Commit d258b143 authored by Ondrej Sury's avatar Ondrej Sury

Imported Upstream version 5.6.24+dfsg

parent ff5df72b
PHP NEWS
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
21 Jul 2016, PHP 5.6.24
- Core:
. Fixed bug #71936 (Segmentation fault destroying HTTP_RAW_POST_DATA).
(mike dot laspina at gmail dot com, Remi)
. Fixed bug #72496 (Cannot declare public method with signature incompatible
with parent private method). (Pedro Magalhães)
. Fixed bug #72138 (Integer Overflow in Length of String-typed ZVAL). (Stas)
. Fixed bug #72513 (Stack-based buffer overflow vulnerability in
virtual_file_ex). (loianhtuan at gmail dot com)
. Fixed bug #72562 (Use After Free in unserialize() with Unexpected Session
Deserialization). (taoguangchen at icloud dot com)
. Fixed bug #72573 (HTTP_PROXY is improperly trusted by some PHP libraries and
applications). (CVE-2016-5385) (Stas)
- bz2:
. Fixed bug #72447 (Type Confusion in php_bz2_filter_create()). (gogil at
stealien dot com).
. Fixed bug #72613 (Inadequate error handling in bzread()). (Stas)
- EXIF:
. Fixed bug #50845 (exif_read_data() returns corrupted exif headers).
(Bartosz Dziewoński)
- EXIF:
. Fixed bug #72603 (Out of bound read in exif_process_IFD_in_MAKERNOTE).
(Stas)
. Fixed bug #72618 (NULL Pointer Dereference in exif_process_user_comment).
(Stas)
- GD:
. Fixed bug #43475 (Thick styled lines have scrambled patterns). (cmb)
. Fixed bug #53640 (XBM images require width to be multiple of 8). (cmb)
. Fixed bug #64641 (imagefilledpolygon doesn't draw horizontal line). (cmb)
. Fixed bug #72512 (gdImageTrueColorToPaletteBody allows arbitrary write/read
access). (Pierre)
. Fixed bug #72519 (imagegif/output out-of-bounds access). (Pierre)
. Fixed bug #72558 (Integer overflow error within _gdContributionsAlloc()).
(CVE-2016-6207) (Pierre)
- Intl:
. Fixed bug #72533 (locale_accept_from_http out-of-bounds access). (Stas)
- ODBC:
. Fixed bug #69975 (PHP segfaults when accessing nvarchar(max) defined columns)
- OpenSSL:
. Fixed bug #71915 (openssl_random_pseudo_bytes is not fork-safe).
(Jakub Zelenka)
. Fixed bug #72336 (openssl_pkey_new does not fail for invalid DSA params).
(Jakub Zelenka)
- SNMP:
. Fixed bug #72479 (Use After Free Vulnerability in SNMP with GC and
unserialize()). (taoguangchen at icloud dot com)
- SPL:
. Fixed bug #55701 (GlobIterator throws LogicException). (Valentin VĂLCIU)
- SQLite3:
. Fixed bug #70628 (Clearing bindings on an SQLite3 statement doesn't work).
(cmb)
- Streams:
. Fixed bug #72439 (Stream socket with remote address leads to a segmentation
fault). (Laruence)
- Xmlrpc:
. Fixed bug #72606 (heap-buffer-overflow (write) simplestring_addn simplestring.c).
(Stas)
- Zip:
. Fixed bug #72520 (Stack-based buffer overflow vulnerability in
php_stream_zip_opener). (loianhtuan at gmail dot com)
23 Jun 2016, PHP 5.6.23
- Core:
. Fixed bug #72268 (Integer Overflow in nl2br()). (Stas)
. Fixed bug #72275 (Integer Overflow in json_encode()/json_decode()/
json_utf8_to_utf16()). (Stas)
. Fixed bug #72400 (Integer Overflow in addcslashes/addslashes). (Stas)
. Fixed bug #72403 (Integer Overflow in Length of String-typed ZVAL). (Stas)
- Date:
. Fixed bug #63740 (strtotime seems to use both sunday and monday as start of
week). (Derick)
- GD:
. Fixed bug #66387 (Stack overflow with imagefilltoborder). (CVE-2015-8874)
(cmb)
. Fixed bug #72298 (pass2_no_dither out-of-bounds access). (Stas)
. Fixed bug #72337 (invalid dimensions can lead to crash) (Pierre)
. Fixed bug #72337 (invalid dimensions can lead to crash). (Pierre)
. Fixed bug #72339 (Integer Overflow in _gd2GetHeader() resulting in
heap overflow). (Pierre)
heap overflow). (CVE-2016-5766) (Pierre)
. Fixed bug #72407 (NULL Pointer Dereference at _gdScaleVert). (Stas)
. Fixed bug #72446 (Integer Overflow in gdImagePaletteToTrueColor() resulting
in heap overflow). (Pierre)
in heap overflow). (CVE-2016-5767) (Pierre)
- Intl:
. Fixed bug #70484 (selectordinal doesn't work with named parameters).
