#48378, exif_read_data() segfaults on certain corrupted .jpeg files

2026-03-24 16:22:37 +01:00 · 2009-05-28 13:44:43 +00:00
parent df4d44d78c
commit c85b4de5fb
3 changed files with 23 additions and 0 deletions
--- a/ext/exif/exif.c
+++ b/ext/exif/exif.c
@@ -3188,6 +3188,10 @@ static void exif_process_TIFF_in_JPEG(image_info_type *ImageInfo, char *CharBuf,
 		exif_error_docref(NULL EXIFERR_CC, ImageInfo, E_WARNING, "Invalid TIFF start (1)");
 		return;
 	}
+	if (offset_of_ifd > length) {
+		exif_error_docref(NULL EXIFERR_CC, ImageInfo, E_WARNING, "Invalid IFD start");
+		return;
+	}

 	ImageInfo->sections_found |= FOUND_IFD0;
 	/* First directory starts at offset 8. Offsets starts at 0. */
--- a/ext/exif/tests/bug48378.jpeg
+++ b/ext/exif/tests/bug48378.jpeg
--- a/ext/exif/tests/bug48378.phpt
+++ b/ext/exif/tests/bug48378.phpt
@@ -0,0 +1,19 @@
+--TEST--
+Bug #48378 (Infinite recursion due to corrupt JPEG)
+--SKIPIF--
+<?php if (!extension_loaded('exif')) print 'skip exif extension not available';?>
+--FILE--
+<?php
+exif_read_data(
+dirname(__FILE__) . "/bug48378.jpeg", 
+"FILE,COMPUTED,ANY_TAG"
+);
+?>
+--EXPECTF--
+Warning: exif_read_data(%s): Invalid IFD start in %s48378.php on line %d
+
+Warning: exif_read_data(%s): Error reading from file: got=x08B4(=2228) != itemlen-2=x1FFE(=8190) in %s48378.php on line %d
+
+Warning: exif_read_data(%s): Invalid JPEG file in %s48378.php on line %d
+
+