext/exif/tests/bug68799.phpt php-5.3.29/ext/exif/tests/bug68799.phpt
--- php-5.3.29-original/ext/exif/tests/bug68799.phpt    1970-01-01 00:00:00.000000000 +0000
+++ php-5.3.29/ext/exif/tests/bug68799.phpt     2015-01-25 09:17:00.861789868 +0000
@@ -0,0 +1,63 @@
+--TEST--
+Bug #68799 (Free called on unitialized pointer)
+--SKIPIF--
+<?php if (!extension_loaded('exif')) print 'skip exif extension not available';?>
+--FILE--
+<?php
+/*
+* Pollute the heap. Helps trigger bug. Sometimes not needed.
+*/
+class A {
+    function __construct() {
+        $a = 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAa';
+        $this->a = $a . $a . $a . $a . $a . $a;
+    }
+};
+
+function doStuff ($limit) {
+
+    $a = new A;
+
+    $b = array();
+    for ($i = 0; $i < $limit; $i++) {
+        $b[$i] = clone $a;
+    }
+
+    unset($a);
+
+    gc_collect_cycles();
+}
+
+$iterations = 3;
+
+doStuff($iterations);
+doStuff($iterations);
+
+gc_collect_cycles();
+
+print_r(exif_read_data(__DIR__.'/bug68799.jpg'));
+
+?>
+--EXPECTF--
+Array
+(
+    [FileName] => bug68799.jpg
+    [FileDateTime] => %d
+    [FileSize] => 735
+    [FileType] => 2
+    [MimeType] => image/jpeg
+    [SectionsFound] => ANY_TAG, IFD0, WINXP
+    [COMPUTED] => Array
+        (
+            [html] => width="1" height="1"
+            [Height] => 1
+            [Width] => 1
+            [IsColor] => 1
+            [ByteOrderMotorola] => 1
+        )
+
+    [XResolution] => 96/1
+    [YResolution] => 96/1
+    [ResolutionUnit] => 2
+    [Author] => 
+)