(Anatol)
- mbstring:
. Fixed bug #72402 (_php_mb_regex_ereg_replace_exec - double free). (Stas)
. Fixed bug #72402 (_php_mb_regex_ereg_replace_exec - double free).
(CVE-2016-5768) (Stas)
- mcrypt:
. Fixed bug #72455 (Heap Overflow due to integer overflows). (Stas)
. Fixed bug #72455 (Heap Overflow due to integer overflows). (CVE-2016-5769)
(Stas)
- OpenSSL:
. Fixed bug #72140 (segfault after calling ERR_free_strings()).
(Jakub Zelenka)
- Phar:
. Fixed bug #72321 (invalid free in phar_extract_file()).
(hji at dyntopia dot com)
- SPL:
. Fixed bug #72262 (int/size_t confusion in SplFileObject::fread). (Stas)
. Fixed bug #72262 (int/size_t confusion in SplFileObject::fread).
(CVE-2016-5770) (Stas)
. Fixed bug #72433 (Use After Free Vulnerability in PHP's GC algorithm and
unserialize). (Dmitry)
- OpenSSL:
. Fixed bug #72140 (segfault after calling ERR_free_strings()).
(Jakub Zelenka)
unserialize). (CVE-2016-5771) (Dmitry)
- WDDX:
. Fixed bug #72340 (Double Free Courruption in wddx_deserialize). (Stas)
. Fixed bug #72340 (Double Free Courruption in wddx_deserialize).
(CVE-2016-5772) (Stas)
- zip:
. Fixed bug #72434 (ZipArchive class Use After Free Vulnerability in PHP's GC
algorithm and unserialize). (Dmitry)
algorithm and unserialize). (CVE-2016-5773) (Dmitry)
26 May 2016, PHP 5.6.22
......@@ -53,15 +138,17 @@ PHP NEWS
. Fixed bug #72172 (zend_hex_strtod should not use strlen).
(bwitz at hotmail dot com )
. Fixed bug #72114 (Integer underflow / arbitrary null write in
fread/gzread). (Stas)
. Fixed bug #72135 (Integer Overflow in php_html_entities). (Stas)
fread/gzread). (CVE-2016-5096) (Stas)
. Fixed bug #72135 (Integer Overflow in php_html_entities). (CVE-2016-5094)
(Stas)
- GD:
. Fixed bug #72227 (imagescale out-of-bounds read). (Stas)
. Fixed bug #72227 (imagescale out-of-bounds read). (CVE-2013-7456) (Stas)
- Intl
. Fixed bug #64524 (Add intl.use_exceptions to php.ini-*). (Anatol)
. Fixed bug #72241 (get_icu_value_internal out-of-bounds read). (Stas)
. Fixed bug #72241 (get_icu_value_internal out-of-bounds read).
(CVE-2016-5093) (Stas)
- Postgres:
. Fixed bug #72151 (mysqli_fetch_object changed behaviour). (Anatol)
......@@ -82,8 +169,6 @@ PHP NEWS
(Michael Sierks)
- Date:
. Fixed bug #63740 (strtotime seems to use both sunday and monday as start of
week). (Derick)
. Fixed bug #71889 (DateInterval::format Segmentation fault). (Thomas Punt)
- EXIF:
......
