1 --- PHP_5_3/ext/exif/exif.c 2011/02/14 08:46:53 308315
2 +++ PHP_5_3/ext/exif/exif.c 2011/02/14 09:08:44 308316
5 #include "ext/standard/file.h"
8 +include "win32/php_stdint.h"
13 /* When EXIF_DEBUG is defined the module generates a lot of debug messages
15 int tag, format, components;
16 char *value_ptr, tagname[64], cbuf[32], *outside=NULL;
17 size_t byte_count, offset_val, fpos, fgot;
18 + int64_t byte_count_signed;
19 xp_field_type *tmp_xp;
22 @@ -2845,13 +2850,20 @@
26 - byte_count = components * php_tiff_bytes_per_format[format];
27 + if (components < 0) {
28 + exif_error_docref("exif_read_data#error_ifd" EXIFERR_CC, ImageInfo, E_WARNING, "Process tag(x%04X=%s): Illegal byte_count(%ld)", tag, exif_get_tagname(tag, tagname, -12, tag_table TSRMLS_CC), byte_count);
32 + byte_count_signed = (int64_t)components * php_tiff_bytes_per_format[format];
34 - if ((ssize_t)byte_count < 0) {
35 + if (byte_count_signed < 0 || (byte_count_signed > 2147483648)) {
36 exif_error_docref("exif_read_data#error_ifd" EXIFERR_CC, ImageInfo, E_WARNING, "Process tag(x%04X=%s): Illegal byte_count(%ld)", tag, exif_get_tagname(tag, tagname, -12, tag_table TSRMLS_CC), byte_count);
40 + byte_count = (size_t)byte_count_signed;
43 offset_val = php_ifd_get32u(dir_entry+8, ImageInfo->motorola_intel);
44 /* If its bigger than 4 bytes, the dir entry contains an offset. */
50 if (section_index==SECTION_THUMBNAIL) {
51 if (!ImageInfo->Thumbnail.data) {