Fix GH-9397: exif read : warnings and errors : Potentially invalid en…

…dianess, Illegal IFD size and Undefined index Don't misinterpret DJI info maker note as DJI maker note. The DJI and DJI info maker note both share the "DJI" make string. This caused the current code to try to interpret the DJI info maker note as a DJI maker note. However, the DJI info maker note requires custom parsing. Therefore, the misinterpretation actually caused the current code to believe that there was an unrecoverable error in the IFD for the maker note by returning false in the maker note parser. This in turn caused the inability to parse other EXIF metadata. This patch adds the identification of the DJI info maker note so that it cannot be misinterpreted. Since we don't implement custom parsing, it achieves this by setting the tag list to a special marker value (in this case the NULL pointer). When this marker value is detected, the function will just skip parsing the maker note and return true. Therefore, the other code will believe that the IFD is not corrupt. This approach is similar to handing an unrecognised maker note type (see the loop on top of exif_process_IFD_in_MAKERNOTE() which also returns true and treats it as a string). The end result of this patch is that the DJI info maker note is considered as unknown to the caller of exif_process_IFD_in_MAKERNOTE(), and therefore that the other EXIF metadata can be parsed successfully. Also fix debug output typos in exif. Closes GH-10470.
php · Apr 5, 2023 · b81ce29 · b81ce29
1 parent 0579beb
commit b81ce29
Show file tree

Hide file tree

Showing 2 changed files with 17 additions and 3 deletions.
diff --git a/NEWS b/NEWS
@@ -14,6 +14,10 @@ PHP                                                                        NEWS
     (Nathan Freeman)
   . Fixed incorrect error handling in dom_zvals_to_fragment(). (nielsdos)
 
+- Exif:
+  . Fixed bug GH-9397 (exif read : warnings and errors : Potentially invalid
+    endianess, Illegal IFD size and Undefined index). (nielsdos)
+
 - PCRE:
   . Fixed bug GH-10968 (Segfault in preg_replace_callback_array()). (ilutov)
 

diff --git a/ext/exif/exif.c b/ext/exif/exif.c
@@ -1277,6 +1277,9 @@ typedef struct {
 	mn_offset_mode_t offset_mode;
 } maker_note_type;
 
+/* Some maker notes (e.g. DJI info tag) require custom parsing */
+#define REQUIRES_CUSTOM_PARSING NULL
+
 /* Remember to update PHP_MINFO if updated */
 static const maker_note_type maker_note_array[] = {
   { tag_table_VND_CANON,     "Canon",                   NULL,								0,  0,  MN_ORDER_INTEL,    MN_OFFSET_NORMAL},
@@ -1287,6 +1290,7 @@ static const maker_note_type maker_note_array[] = {
   { tag_table_VND_OLYMPUS,   "OLYMPUS OPTICAL CO.,LTD", "OLYMP\x00\x01\x00",				8,  8,  MN_ORDER_NORMAL,   MN_OFFSET_NORMAL},
   { tag_table_VND_SAMSUNG,   "SAMSUNG",                 NULL,								0,  0,  MN_ORDER_NORMAL,   MN_OFFSET_NORMAL},
   { tag_table_VND_PANASONIC, "Panasonic",               "Panasonic\x00\x00\x00",			12, 12, MN_ORDER_NORMAL,   MN_OFFSET_NORMAL},
+  { REQUIRES_CUSTOM_PARSING, "DJI",                     "[ae_dbg_info:",					13, 13, MN_ORDER_MOTOROLA, MN_OFFSET_NORMAL},
   { tag_table_VND_DJI,       "DJI",                     NULL,								0,  0,  MN_ORDER_NORMAL,   MN_OFFSET_NORMAL},
   { tag_table_VND_SONY,      "SONY",                    "SONY DSC \x00\x00\x00",			12, 12, MN_ORDER_NORMAL,   MN_OFFSET_NORMAL},
   { tag_table_VND_SONY,      "SONY",                    NULL,								0,  0,  MN_ORDER_NORMAL,   MN_OFFSET_NORMAL},
@@ -3168,10 +3172,16 @@ static bool exif_process_IFD_in_MAKERNOTE(image_info_type *ImageInfo, char * val
 		return true;
 	}
 
+	if (UNEXPECTED(maker_note->tag_table == REQUIRES_CUSTOM_PARSING)) {
+		/* Custom parsing required, which is not implemented at this point
+		 * Return true so that other metadata can still be parsed. */
+		return true;
+	}
+
 	dir_start = value_ptr + maker_note->offset;
 
 #ifdef EXIF_DEBUG
-	exif_error_docref(NULL EXIFERR_CC, ImageInfo, E_NOTICE, "Process %s @x%04X + 0x%04X=%d: %s", exif_get_sectionname(section_index), (intptr_t)dir_start-(intptr_t)info->offset_base+maker_note->offset+displacement, value_len, value_len, exif_char_dump(value_ptr, value_len, (intptr_t)dir_start-(intptr_t)info->offset_base+maker_note->offset+displacement));
+	exif_error_docref(NULL EXIFERR_CC, ImageInfo, E_NOTICE, "Process %s @0x%04X + 0x%04X=%d: %s", exif_get_sectionname(section_index), (intptr_t)dir_start-(intptr_t)info->offset_base+maker_note->offset+displacement, value_len, value_len, exif_char_dump(value_ptr, value_len, (intptr_t)dir_start-(intptr_t)info->offset_base+maker_note->offset+displacement));
 #endif
 
 	ImageInfo->sections_found |= FOUND_MAKERNOTE;
@@ -3330,7 +3340,7 @@ static bool exif_process_IFD_TAG_impl(image_info_type *ImageInfo, char *dir_entr
 #ifdef EXIF_DEBUG
 	dump_data = exif_dump_data(&dump_free, format, components, ImageInfo->motorola_intel, value_ptr);
 	exif_error_docref(NULL EXIFERR_CC, ImageInfo, E_NOTICE,
-		"Process tag(x%04X=%s,@x%04X + x%04X(=%d)): %s%s %s",
+		"Process tag(x%04X=%s,@0x%04X + x%04X(=%d)): %s%s %s",
 		tag, exif_get_tagname_debug(tag, tag_table), offset_val+displacement, byte_count, byte_count, (components>1)&&format!=TAG_FMT_UNDEFINED&&format!=TAG_FMT_STRING?"ARRAY OF ":"", exif_get_tagformat(format), dump_data);
 	if (dump_free) {
 		efree(dump_data);
@@ -4173,7 +4183,7 @@ static bool exif_process_IFD_in_TIFF_impl(image_info_type *ImageInfo, size_t dir
 						}
 						entry_offset = php_ifd_get32u(dir_entry+8, ImageInfo->motorola_intel);
 #ifdef EXIF_DEBUG
-						exif_error_docref(NULL EXIFERR_CC, ImageInfo, E_NOTICE, "Next IFD: %s @x%04X", exif_get_sectionname(sub_section_index), entry_offset);
+						exif_error_docref(NULL EXIFERR_CC, ImageInfo, E_NOTICE, "Next IFD: %s @0x%04X", exif_get_sectionname(sub_section_index), entry_offset);
 #endif
 						exif_process_IFD_in_TIFF(ImageInfo, entry_offset, sub_section_index);
 						if (section_index!=SECTION_THUMBNAIL && entry_tag==TAG_SUB_IFD) {