ext_gd: exif_process_IFD_TAG: Use the right offset if reading from st…

…ream

Summary:
When the location of the data is outside of the range we have
preloaded (for example, if it's before the beginning of the IFD
structure), we have to read it from the stream into a separate buffer.
The offset calculations in this case were incorrect, resulting in
bogus values being read for the affected fields (sometimes parts of
other fields, sometimes binary data).

The included test image, sourced from [1], is in the public domain.

[1] https://commons.wikimedia.org/wiki/File:U.S._Marines_Prepare_to_board_an_MV-22_Osprey_160509-M-AF202-041.jpg

(This is the same fix as PHP commit c794d53c0377be960a17c3279715436e405b83f4 / php/php-src#1943.)
Closes #7208

Reviewed By: Orvid

Differential Revision: D3518486

fbshipit-source-id: e0560e9455177d873b9494f736fb140810b25633

hphp/runtime/ext/gd/ext_gd.cpp

@@ -6585,12 +6585,12 @@ static int exif_process_IFD_TAG(image_info_type *ImageInfo, char *dir_entry,
       }
 
       fpos = ImageInfo->infile->tell();
-      ImageInfo->infile->seek(offset_val, SEEK_SET);
+      ImageInfo->infile->seek(displacement+offset_val, SEEK_SET);
       fgot = ImageInfo->infile->tell();
-      if (fgot!=offset_val) {
+      if (fgot!=displacement+offset_val) {
         if (outside) IM_FREE(outside);
         raise_warning("Wrong file pointer: 0x%08lX != 0x%08lX",
-                        fgot, offset_val);
+                        fgot, displacement+offset_val);
         return 0;
       }
       String str = ImageInfo->infile->read(byte_count);

hphp/test/tools/import_zend_test.py

@@ -700,6 +700,7 @@
     '/ext/dom/tests/xinclude.xml',
     '/ext/exif/tests/bug34704.jpg',
     '/ext/exif/tests/bug48378.jpeg',
+    '/ext/exif/tests/bug50845.jpg',
     '/ext/exif/tests/bug60150.jpg',
     '/ext/exif/tests/bug62523_1.jpg',
     '/ext/exif/tests/bug62523_2.jpg',

hphp/test/zend/.gitattributes

@@ -355,6 +355,7 @@ good/ext/date/tests/bug65371.php binary
 good/ext/date/tests/bug65371.php.expectf binary
 good/ext/exif/tests/bug34704.jpg binary
 good/ext/exif/tests/bug48378.jpeg binary
+good/ext/exif/tests/bug50845.jpg binary
 good/ext/exif/tests/bug60150.jpg binary
 good/ext/exif/tests/bug62523_2.jpg binary
 good/ext/exif/tests/exif_encoding_crash.jpg binary

hphp/test/zend/good/ext/exif/tests/bug50845.php

@@ -0,0 +1,3 @@
+<?php
+$infile = dirname(__FILE__).'/bug50845.jpg';
+var_dump(exif_read_data($infile));

