mirror of https://github.com/php/php-src.git synced 2026-04-23 07:58:20 +02:00

exif/heic: Fix bound check in loop

The loop checks against `p` but increases `p2`. I don't see the point of
having 2 separate variables, so use `p` instead to correct the bounds
check and simplify the code in the process.
Niels Dossche
2025-09-07 01:52:35 +02:00
parent 4123b8e108
commit 4e70d41698
+5 -5
@@ -4308,7 +4308,7 @@ static int exif_isobmff_parse_box(unsigned char *buf, isobmff_box_type *box)
static void exif_isobmff_parse_meta(unsigned char *data, unsigned char *end, isobmff_item_pos_type *pos)
{
isobmff_box_type box, item;
unsigned char *box_offset, *p, *p2;
unsigned char *box_offset, *p;
int header_size, exif_id = -1, version, item_count, i;
size_t remain;
@@ -4367,10 +4367,10 @@ static void exif_isobmff_parse_meta(unsigned char *data, unsigned char *end, iso
ADVANCE(4);
item_count = php_ifd_get32u(p - 4, 1);
}
for (i = 0, p2 = p; i < item_count && p < end - 16; i++, p2 += 16) {
if (php_ifd_get16u(p2, 1) == exif_id) {
pos->offset = php_ifd_get32u(p2 + 8, 1);
pos->size = php_ifd_get32u(p2 + 12, 1);
for (i = 0; i < item_count && p < end - 16; i++, p += 16) {
if (php_ifd_get16u(p, 1) == exif_id) {
pos->offset = php_ifd_get32u(p + 8, 1);
pos->size = php_ifd_get32u(p + 12, 1);
break;
}
}
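Review bot: The loop guard `p < end - 16` still computes `end - 16` before comparing, which points before the start of the buffer whenever fewer than 16 bytes exist between `data` and `end`; forming that pointer is undefined behaviour in C even if it is never dereferenced. Comparing the remaining length avoids this: `for (i = 0; i < item_count && end - p >= 16; i++, p += 16) {`. That form also accepts an entry that ends exactly at `end`, which the strict `<` currently skips. Separately, `pos->offset` and `pos->size` are copied straight from file data here; presumably the caller validates them against the real file size before seeking or reading, but that code is outside this hunk and worth confirming. The body of `exif_isobmff_parse_meta` starts and ends outside the lines shown.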