--TEST--
Bug #72496 (declare public method with signature incompatible with parent private method should not throw a warning)
--FILE--
<?php
class Foo
{
private function getFoo()
{
return 'Foo';
}
private function getBar()
{
return 'Bar';
}
private function getBaz()
{
return 'Baz';
}
}
class Bar extends Foo
{
public function getFoo($extraArgument)
{
return $extraArgument;
}
protected function getBar($extraArgument)
{
return $extraArgument;
}
private function getBaz($extraArgument)
{
return $extraArgument;
}
}
echo "OK\n";
--EXPECT--
OK
......@@ -3252,8 +3252,8 @@ static zend_bool zend_do_perform_implementation_check(const zend_function *fe, c
return 1;
}
/* If both methods are private do not enforce a signature */
if ((fe->common.fn_flags & ZEND_ACC_PRIVATE) && (proto->common.fn_flags & ZEND_ACC_PRIVATE)) {
/* If the prototype method is private do not enforce a signature */
if (proto->common.fn_flags & ZEND_ACC_PRIVATE) {
return 1;
}
......
......@@ -1190,7 +1190,7 @@ CWD_API int virtual_file_ex(cwd_state *state, const char *path, verify_path_func
int add_slash;
void *tmp;
if (path_length == 0 || path_length >= MAXPATHLEN-1) {
if (path_length <= 0 || path_length >= MAXPATHLEN-1) {
#ifdef TSRM_WIN32
# if _MSC_VER < 1300
errno = EINVAL;
......
......@@ -3672,7 +3672,7 @@ ac_config_headers="$ac_config_headers main/php_config.h"
PHP_MAJOR_VERSION=5
PHP_MINOR_VERSION=6
PHP_RELEASE_VERSION=23
PHP_RELEASE_VERSION=24
PHP_EXTRA_VERSION=""
PHP_VERSION="$PHP_MAJOR_VERSION.$PHP_MINOR_VERSION.$PHP_RELEASE_VERSION$PHP_EXTRA_VERSION"
PHP_VERSION_ID=`expr $PHP_MAJOR_VERSION \* 10000 + $PHP_MINOR_VERSION \* 100 + $PHP_RELEASE_VERSION`
......@@ -119,7 +119,7 @@ int zend_sprintf(char *buffer, const char *format, ...);
PHP_MAJOR_VERSION=5
PHP_MINOR_VERSION=6
PHP_RELEASE_VERSION=23
PHP_RELEASE_VERSION=24
PHP_EXTRA_VERSION=""
PHP_VERSION="$PHP_MAJOR_VERSION.$PHP_MINOR_VERSION.$PHP_RELEASE_VERSION$PHP_EXTRA_VERSION"
PHP_VERSION_ID=`expr [$]PHP_MAJOR_VERSION \* 10000 + [$]PHP_MINOR_VERSION \* 100 + [$]PHP_RELEASE_VERSION`
......
......@@ -138,15 +138,19 @@ struct php_bz2_stream_data_t {
static size_t php_bz2iop_read(php_stream *stream, char *buf, size_t count TSRMLS_DC)
{
struct php_bz2_stream_data_t *self = (struct php_bz2_stream_data_t *) stream->abstract;
size_t ret;
int bz2_ret;
ret = BZ2_bzread(self->bz_file, buf, count);
bz2_ret = BZ2_bzread(self->bz_file, buf, count);
if (ret == 0) {
if (bz2_ret < 0) {
stream->eof = 1;
return -1;
}
if (bz2_ret == 0) {
stream->eof = 1;
}
return ret;
return (size_t)bz2_ret;
}
static size_t php_bz2iop_write(php_stream *stream, const char *buf, size_t count TSRMLS_DC)
......
......@@ -396,7 +396,7 @@ static php_stream_filter *php_bz2_filter_create(const char *filtername, zval *fi
zval_copy_ctor(&tmp);
convert_to_long(&tmp);
if (Z_LVAL(tmp) < 1 || Z_LVAL(tmp) > 9) {
php_error_docref(NULL TSRMLS_CC, E_WARNING, "Invalid parameter given for number of blocks to allocate. (%ld)", Z_LVAL_PP(tmpzval));
php_error_docref(NULL TSRMLS_CC, E_WARNING, "Invalid parameter given for number of blocks to allocate. (%ld)", Z_LVAL(tmp));
} else {
blockSize100k = Z_LVAL(tmp);
}
......