hphp/test/zend/good/ext/exif/tests/bug50845.php.expectf

@@ -0,0 +1,131 @@
+array(44) {
+  ["FileName"]=>
+  string(12) "bug50845.jpg"
+  ["FileDateTime"]=>
+  int(%d)
+  ["FileSize"]=>
+  int(803603)
+  ["FileType"]=>
+  int(2)
+  ["MimeType"]=>
+  string(10) "image/jpeg"
+  ["SectionsFound"]=>
+  string(30) "ANY_TAG, IFD0, THUMBNAIL, EXIF"
+  ["COMPUTED"]=>
+  array(9) {
+    ["html"]=>
+    string(26) "width="5472" height="3648""
+    ["Height"]=>
+    int(3648)
+    ["Width"]=>
+    int(5472)
+    ["IsColor"]=>
+    int(1)
+    ["ByteOrderMotorola"]=>
+    int(0)
+    ["ApertureFNumber"]=>
+    string(5) "f/7.1"
+    ["Copyright"]=>
+    string(13) "Public Domain"
+    ["Thumbnail.FileType"]=>
+    int(2)
+    ["Thumbnail.MimeType"]=>
+    string(10) "image/jpeg"
+  }
+  ["ImageDescription"]=>
+  string(295) "A U.S. Marine Corps MV-22 Osprey lands on the USS Whidbey Island (LSD-41), May 5, 2016. The vehicles were loaded to support a theater security cooperation event as a part of a MEU readiness exercise. (U.S. Marine Corps photo by Lance Cpl. Koby I. Saunders/22 Marine Expeditionary Unit/ Released)"
+  ["Make"]=>
+  string(5) "Canon"
+  ["Model"]=>
+  string(22) "Canon EOS-1D X Mark II"
+  ["Orientation"]=>
+  int(1)
+  ["XResolution"]=>
+  string(5) "240/1"
+  ["YResolution"]=>
+  string(5) "240/1"
+  ["ResolutionUnit"]=>
+  int(2)
+  ["Artist"]=>
+  string(24) "Lance Cpl. Koby Saunders"
+  ["Copyright"]=>
+  string(13) "Public Domain"
+  ["Exif_IFD_Pointer"]=>
+  int(12572)
+  ["THUMBNAIL"]=>
+  array(6) {
+    ["Compression"]=>
+    int(6)
+    ["XResolution"]=>
+    string(5) "240/1"
+    ["YResolution"]=>
+    string(5) "240/1"
+    ["ResolutionUnit"]=>
+    int(2)
+    ["JPEGInterchangeFormat"]=>
+    int(860)
+    ["JPEGInterchangeFormatLength"]=>
+    int(11204)
+  }
+  ["ExposureTime"]=>
+  string(5) "1/200"
+  ["FNumber"]=>
+  string(5) "71/10"
+  ["ExposureProgram"]=>
+  int(1)
+  ["ISOSpeedRatings"]=>
+  int(100)
+  ["UndefinedTag:0x8830"]=>
+  int(2)
+  ["UndefinedTag:0x8832"]=>
+  int(100)
+  ["ExifVersion"]=>
+  string(4) "0230"
+  ["ShutterSpeedValue"]=>
+  string(15) "7643856/1000000"
+  ["ApertureValue"]=>
+  string(15) "5655638/1000000"
+  ["ExposureBiasValue"]=>
+  string(3) "0/1"
+  ["MaxApertureValue"]=>
+  string(3) "4/1"
+  ["MeteringMode"]=>
+  int(5)
+  ["Flash"]=>
+  int(16)
+  ["FocalLength"]=>
+  string(4) "24/1"
+  ["ColorSpace"]=>
+  int(65535)
+  ["FocalPlaneXResolution"]=>
+  string(12) "5472000/1438"
+  ["FocalPlaneYResolution"]=>
+  string(11) "3648000/958"
+  ["FocalPlaneResolutionUnit"]=>
+  int(2)
+  ["CustomRendered"]=>
+  int(0)
+  ["ExposureMode"]=>
+  int(1)
+  ["WhiteBalance"]=>
+  int(0)
+  ["SceneCaptureType"]=>
+  int(0)
+  ["UndefinedTag:0xA431"]=>
+  string(12) "002099000358"
+  ["UndefinedTag:0xA432"]=>
+  array(4) {
+    [0]=>
+    string(4) "24/1"
+    [1]=>
+    string(5) "105/1"
+    [2]=>
+    string(3) "0/0"
+    [3]=>
+    string(3) "0/0"
+  }
+  ["UndefinedTag:0xA434"]=>
+  string(22) "EF24-105mm f/4L IS USM"
+  ["UndefinedTag:0xA435"]=>
+  string(10) "000044bc4c"
+}

hphp/test/zend/good/ext/exif/tests/bug50845.php.skipif

@@ -0,0 +1 @@
+<?php if (!extension_loaded('exif')) print 'skip exif extension not available';?>