Merge branch 'bug68799' into PHP-5.4
* bug68799: Fix bug #68799: Free called on unitialized pointer
commit
fc6aa939f5
5
NEWS
5
NEWS
@ -2,7 +2,10 @@ PHP NEWS
|
||||
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
||||
?? ??? 20?? PHP 5.4.37
|
||||
- CGI:
|
||||
. Fix bug #68618 (out of bounds read crashes php-cgi). (Stas)
|
||||
. Fixed bug #68618 (out of bounds read crashes php-cgi). (Stas)
|
||||
|
||||
- EXIF:
|
||||
. Fix bug #68799: Free called on unitialized pointer. (CVE-2015-0232) (Stas)
|
||||
|
||||
- Fileinfo:
|
||||
. Removed readelf.c and related code from libmagic sources
|
||||
|
@ -2702,7 +2702,7 @@ static int exif_process_user_comment(image_info_type *ImageInfo, char **pszInfoP
|
||||
static int exif_process_unicode(image_info_type *ImageInfo, xp_field_type *xp_field, int tag, char *szValuePtr, int ByteCount TSRMLS_DC)
|
||||
{
|
||||
xp_field->tag = tag;
|
||||
|
||||
xp_field->value = NULL;
|
||||
/* XXX this will fail again if encoding_converter returns on error something different than SIZE_MAX */
|
||||
if (zend_multibyte_encoding_converter(
|
||||
(unsigned char**)&xp_field->value,
|
||||
|
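Review bot: The `xp_field->value = NULL;` line in exif_process_unicode carries no comment tying it to the failure path, so a later cleanup could drop it as redundant with the converter's output parameter. I would add `/* value must be NULL on entry: it is still freed when the conversion fails (bug #68799) */` directly above it; the free itself is outside this hunk, so confirm where it lives before wording the comment. The existing XXX comment also says the error check depends on the converter returning exactly SIZE_MAX on failure. The function body continues past the hunk, so whether any other failure return leaves `value` in a safe state cannot be confirmed from the lines shown.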
BIN
ext/exif/tests/bug68799.jpg
Normal file
BIN
ext/exif/tests/bug68799.jpg
Normal file
Binary file not shown.
After Width: | Height: | Size: 735 B |
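--- a/ext/exif/tests/bug68799.phpt
+++ b/ext/exif/tests/bug68799.phpt
@@ -0,0 +1,63 @@
+--TEST--
+Bug #68799 (Free called on unitialized pointer)
+--SKIPIF--
+<?php if (!extension_loaded('exif')) print 'skip exif extension not available';?>
+--FILE--
+<?php
+/*
+* Pollute the heap. Helps trigger bug. Sometimes not needed.
+*/
+class A {
+function __construct() {
+$a = 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAa';
+$this->a = $a . $a . $a . $a . $a . $a;
+}
+};
+
+function doStuff ($limit) {
+
+$a = new A;
+
+$b = array();
+for ($i = 0; $i < $limit; $i++) {
+$b[$i] = clone $a;
+}
+
+unset($a);
+
+gc_collect_cycles();
+}
+
+$iterations = 3;
+
+doStuff($iterations);
+doStuff($iterations);
+
+gc_collect_cycles();
+
+print_r(exif_read_data(__DIR__.'/bug68799.jpg'));
+
+?>
+--EXPECTF--
+Array
+(
+[FileName] => bug68799.jpg
+[FileDateTime] => %d
+[FileSize] => 735
+[FileType] => 2
+[MimeType] => image/jpeg
+[SectionsFound] => ANY_TAG, IFD0, WINXP
+[COMPUTED] => Array
+(
+[html] => width="1" height="1"
+[Height] => 1
+[Width] => 1
+[IsColor] => 1
+[ByteOrderMotorola] => 1
+)
+
+[XResolution] => 96/1
+[YResolution] => 96/1
+[ResolutionUnit] => 2
+[Author] =>
+)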
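Review bot: The header comment in the --FILE-- section says the heap setup "Helps trigger bug. Sometimes not needed", which means this test can pass on an unpatched build when the allocator happens to hand back clean memory. The comment should say so and state what the test actually pins, for example `* Regression check for bug #68799: the invalid free is only reliably detected when the suite runs under a memory checker; the output below pins the parsed result.` It would also help to note next to the expected `[Author] =>` line that the empty value is intentional. It presumably reflects the fixture's author tag failing conversion, which should be confirmed against the fixture.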