--TEST--
Bug #72447: Type Confusion in php_bz2_filter_create()
--SKIPIF--
<?php if (!extension_loaded("bz2")) print "skip"; ?>
--FILE--
<?php
$input = "AAAAAAAA";
$param = array('blocks' => $input);
$fp = fopen('testfile', 'w');
stream_filter_append($fp, 'bzip2.compress', STREAM_FILTER_WRITE, $param);
fclose($fp);
?>
--EXPECTF--
Warning: stream_filter_append(): Invalid parameter given for number of blocks to allocate. (0) in %s%ebug72447.php on line %d
--TEST--
Bug #72613 (Inadequate error handling in bzread())
--SKIPIF--
<?php if (!extension_loaded("bz2")) print "skip"; ?>
--FILE--
<?php
$fp = bzopen(__DIR__.'/72613.bz2', 'r');
if ($fp === FALSE) {
exit("ERROR: bzopen()");
}
$data = "";
while (!feof($fp)) {
$res = bzread($fp);
if ($res === FALSE) {
exit("ERROR: bzread()");
}
$data .= $res;
}
bzclose($fp);
?>
DONE
--EXPECT--
DONE
\ No newline at end of file
This diff is collapsed.
This source diff could not be displayed because it is too large. You can view the blob instead.
......@@ -2059,6 +2059,7 @@ static void date_register_classes(TSRMLS_D)
date_object_handlers_immutable.clone_obj = date_object_clone_date;
date_object_handlers_immutable.compare_objects = date_object_compare_date;
date_object_handlers_immutable.get_properties = date_object_get_properties;
date_object_handlers_immutable.get_gc = date_object_get_gc;
zend_class_implements(date_ce_immutable TSRMLS_CC, 1, date_ce_interface);
INIT_CLASS_ENTRY(ce_timezone, "DateTimeZone", date_funcs_timezone);
......@@ -2225,7 +2226,7 @@ static HashTable *date_object_get_properties(zval *object TSRMLS_DC)
props = zend_std_get_properties(object TSRMLS_CC);
if (!dateobj->time || GC_G(gc_active)) {
if (!dateobj->time) {
return props;
}
......@@ -4941,7 +4942,7 @@ static HashTable *date_object_get_properties_period(zval *object TSRMLS_DC)
props = zend_std_get_properties(object TSRMLS_CC);
if (!period_obj->start || GC_G(gc_active)) {
if (!period_obj->start) {
return props;
}
......
......@@ -49,9 +49,9 @@ print "TZ=Asia/Baku - wrong day.\n";
date_default_timezone_set("Asia/Baku");
$tStamp = mktime (17, 17, 17, 1, 8299, 1970);
print "tStamp=". date("l Y-m-d H:i:s T I", $tStamp). "\n";
$strtotime_tstamp = strtotime("next Sunday", $tStamp);
$strtotime_tstamp = strtotime("second Monday", $tStamp);
print "result=".date("l Y-m-d H:i:s T I", $strtotime_tstamp)."\n";
print "wanted=Sunday 00:00:00\n\n";
print "wanted=Monday 00:00:00\n\n";
print "TZ=America/Noronha - wrong day.\n";
date_default_timezone_set("America/Noronha");
......@@ -227,8 +227,8 @@ wanted=Thursday 00:00:00
TZ=Asia/Baku - wrong day.
tStamp=Sunday 1992-09-20 17:17:17 AZST 1
result=Sunday 1992-09-27 00:00:00 AZT 0
wanted=Sunday 00:00:00
result=Monday 1992-09-28 00:00:00 AZT 0
wanted=Monday 00:00:00
TZ=America/Noronha - wrong day.
tStamp=Friday 1999-10-01 17:17:17 FNT 0
......
