File php-CVE-2016-6292.patch of Package php5.10549

X-Git-Url: http://72.52.91.13:8000/?p=php-src.git;a=blobdiff_plain;f=ext%2Fexif%2Fexif.c;h=74b652b3ebe78882b8006d49c17cac029fe8a5d0;hp=760e7460c3ef9ff6b4ce6e0a76eedcf22ce0b517;hb=41131cd41d2fd2e0c2f332a27988df75659c42e4;hpb=f3feddb5b45b5abd93abb1a95044b7e099d51c84

Index: php-5.6.1/ext/exif/exif.c
===================================================================
--- php-5.6.1.orig/ext/exif/exif.c	2016-08-02 16:36:50.256552550 +0200
+++ php-5.6.1/ext/exif/exif.c	2016-08-02 16:42:45.814458736 +0200
@@ -2613,6 +2613,7 @@ static int exif_process_user_comment(ima
 	*pszEncoding = NULL;
 	/* Copy the comment */
 	if (ByteCount>=8) {
+		const zend_encoding *from, *to;
 		if (!memcmp(szValuePtr, "UNICODE\0", 8)) {
 			*pszEncoding = estrdup((const char*)szValuePtr);
 			szValuePtr = szValuePtr+8;
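Review bot: `from` and `to` are declared without initializers at the top of the `ByteCount>=8` block, so the `!to || !from` guards added further down only protect branches that assign both pointers first. Initializing them, `const zend_encoding *from = NULL, *to = NULL;`, keeps the guard meaningful if a later branch ever reaches a converter call without fetching the encodings. The rest of exif_process_user_comment lies outside this hunk, so whether any other branch reads the pointers cannot be checked from here.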
@@ -2633,14 +2634,16 @@ static int exif_process_user_comment(ima
 			} else {
 				decode = ImageInfo->decode_unicode_le;
 			}
+			to = zend_multibyte_fetch_encoding(ImageInfo->encode_unicode TSRMLS_CC);
+			from = zend_multibyte_fetch_encoding(decode TSRMLS_CC);
 			/* XXX this will fail again if encoding_converter returns on error something different than SIZE_MAX   */
-			if (zend_multibyte_encoding_converter(
+			if (!to || !from || zend_multibyte_encoding_converter(
 					(unsigned char**)pszInfoPtr, 
 					&len, 
 					(unsigned char*)szValuePtr,
 					ByteCount,
-					zend_multibyte_fetch_encoding(ImageInfo->encode_unicode TSRMLS_CC),
-					zend_multibyte_fetch_encoding(decode TSRMLS_CC)
+					to,
+					from
 					TSRMLS_CC) == (size_t)-1) {
 				len = exif_process_string_raw(pszInfoPtr, szValuePtr, ByteCount);
 			}
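Review bot: When `zend_multibyte_fetch_encoding()` returns NULL, the new `!to || !from` test falls through to `exif_process_string_raw()` with no diagnostic, so an encoding name that cannot be resolved looks the same as an ordinary conversion failure. A short comment above the `if` would record why the pointers are checked, for example `/* fetch returns NULL for an unknown encoding name; never hand NULL to the converter, copy the raw bytes instead */`. If these names come from configuration, as the `ImageInfo->encode_unicode` / `decode_unicode_*` fields suggest, a warning through the extension's usual error reporting would also let an operator notice the bad setting. The same point applies to the JIS branch in the next hunk.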
@@ -2655,13 +2658,15 @@ static int exif_process_user_comment(ima
 			szValuePtr = szValuePtr+8;
 			ByteCount -= 8;
 			/* XXX this will fail again if encoding_converter returns on error something different than SIZE_MAX   */
-			if (zend_multibyte_encoding_converter(
+			to = zend_multibyte_fetch_encoding(ImageInfo->encode_jis TSRMLS_CC);
+			from = zend_multibyte_fetch_encoding(ImageInfo->motorola_intel ? ImageInfo->decode_jis_be : ImageInfo->decode_jis_le TSRMLS_CC);
+			if (!to || !from || zend_multibyte_encoding_converter(
 					(unsigned char**)pszInfoPtr, 
 					&len, 
 					(unsigned char*)szValuePtr,
 					ByteCount,
-					zend_multibyte_fetch_encoding(ImageInfo->encode_jis TSRMLS_CC),
-					zend_multibyte_fetch_encoding(ImageInfo->motorola_intel ? ImageInfo->decode_jis_be : ImageInfo->decode_jis_le TSRMLS_CC)
+					to,
+					from
 					TSRMLS_CC) == (size_t)-1) {
 				len = exif_process_string_raw(pszInfoPtr, szValuePtr, ByteCount);
 			}
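Review bot: The two fetch calls are inserted between the `XXX` comment and the `if` it describes, whereas the UNICODE branch in the previous hunk places them above that comment. Moving the `to =` / `from =` lines above the comment keeps it attached to the converter call and keeps the two branches parallel. The `from` line also packs the byte-order selection into the call argument. Selecting the name first, `decode = ImageInfo->motorola_intel ? ImageInfo->decode_jis_be : ImageInfo->decode_jis_le;` then `from = zend_multibyte_fetch_encoding(decode TSRMLS_CC);`, would mirror the UNICODE branch, assuming `decode` is in scope here, which the hunk does not show.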