Exif crash on unknown encoding was fixed #293
Conversation
Good catch! Please add also some comment as it should be touched anyway once encoding_converter isn't dummy anymore. Also a test should be there ;)
I don't quite catch what comment you mean. Could you please tell me where I can find information about the rules of making PHP tests? Thanks
I meant just to put a small comment near your change like /* XXX this will fail again if encoding_converter delivers a real length */. Because once (and if) encoding_converter isn't dummy anymore, it'd deliver some real count of bytes and not always (size_t)-1. In that case the code you've fixed would fail again but with a comment it'd be easier to figure out. There are some docs about the test file sections here http://qa.php.net/phpt_details.php . Also in each ext dir is a 'tests' folder where the tests live, like in your case ext/exif/tests/ , so you can look at those and do yours by example.
Comments added. All bugs with zend_multibyte_encoding_converter were fixed in exif.
"Because once (and if) encoding_converter isn't dummy anymore, it'd deliver some real count of bytes and not always (size_t)-1" - but if it returns real size, it fills &len?
Exactly, but the len isn't always SIZE_MAX )
ok.
Ah, now I see what you mean /* XXX this will fail again if encoding_converter delivers a real length and doesn't fill len */ How do you come to "and doesn't fill len"? :)
I changed comments :) |
hey, is this change also related to https://bugs.php.net/bug.php?id=62523 ? thanks |
@laruence looks not like that, this one is related to zend_multibyte_encoding_converter which starts to be present in 5.4 and is still a dummy in 5.5. But in the ticket it's mentioned to be reproducible in 5.4, too. And the code path used looks similar.
@weltling thanks :) |
This fix isn't related to #62523
Can confirm that, sadly. Files from #62523 still fail with this PR. However some similarities are present. Here we deal with the zend encoding converter, in #62523 it's the same with mbstring. Not sure, shouldn't mbstring override zend handlers (if present)? I have to test that when I've more time. @Draal I have your test not passing on Windows with vc9, here's the test diff http://belski.net/phpz/pulls/draal/exif_encoding_crash.out Most of the array keys look plausible, but there are some having binary data in it, namely ComponentsConfiguration, FileSource, SceneType, CFAPattern, UndefinedTag:0xEA1C. Sure those contain what they should? Had no chance yet to test on Linux, will do as soon as I got my hands there.
And is that out what you see on your side? |
On Linux it is the same result. I think it is normal, because the test crash image is a specially formed image (the original had 3MB size).
So that's fine, the most important sections are correct, the others seem to be at least ok with their specs when I look here http://www.sno.phy.queensu.ca/~phil/exiftool/TagNames/EXIF.html Where could they come from is completely another story :) So please update the EXPECT section with that array, as now you expect bool(false) there and the test fails.
I changed the test to check only php crash. |
Is it ok now? Can I close pull request? |
Please let it ripen, maybe someone else could take a look. The PR will be closed after merge
@Draal I am unable to reproduce the bug even with unpatched version with this test. The function exif_process_user_comment doesn't seem to even be called there, and ImageInfo.UserComment is NULL when parsing the test image. Does the test work for you? |
This test image crashes on exif_process_unicode,
@Draal still, I am unable to reproduce the problem with this test and unpatched code. Are there any special conditions or requirements for it to reproduce? |
it is strange. [draal@dev <exif_crash_fix>~/src/php-src/ext/exif/tests]$ /home/draal/tmp/php exif_encoding_crash.phpt |
Ошибка сегментирования = Segmentation fault |
@smalyshev This bug reproduces only on a 32bit platform (but it is a platform independent bug in general). xp_field->size is any on a 32bit platform :
On a 64bit platform the bug exists: return (size_t)-1 and check < 0 (it doesn't reproduce only because the struct has zero value)
dummy_encoding_converter (to=0x7ffff1f42e10, to_length=0x7ffff1f42e18, from=0x7ffff7fe5d90 " ", from_length=74, encoding_to=0x0, encoding_from=0x0)
@Draal that's the thing, for me it doesn't call dummy_encoding_converter and doesn't return -1. Could you send me your compile options and php.ini to [email protected]? |
@smalyshev On branch PHP-5.4.13.
./buildconf --force
gcc -v
Maybe it is time to close?
@Draal well, I'd be happy if we could figure out why you see it and I do not... maybe somebody else on the internals list to confirm it? |
@smalyshev Did you build PHP for the 32bit platform and try to reproduce the bug?
@Draal yes, built it on 32-bit and it works fine on the file attached to this pull request. |
The code is definitely wrong and the fix seems ok, so, I'll merge soon as long as nobody's gonna beat me up. |
By: Draal Conflicts: configure.in main/php_version.h
* PHP-5.4: add tests for bug #62523 Merged PR #293 (Exif crash on unknown encoding was fixed) By: Draal Conflicts: configure.in main/php_version.h
* PHP-5.5: add tests for bug #62523 Merged PR #293 (Exif crash on unknown encoding was fixed) By: Draal Conflicts: configure.in main/php_version.h
zend_multibyte_encoding_converter returns the size_t type.
size_t is an unsigned integer, so the condition <0 is false on dummy_encoding_converter ((size_t)-1) and exif_process_unicode returns an unfilled xp_field->size.
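The defect described above, modelled as an added example (constructed for this page, not php-src code): a stand-in for the dummy converter that returns (size_t)-1 without filling its out-parameters, the buggy `len < 0` check beside a corrected one that tests the sentinel and initialises the field before the call. The struct and function names are assumptions that only mirror the names used in the discussion.

```c
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for the dummy zend_multibyte_encoding_converter of the
 * PR discussion: it never touches *to or *to_length and signals failure by
 * returning (size_t)-1. Not php-src code. */
static size_t dummy_encoding_converter(unsigned char **to, size_t *to_length,
                                       const unsigned char *from, size_t from_length)
{
    (void)to; (void)to_length; (void)from; (void)from_length;
    return (size_t)-1;
}

typedef struct { unsigned char *value; size_t size; } xp_field_t;

/* Buggy shape of the check: size_t is unsigned, so `len < 0` can never be
 * true (gcc -Wextra flags it via -Wtype-limits). The failure is missed and
 * f->size keeps whatever the caller left in it (garbage on a real stack). */
static int process_unicode_buggy(xp_field_t *f, const unsigned char *src, size_t n)
{
    unsigned char *out = NULL;
    size_t len = dummy_encoding_converter(&out, &f->size, src, n);
    if (len < 0) {            /* always false for an unsigned type */
        f->size = 0; f->value = NULL; return -1;
    }
    f->value = out;           /* NULL, and f->size was never filled */
    return 0;
}

/* Fixed shape: initialise the out-params before the call, compare against the
 * documented sentinel, and fall back to copying the raw bytes on failure.
 * Returns 0 on conversion, 1 on raw fallback, -1 on allocation failure. */
static int process_unicode_fixed(xp_field_t *f, const unsigned char *src, size_t n)
{
    unsigned char *out = NULL;
    f->size = 0; f->value = NULL;
    size_t len = dummy_encoding_converter(&out, &f->size, src, n);
    if (len == (size_t)-1 || out == NULL) {
        f->value = malloc(n + 1);
        if (f->value == NULL) return -1;
        memcpy(f->value, src, n); f->value[n] = '\0'; f->size = n;
        return 1;
    }
    f->value = out;           /* f->size was filled by the converter */
    return 0;
}
```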