php/archived-php-src
1
0
Fork 0
mirror of https://github.com/php/php-src.git synced 2026-03-24 08:12:21 +01:00
Code Issues Packages Projects Releases Wiki Activity

Fixed bug #78333

Browse Source 
Don't dereference float/double values at unknown address, instead
memcpy it into an aligned stack slot and dereference that.
This commit is contained in:
Nikita Popov
2019-07-29 11:23:26 +02:00
parent 8f384bea93
commit d142dfc93d
2 changed files with 24 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
NEWS
View File

@@ -6,6 +6,10 @@ PHP NEWS
. Fixed bug #77946 (Bad cURL resources returned by curl_multi_info_read()).
(Abyr Valg)
- Exif:
. Fixed bug #78333 (Exif crash (bus error) due to wrong alignment and
invalid cast). (Nikita)
- LiteSpeed:
. Updated to LiteSpeed SAPI V7.5 (Fixed clean shutdown). (George Wang)

26
ext/exif/exif.c
View File

@@ -1541,6 +1541,20 @@ static void php_ifd_set32u(char *data, size_t value, int motorola_intel)
}
/* }}} */
static float php_ifd_get_float(char *data) {
/* Copy to avoid alignment issues */
float f;
memcpy(&f, data, sizeof(float));
return f;
}
static double php_ifd_get_double(char *data) {
/* Copy to avoid alignment issues */
double f;
memcpy(&f, data, sizeof(double));
return f;
}
#ifdef EXIF_DEBUG
char * exif_dump_data(int *dump_free, int format, int components, int length, int motorola_intel, char *value_ptr) /* {{{ */
{
@@ -1653,12 +1667,12 @@ static double exif_convert_any_format(void *value, int format, int motorola_inte
#ifdef EXIF_DEBUG
php_error_docref(NULL, E_NOTICE, "Found value of type single");
#endif
return (double)*(float *)value;
return (double) php_ifd_get_float(value);
case TAG_FMT_DOUBLE:
#ifdef EXIF_DEBUG
php_error_docref(NULL, E_NOTICE, "Found value of type double");
#endif
return *(double *)value;
return php_ifd_get_double(value);
}
return 0;
}
@@ -1716,12 +1730,12 @@ static size_t exif_convert_any_to_int(void *value, int format, int motorola_inte
#ifdef EXIF_DEBUG
php_error_docref(NULL, E_NOTICE, "Found value of type single");
#endif
return (size_t)*(float *)value;
return (size_t) php_ifd_get_float(value);
case TAG_FMT_DOUBLE:
#ifdef EXIF_DEBUG
php_error_docref(NULL, E_NOTICE, "Found value of type double");
#endif
return (size_t)*(double *)value;
return (size_t) php_ifd_get_double(value);
}
return 0;
}
@@ -2188,13 +2202,13 @@ static void exif_iif_add_value(image_info_type *image_info, int section_index, c
#ifdef EXIF_DEBUG
php_error_docref(NULL, E_WARNING, "Found value of type single");
#endif
info_value->f = *(float *)value;
info_value->f = php_ifd_get_float(value);
break;
case TAG_FMT_DOUBLE:
#ifdef EXIF_DEBUG
php_error_docref(NULL, E_WARNING, "Found value of type double");
#endif
info_value->d = *(double *)value;
info_value->d = php_ifd_get_double(value);
break;
}
}