MFB (bugfix for 24851)

ext/exif/exif.c

@@ -93,12 +93,13 @@ typedef unsigned char uchar;
 
 #define EFREE_IF(ptr)	if (ptr) efree(ptr)
 
+#define MAX_IFD_NESTING_LEVEL 5
+
 static
 ZEND_BEGIN_ARG_INFO(exif_thumbnail_force_ref, 1)
 	ZEND_ARG_PASS_INFO(0)
 ZEND_END_ARG_INFO();
 
-
 /* {{{ exif_functions[]
  */
 function_entry exif_functions[] = {
@@ -1442,6 +1443,7 @@ typedef struct {
 	/* for parsing */
 	int             read_thumbnail;
 	int             read_all;
+	int             ifd_nesting_level;
 	/* internal */
 	file_section_list 	file;
 } image_info_type;
@@ -2711,6 +2713,13 @@ static int exif_process_IFD_TAG(image_info_type *ImageInfo, char *dir_entry, cha
 	size_t byte_count, offset_val, fpos, fgot;
 	xp_field_type *tmp_xp;
 
+	/* Protect against corrupt headers */
+	if (ImageInfo->ifd_nesting_level > MAX_IFD_NESTING_LEVEL) {
+		exif_error_docref("exif_read_data#error_ifd" TSRMLS_CC, ImageInfo, E_WARNING, "corrupt EXIF header: maximum directory nesting level reached");
+		return FALSE;
+	}
+	ImageInfo->ifd_nesting_level++;
+
 	tag = php_ifd_get16u(dir_entry, ImageInfo->motorola_intel);
 	format = php_ifd_get16u(dir_entry+2, ImageInfo->motorola_intel);
 	components = php_ifd_get32u(dir_entry+4, ImageInfo->motorola_intel);
@@ -3739,6 +3748,8 @@ static int exif_read_file(image_info_type *ImageInfo, char *FileName, int read_t
 		}
 	}
 
+	ImageInfo->ifd_nesting_level = 0;
+
 	/* Scan the JPEG headers. */
 	ret = exif_scan_FILE_header(ImageInfo TSRMLS_CC);