......@@ -2613,6 +2613,7 @@ static int exif_process_user_comment(image_info_type *ImageInfo, char **pszInfoP
*pszEncoding = NULL;
/* Copy the comment */
if (ByteCount>=8) {
const zend_encoding *from, *to;
if (!memcmp(szValuePtr, "UNICODE\0", 8)) {
*pszEncoding = estrdup((const char*)szValuePtr);
szValuePtr = szValuePtr+8;
......@@ -2633,14 +2634,16 @@ static int exif_process_user_comment(image_info_type *ImageInfo, char **pszInfoP
} else {
decode = ImageInfo->decode_unicode_le;
}
to = zend_multibyte_fetch_encoding(ImageInfo->encode_unicode TSRMLS_CC);
from = zend_multibyte_fetch_encoding(decode TSRMLS_CC);
/* XXX this will fail again if encoding_converter returns on error something different than SIZE_MAX */
if (zend_multibyte_encoding_converter(
if (!to || !from || zend_multibyte_encoding_converter(
(unsigned char**)pszInfoPtr,
&len,
(unsigned char*)szValuePtr,
ByteCount,
zend_multibyte_fetch_encoding(ImageInfo->encode_unicode TSRMLS_CC),
zend_multibyte_fetch_encoding(decode TSRMLS_CC)
to,
from
TSRMLS_CC) == (size_t)-1) {
len = exif_process_string_raw(pszInfoPtr, szValuePtr, ByteCount);
}
......@@ -2655,13 +2658,15 @@ static int exif_process_user_comment(image_info_type *ImageInfo, char **pszInfoP
szValuePtr = szValuePtr+8;
ByteCount -= 8;
/* XXX this will fail again if encoding_converter returns on error something different than SIZE_MAX */
if (zend_multibyte_encoding_converter(
to = zend_multibyte_fetch_encoding(ImageInfo->encode_jis TSRMLS_CC);
from = zend_multibyte_fetch_encoding(ImageInfo->motorola_intel ? ImageInfo->decode_jis_be : ImageInfo->decode_jis_le TSRMLS_CC);
if (!to || !from || zend_multibyte_encoding_converter(
(unsigned char**)pszInfoPtr,
&len,
(unsigned char*)szValuePtr,
ByteCount,
zend_multibyte_fetch_encoding(ImageInfo->encode_jis TSRMLS_CC),
zend_multibyte_fetch_encoding(ImageInfo->motorola_intel ? ImageInfo->decode_jis_be : ImageInfo->decode_jis_le TSRMLS_CC)
to,
from
TSRMLS_CC) == (size_t)-1) {
len = exif_process_string_raw(pszInfoPtr, szValuePtr, ByteCount);
}
......@@ -2732,6 +2737,12 @@ static int exif_process_IFD_in_MAKERNOTE(image_info_type *ImageInfo, char * valu
break;
}
if (maker_note->offset >= value_len) {
/* Do not go past the value end */
exif_error_docref("exif_read_data#error_ifd" EXIFERR_CC, ImageInfo, E_WARNING, "IFD data too short: 0x%04X offset 0x%04X", value_len, maker_note->offset);
return FALSE;
}
dir_start = value_ptr + maker_note->offset;
#ifdef EXIF_DEBUG
......@@ -2760,10 +2771,19 @@ static int exif_process_IFD_in_MAKERNOTE(image_info_type *ImageInfo, char * valu
offset_base = value_ptr;
break;
case MN_OFFSET_GUESS:
if (maker_note->offset + 10 + 4 >= value_len) {
/* Can not read dir_start+10 since it's beyond value end */
exif_error_docref("exif_read_data#error_ifd" EXIFERR_CC, ImageInfo, E_WARNING, "IFD data too short: 0x%04X", value_len);
return FALSE;
}
offset_diff = 2 + NumDirEntries*12 + 4 - php_ifd_get32u(dir_start+10, ImageInfo->motorola_intel);
#ifdef EXIF_DEBUG
exif_error_docref(NULL EXIFERR_CC, ImageInfo, E_NOTICE, "Using automatic offset correction: 0x%04X", ((int)dir_start-(int)offset_base+maker_note->offset+displacement) + offset_diff);
#endif
if (offset_diff < 0 || offset_diff >= value_len ) {
exif_error_docref("exif_read_data#error_ifd" EXIFERR_CC, ImageInfo, E_WARNING, "IFD data bad offset: 0x%04X length 0x%04X", offset_diff, value_len);
return FALSE;
}
offset_base = value_ptr + offset_diff;
