mirror of
https://github.com/php/php-src.git
synced 2024-09-22 02:17:32 +00:00
Check validity of seeks.
WS/CS
This commit is contained in:
parent
b6a3f48d86
commit
4911e83bec
@ -363,7 +363,7 @@ static unsigned short php_read2(php_stream * stream TSRMLS_DC)
|
||||
/* just return 0 if we hit the end-of-file */
|
||||
if((php_stream_read(stream, a, sizeof(a))) <= 0) return 0;
|
||||
|
||||
return (((unsigned short) a[ 0 ]) << 8) + ((unsigned short) a[ 1 ]);
|
||||
return (((unsigned short)a[0]) << 8) + ((unsigned short)a[1]);
|
||||
}
|
||||
/* }}} */
|
||||
|
||||
@ -374,7 +374,7 @@ static unsigned int php_next_marker(php_stream * stream, int last_marker, int co
|
||||
int a=0, marker;
|
||||
|
||||
/* get marker byte, swallowing possible padding */
|
||||
if ( last_marker==M_COM && comment_correction) {
|
||||
if (last_marker==M_COM && comment_correction) {
|
||||
/* some software does not count the length bytes of COM section */
|
||||
/* one company doing so is very much envolved in JPEG... so we accept too */
|
||||
/* by the way: some of those companies changed their code now... */
|
||||
@ -383,7 +383,7 @@ static unsigned int php_next_marker(php_stream * stream, int last_marker, int co
|
||||
last_marker = 0;
|
||||
comment_correction = 0;
|
||||
}
|
||||
if ( ff_read) {
|
||||
if (ff_read) {
|
||||
a = 1; /* already read 0xff in filetype detection */
|
||||
}
|
||||
do {
|
||||
@ -391,9 +391,9 @@ static unsigned int php_next_marker(php_stream * stream, int last_marker, int co
|
||||
{
|
||||
return M_EOI;/* we hit EOF */
|
||||
}
|
||||
if ( last_marker==M_COM && comment_correction>0)
|
||||
if (last_marker==M_COM && comment_correction>0)
|
||||
{
|
||||
if ( marker != 0xFF)
|
||||
if (marker != 0xFF)
|
||||
{
|
||||
marker = 0xff;
|
||||
comment_correction--;
|
||||
@ -401,14 +401,14 @@ static unsigned int php_next_marker(php_stream * stream, int last_marker, int co
|
||||
last_marker = M_PSEUDO; /* stop skipping non 0xff for M_COM */
|
||||
}
|
||||
}
|
||||
if ( ++a > 10)
|
||||
if (++a > 10)
|
||||
{
|
||||
/* who knows the maxim amount of 0xff? though 7 */
|
||||
/* but found other implementations */
|
||||
return M_EOI;
|
||||
}
|
||||
} while ( marker == 0xff);
|
||||
if ( a < 2)
|
||||
} while (marker == 0xff);
|
||||
if (a < 2)
|
||||
{
|
||||
return M_EOI; /* at least one 0xff is needed before marker code */
|
||||
}
|
||||
@ -422,35 +422,39 @@ static unsigned int php_next_marker(php_stream * stream, int last_marker, int co
|
||||
|
||||
/* {{{ php_skip_variable
|
||||
* skip over a variable-length block; assumes proper length marker */
|
||||
static void php_skip_variable(php_stream * stream TSRMLS_DC)
|
||||
static int php_skip_variable(php_stream * stream TSRMLS_DC)
|
||||
{
|
||||
off_t length = ((unsigned int)php_read2(stream TSRMLS_CC));
|
||||
|
||||
length = length-2;
|
||||
if (length)
|
||||
{
|
||||
php_stream_seek(stream, (long)length, SEEK_CUR);
|
||||
if (length < 2) {
|
||||
return 0;
|
||||
}
|
||||
length = length - 2;
|
||||
php_stream_seek(stream, (long)length, SEEK_CUR);
|
||||
return 1;
|
||||
}
|
||||
/* }}} */
|
||||
|
||||
/* {{{ php_read_APP
|
||||
*/
|
||||
static void php_read_APP(php_stream * stream, unsigned int marker, zval *info TSRMLS_DC)
|
||||
static int php_read_APP(php_stream * stream, unsigned int marker, zval *info TSRMLS_DC)
|
||||
{
|
||||
unsigned short length;
|
||||
unsigned char *buffer;
|
||||
unsigned char markername[ 16 ];
|
||||
unsigned char markername[16];
|
||||
zval *tmp;
|
||||
|
||||
length = php_read2(stream TSRMLS_CC);
|
||||
if (length < 2) {
|
||||
return 0;
|
||||
}
|
||||
length -= 2; /* length includes itself */
|
||||
|
||||
buffer = emalloc(length);
|
||||
|
||||
if (php_stream_read(stream, buffer, (long) length) <= 0) {
|
||||
efree(buffer);
|
||||
return;
|
||||
return 0;
|
||||
}
|
||||
|
||||
sprintf(markername, "APP%d", marker - M_APP0);
|
||||
@ -461,6 +465,7 @@ static void php_read_APP(php_stream * stream, unsigned int marker, zval *info TS
|
||||
}
|
||||
|
||||
efree(buffer);
|
||||
return 1;
|
||||
}
|
||||
/* }}} */
|
||||
|
||||
@ -497,12 +502,16 @@ static struct gfxinfo *php_handle_jpeg (php_stream * stream, pval *info TSRMLS_D
|
||||
result->height = php_read2(stream TSRMLS_CC);
|
||||
result->width = php_read2(stream TSRMLS_CC);
|
||||
result->channels = php_stream_getc(stream);
|
||||
if (!info || length<8) /* if we don't want an extanded info -> return */
|
||||
if (!info || length < 8) { /* if we don't want an extanded info -> return */
|
||||
return result;
|
||||
if (php_stream_seek(stream, length-8, SEEK_CUR)) /* file error after info */
|
||||
}
|
||||
if (php_stream_seek(stream, length - 8, SEEK_CUR)) { /* file error after info */
|
||||
return result;
|
||||
}
|
||||
} else {
|
||||
php_skip_variable(stream TSRMLS_CC);
|
||||
if (!php_skip_variable(stream TSRMLS_CC)) {
|
||||
return result;
|
||||
}
|
||||
}
|
||||
break;
|
||||
|
||||
@ -523,18 +532,24 @@ static struct gfxinfo *php_handle_jpeg (php_stream * stream, pval *info TSRMLS_D
|
||||
case M_APP14:
|
||||
case M_APP15:
|
||||
if (info) {
|
||||
php_read_APP(stream, marker, info TSRMLS_CC); /* read all the app markes... */
|
||||
if (!php_read_APP(stream, marker, info TSRMLS_CC)) { /* read all the app markes... */
|
||||
return result;
|
||||
}
|
||||
} else {
|
||||
php_skip_variable(stream TSRMLS_CC);
|
||||
if (!php_skip_variable(stream TSRMLS_CC)) {
|
||||
return result;
|
||||
}
|
||||
}
|
||||
break;
|
||||
|
||||
case M_SOS:
|
||||
case M_EOI:
|
||||
return result; /* we're about to hit image data, or are at EOF. stop processing. */
|
||||
|
||||
|
||||
default:
|
||||
php_skip_variable(stream TSRMLS_CC); /* anything else isn't interesting */
|
||||
if (!php_skip_variable(stream TSRMLS_CC)) { /* anything else isn't interesting */
|
||||
return result;
|
||||
}
|
||||
break;
|
||||
}
|
||||
}
|
||||
|
Loading…
Reference in New Issue
Block a user