Exif crash on unknown encoding was fixed #293
|
Good catch! Please also add a comment, as it will need to be touched anyway once encoding_converter isn't a dummy anymore. Also, a test should be there ;) |
|
I don't quite catch what comment you mean. Could you please tell me where I can find information about the rules for writing PHP tests? Thanks |
|
I meant just to put a small comment near your change like /* XXX this will fail again if encoding_converter delivers a real length */. Because once (and if) encoding_converter isn't a dummy anymore, it'd deliver some real count of bytes and not always (size_t)-1. In that case the code you've fixed would fail again, but with a comment it'd be easier to figure out. There are some docs about the test file sections here: http://qa.php.net/phpt_details.php . Also, in each ext dir there is a 'tests' folder where the tests live, in your case ext/exif/tests/, so you can look at those and do yours by example. |
Comments added. All bugs with zend_multibyte_encoding_converter were fixed in exif.
|
"Because once (and if) encoding_converter isn't dummy anymore, it'd deliver some real count of bytes and not always (size_t)-1" - but if it returns a real size, it fills &len? |
|
Exactly, but the len isn't always SIZE_MAX ) |
|
ok. |
|
Ah, now I see what you mean: /* XXX this will fail again if encoding_converter delivers a real length and doesn't fill len */. How did you come to "and doesn't fill len"? :) |
|
I changed the comments :) |
|
Hey, is this change also related to https://bugs.php.net/bug.php?id=62523 ? Thanks |
|
@laruence it doesn't look like that; this one is related to zend_multibyte_encoding_converter, which is present starting with 5.4 and is still a dummy in 5.5. But in the ticket it's mentioned to be reproducible in 5.4, too. And the code path used looks similar. |
|
@weltling thanks :) |
|
This fix isn't related to #62523
|
Can confirm that, sadly. Files from #62523 still fail with this PR. However, some similarities are present. Here we deal with the zend encoding converter; in #62523 it's the same with mbstring. Not sure, shouldn't mbstring override the zend handlers (if present)? I have to test that when I have more time. @Draal your test is not passing for me on Windows with VC9; here's the test diff: http://belski.net/phpz/pulls/draal/exif_encoding_crash.out Most of the array keys look plausible, but there are some with binary data in them, namely ComponentsConfiguration, FileSource, SceneType, CFAPattern, UndefinedTag:0xEA1C. Are you sure those contain what they should? Had no chance yet to test on Linux, will do as soon as I get my hands on it. |
|
And is that output what you see on your side? |
|
On Linux it is the same result. I think it is normal, because the test crash image is a specially formed image (the original had a size of 3MB). |
|
So that's fine, the most important sections are correct, the others seem to be at least OK with their specs when I look here: http://www.sno.phy.queensu.ca/~phil/exiftool/TagNames/EXIF.html Where they could come from is completely another story :) So please update the EXPECT section with that array, as right now you expect bool(false) there and the test fails. |
|
I changed the test to check only for the PHP crash. |
|
Is it OK now? Can I close the pull request? |
|
Please let it ripen, maybe someone else could take a look. The PR will be closed after the merge. |
|
@Draal I am unable to reproduce the bug with this test, even with the unpatched version. The function exif_process_user_comment doesn't even seem to be called there, and ImageInfo.UserComment is NULL when parsing the test image. Does the test work for you? |
|
This test image crashes in exif_process_unicode. |
|
@Draal still, I am unable to reproduce the problem with this test and unpatched code. Are there any special conditions or requirements for it to reproduce? |
|
It is strange. [draal@dev <exif_crash_fix>~/src/php-src/ext/exif/tests]$ /home/draal/tmp/php exif_encoding_crash.phpt |
|
Ошибка сегментирования = Segmentation fault |
|
@smalyshev This bug reproduces only on a 32bit platform (but it is a platform-independent bug in general). xp_field->size can be anything on a 32bit platform: |
|
On a 64bit platform the bug exists too: return (size_t)-1 and check < 0 (it doesn't reproduce only because the struct has a zero value) dummy_encoding_converter (to=0x7ffff1f42e10, to_length=0x7ffff1f42e18, from=0x7ffff7fe5d90 " ", from_length=74, encoding_to=0x0, encoding_from=0x0) |
|
@Draal that's the thing, for me it doesn't call dummy_encoding_converter and doesn't return -1. Could you send me your compile options and php.ini to [email protected]? |
|
@smalyshev On branch PHP-5.4.13. ./buildconf --force gcc -v |
|
Maybe it is time to close? |
|
@Draal well, I'd be happy if we could figure out why you see it and I do not... maybe somebody else on the internals list to confirm it? |
|
@smalyshev Did you build PHP for the 32bit platform and try to reproduce the bug? |
|
@Draal yes, built it on 32-bit and it works fine on the file attached to this pull request. |
|
The code is definitely wrong and the fix seems OK, so I'll merge soon, as long as nobody's gonna beat me up.
By: Draal Conflicts: configure.in main/php_version.h
* PHP-5.4: add tests for bug #62523 Merged PR #293 (Exif crash on unknown encoding was fixed) By: Draal Conflicts: configure.in main/php_version.h
* PHP-5.5: add tests for bug #62523 Merged PR #293 (Exif crash on unknown encoding was fixed) By: Draal Conflicts: configure.in main/php_version.h
|
zend_multibyte_encoding_converter returns a size_t.
size_t is an unsigned integer, so the condition < 0 is false for dummy_encoding_converter ((size_t)-1), and exif_process_unicode returns an unfilled xp_field->size.
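The class of defect the description refers to, as an added C example that is not php-src code: a constructed converter that reports failure as (size_t)-1 and never writes the output length, a caller that tests the unsigned result with `< 0` (never true) and so trusts a stale size, and the corrected caller that compares against (size_t)-1 and falls back to a raw copy with a known length. The function names are hypothetical and 0xDEAD stands in for an uninitialised field.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for a still-dummy converter: signals failure with
 * (size_t)-1 and deliberately never writes *to_length. */
static size_t dummy_converter(unsigned char **to, size_t *to_length,
                              const unsigned char *from, size_t from_length)
{
    (void)to; (void)to_length; (void)from; (void)from_length;
    return (size_t)-1;
}

/* Buggy pattern (hypothetical name): `ret < 0` can never hold for an
 * unsigned type, so the error branch is dead and whatever the caller had
 * in *out_size is reported as the decoded length of a NULL buffer. */
static int decode_buggy(const unsigned char *in, size_t in_len,
                        unsigned char **out, size_t *out_size)
{
    size_t len = *out_size;             /* mirrors an uninitialised xp_field->size */
    *out = NULL;
    size_t ret = dummy_converter(out, &len, in, in_len);
    if (ret < 0) {                      /* dead branch: size_t is unsigned */
        return -1;
    }
    *out_size = len;                    /* stale value becomes a trusted length */
    return 0;
}

/* Fixed pattern (hypothetical name): compare against the documented
 * sentinel and, on failure, produce a buffer whose length is known. */
static int decode_fixed(const unsigned char *in, size_t in_len,
                        unsigned char **out, size_t *out_size)
{
    size_t len = 0;
    *out = NULL;
    if (dummy_converter(out, &len, in, in_len) == (size_t)-1) {
        *out = malloc(in_len + 1);      /* raw copy, NUL-terminated */
        if (*out == NULL) {
            *out_size = 0;
            return -1;
        }
        memcpy(*out, in, in_len);
        (*out)[in_len] = '\0';
        *out_size = in_len;
        return 0;
    }
    *out_size = len;                    /* a real converter filled it */
    return 0;
}
```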