break;
default:
......@@ -2772,7 +2792,7 @@ static int exif_process_IFD_in_MAKERNOTE(image_info_type *ImageInfo, char * valu
}
if ((2+NumDirEntries*12) > value_len) {
exif_error_docref("exif_read_data#error_ifd" EXIFERR_CC, ImageInfo, E_WARNING, "Illegal IFD size: 2 + x%04X*12 = x%04X > x%04X", NumDirEntries, 2+NumDirEntries*12, value_len);
exif_error_docref("exif_read_data#error_ifd" EXIFERR_CC, ImageInfo, E_WARNING, "Illegal IFD size: 2 + 0x%04X*12 = 0x%04X > 0x%04X", NumDirEntries, 2+NumDirEntries*12, value_len);
return FALSE;
}
......@@ -2878,11 +2898,11 @@ static int exif_process_IFD_TAG(image_info_type *ImageInfo, char *dir_entry, cha
}
fpos = php_stream_tell(ImageInfo->infile);
php_stream_seek(ImageInfo->infile, offset_val, SEEK_SET);
php_stream_seek(ImageInfo->infile, displacement+offset_val, SEEK_SET);
fgot = php_stream_tell(ImageInfo->infile);
if (fgot!=offset_val) {
if (fgot!=displacement+offset_val) {
EFREE_IF(outside);
exif_error_docref(NULL EXIFERR_CC, ImageInfo, E_WARNING, "Wrong file pointer: 0x%08X != 0x%08X", fgot, offset_val);
exif_error_docref(NULL EXIFERR_CC, ImageInfo, E_WARNING, "Wrong file pointer: 0x%08X != 0x%08X", fgot, displacement+offset_val);
return FALSE;
}
fgot = php_stream_read(ImageInfo->infile, value_ptr, byte_count);
......@@ -3058,7 +3078,10 @@ static int exif_process_IFD_TAG(image_info_type *ImageInfo, char *dir_entry, cha
break;
case TAG_MAKER_NOTE:
exif_process_IFD_in_MAKERNOTE(ImageInfo, value_ptr, byte_count, offset_base, IFDlength, displacement TSRMLS_CC);
if (!exif_process_IFD_in_MAKERNOTE(ImageInfo, value_ptr, byte_count, offset_base, IFDlength, displacement TSRMLS_CC)) {
EFREE_IF(outside);
return FALSE;
}
break;
case TAG_EXIF_IFD_POINTER:
......
--TEST--
Bug #50845 (exif_read_data() returns corrupted exif headers)
--SKIPIF--
<?php if (!extension_loaded('exif')) print 'skip exif extension not available';?>
--FILE--
<?php
$infile = dirname(__FILE__).'/bug50845.jpg';
var_dump(exif_read_data($infile));
--EXPECTF--
array(44) {
["FileName"]=>
string(12) "bug50845.jpg"
["FileDateTime"]=>
int(%d)
["FileSize"]=>
int(803603)
["FileType"]=>
int(2)
["MimeType"]=>
string(10) "image/jpeg"
["SectionsFound"]=>
string(30) "ANY_TAG, IFD0, THUMBNAIL, EXIF"
["COMPUTED"]=>
array(9) {
["html"]=>
string(26) "width="5472" height="3648""
["Height"]=>
int(3648)
["Width"]=>
int(5472)
["IsColor"]=>
int(1)
["ByteOrderMotorola"]=>
int(0)
["ApertureFNumber"]=>
string(5) "f/7.1"
["Copyright"]=>
string(13) "Public Domain"
["Thumbnail.FileType"]=>
int(2)
["Thumbnail.MimeType"]=>
string(10) "image/jpeg"
}
["ImageDescription"]=>
string(295) "A U.S. Marine Corps MV-22 Osprey lands on the USS Whidbey Island (LSD-41), May 5, 2016. The vehicles were loaded to support a theater security cooperation event as a part of a MEU readiness exercise. (U.S. Marine Corps photo by Lance Cpl. Koby I. Saunders/22 Marine Expeditionary Unit/ Released)"
["Make"]=>
string(5) "Canon"
["Model"]=>
string(22) "Canon EOS-1D X Mark II"
["Orientation"]=>
int(1)
["XResolution"]=>
string(5) "240/1"
["YResolution"]=>
string(5) "240/1"
["ResolutionUnit"]=>
int(2)
["Artist"]=>
string(24) "Lance Cpl. Koby Saunders"
["Copyright"]=>
string(13) "Public Domain"
["Exif_IFD_Pointer"]=>
int(12572)
["THUMBNAIL"]=>
array(6) {
["Compression"]=>
int(6)
["XResolution"]=>
string(5) "240/1"
["YResolution"]=>
string(5) "240/1"
["ResolutionUnit"]=>
int(2)
["JPEGInterchangeFormat"]=>
int(860)
["JPEGInterchangeFormatLength"]=>
int(11204)
}
["ExposureTime"]=>
string(5) "1/200"
["FNumber"]=>
string(5) "71/10"
["ExposureProgram"]=>
int(1)
["ISOSpeedRatings"]=>
int(100)
["UndefinedTag:0x8830"]=>
int(2)
["UndefinedTag:0x8832"]=>
int(100)
["ExifVersion"]=>
string(4) "0230"
["ShutterSpeedValue"]=>
string(15) "7643856/1000000"
["ApertureValue"]=>
string(15) "5655638/1000000"
["ExposureBiasValue"]=>
string(3) "0/1"
["MaxApertureValue"]=>
string(3) "4/1"
["MeteringMode"]=>
int(5)
["Flash"]=>
int(16)
["FocalLength"]=>
string(4) "24/1"
["ColorSpace"]=>
int(65535)
["FocalPlaneXResolution"]=>
string(12) "5472000/1438"
["FocalPlaneYResolution"]=>
string(11) "3648000/958"
["FocalPlaneResolutionUnit"]=>
int(2)
["CustomRendered"]=>
int(0)
["ExposureMode"]=>
int(1)
["WhiteBalance"]=>
int(0)
["SceneCaptureType"]=>
int(0)
["UndefinedTag:0xA431"]=>
string(12) "002099000358"
["UndefinedTag:0xA432"]=>
array(4) {
[0]=>
string(4) "24/1"
[1]=>
string(5) "105/1"
[2]=>
string(3) "0/0"
[3]=>
string(3) "0/0"
}
["UndefinedTag:0xA434"]=>
string(22) "EF24-105mm f/4L IS USM"
["UndefinedTag:0xA435"]=>
string(10) "000044bc4c"
}
......@@ -13,8 +13,4 @@ exif_read_data(__DIR__ . '/bug54002_2.jpeg');
--EXPECTF--
Warning: exif_read_data(bug54002_1.jpeg): Process tag(x0205=UndefinedTa): Illegal byte_count in %sbug54002.php on line %d
Warning: exif_read_data(bug54002_1.jpeg): Process tag(xA000=FlashPixVer): Illegal pointer offset(%s) in %sbug54002.php on line %d
Warning: exif_read_data(bug54002_2.jpeg): Process tag(x0205=UndefinedTa): Illegal byte_count in %sbug54002.php on line %d
\ No newline at end of file
Warning: exif_read_data(bug54002_2.jpeg): Process tag(xA000=FlashPixVer): Illegal pointer offset(%s) in %sbug54002.php on line %d
......@@ -10,7 +10,9 @@ echo "Test\n";
var_dump(count(exif_read_data(__DIR__."/bug62523_2.jpg")));
?>
Done
--EXPECT--
--EXPECTF--
Test
int(76)
Warning: exif_read_data(bug62523_2.jpg): IFD data bad offset: 0xADB23672 length 0x0D94 in %s%ebug62523_2.php on line %d
int(30)
Done
--TEST--
Bug #72603 (Out of bound read in exif_process_IFD_in_MAKERNOTE)
--SKIPIF--
<?php if (!extension_loaded('exif')) print 'skip exif extension not available';?>
--FILE--
<?php
var_dump(count(exif_read_data(dirname(__FILE__) . "/bug72603.jpeg")));
?>
--EXPECTF--
Warning: exif_read_data(bug72603.jpeg): %s in %s%ebug72603.php on line %d
int(%d)
--TEST--
Bug 72618 (NULL Pointer Dereference in exif_process_user_comment)
--SKIPIF--
<?php if (!extension_loaded('exif')) print 'skip exif extension not available';?>
--FILE--
<?php
var_dump(count(exif_read_data(dirname(__FILE__) . "/bug72618.jpg")));
?>
--EXPECTF--
Warning: exif_read_data(bug72618.jpg): %s in %s%ebug72618.php on line %d
int(%d)
......@@ -190,7 +190,7 @@ gdImagePtr gdImageCreateTrueColor (int sx, int sy)
return NULL;
}
if (overflow2(sizeof(int), sx)) {
if (overflow2(sizeof(int *), sx)) {
return NULL;
}
......@@ -599,15 +599,18 @@ void gdImageColorDeallocate (gdImagePtr im, int color)
void gdImageColorTransparent (gdImagePtr im, int color)
{
if (color < 0) {
return;
}
if (!im->trueColor) {
if((color >= im->colorsTotal)) {
return;
}
/* Make the old transparent color opaque again */
if (im->transparent != -1) {
im->alpha[im->transparent] = gdAlphaOpaque;
}
if (color > -1 && color < im->colorsTotal && color < gdMaxColors) {
im->alpha[color] = gdAlphaTransparent;
} else {
return;
}
}