Limit the amount of errors generated during exif parsing

Emitting errors is fairly expensive, to the point that parsing a file with a huge number of invalid tags can take seconds. Generating ten thousand errors is unlikely to help anybody, but constitutes a potential DOS vector.
php · Oct 18, 2019 · e5324a2 · e5324a2
1 parent 81806db
commit e5324a2
Show file tree

Hide file tree

Showing 3 changed files with 18 additions and 54 deletions.
diff --git a/ext/exif/exif.c b/ext/exif/exif.c
@@ -1939,16 +1939,29 @@ typedef struct {
 	int             read_thumbnail;
 	int             read_all;
 	int             ifd_nesting_level;
+	int             num_errors;
 	/* internal */
 	file_section_list 	file;
 } image_info_type;
 /* }}} */
 
+#define EXIF_MAX_ERRORS 10
+
 /* {{{ exif_error_docref */
-static void exif_error_docref(const char *docref EXIFERR_DC, const image_info_type *ImageInfo, int type, const char *format, ...)
+static void exif_error_docref(const char *docref EXIFERR_DC, image_info_type *ImageInfo, int type, const char *format, ...)
 {
 	va_list args;
 
+	if (ImageInfo) {
+		if (++ImageInfo->num_errors > EXIF_MAX_ERRORS) {
+			if (ImageInfo->num_errors == EXIF_MAX_ERRORS+1) {
+				php_error_docref(docref, type,
+					"Further exif parsing errors have been suppressed");
+			}
+			return;
+		}
+	}
+
 	va_start(args, format);
 #ifdef EXIF_DEBUG
 	{
@@ -4337,6 +4350,7 @@ static int exif_read_from_impl(image_info_type *ImageInfo, php_stream *stream, i
 
 
 	ImageInfo->ifd_nesting_level = 0;
+	ImageInfo->num_errors = 0;
 
 	/* Scan the headers */
 	ret = exif_scan_FILE_header(ImageInfo);

diff --git a/ext/exif/tests/bug76557.phpt b/ext/exif/tests/bug76557.phpt
@@ -28,52 +28,6 @@ Warning: exif_read_data(bug76557.jpg): Process tag(x3030=UndefinedTa): Illegal f
 
 Warning: exif_read_data(bug76557.jpg): Process tag(x3030=UndefinedTa): Illegal format code 0x3030, suppose BYTE in %sbug76557.php on line %d
 
-Warning: exif_read_data(bug76557.jpg): Process tag(x8769=Exif_IFD_Po): Illegal format code 0x3030, suppose BYTE in %sbug76557.php on line %d
-
-Warning: exif_read_data(bug76557.jpg): Process tag(x3030=UndefinedTa): Illegal format code 0x3030, suppose BYTE in %sbug76557.php on line %d
-
-Warning: exif_read_data(bug76557.jpg): Process tag(x3030=UndefinedTa): Illegal format code 0x3030, suppose BYTE in %sbug76557.php on line %d
-
-Warning: exif_read_data(bug76557.jpg): Process tag(x3030=UndefinedTa): Illegal format code 0x3030, suppose BYTE in %sbug76557.php on line %d
-
-Warning: exif_read_data(bug76557.jpg): Process tag(x3030=UndefinedTa): Illegal format code 0x3030, suppose BYTE in %sbug76557.php on line %d
-
-Warning: exif_read_data(bug76557.jpg): Process tag(x3030=UndefinedTa): Illegal format code 0x3030, suppose BYTE in %sbug76557.php on line %d
-
-Warning: exif_read_data(bug76557.jpg): Process tag(x3030=UndefinedTa): Illegal format code 0x3030, suppose BYTE in %sbug76557.php on line %d
-
-Warning: exif_read_data(bug76557.jpg): Process tag(x3030=UndefinedTa): Illegal format code 0x3030, suppose BYTE in %sbug76557.php on line %d
-
-Warning: exif_read_data(bug76557.jpg): Process tag(x3030=UndefinedTa): Illegal format code 0x3030, suppose BYTE in %sbug76557.php on line %d
-
-Warning: exif_read_data(bug76557.jpg): Process tag(x3030=UndefinedTa): Illegal format code 0x3030, suppose BYTE in %sbug76557.php on line %d
-
-Warning: exif_read_data(bug76557.jpg): Process tag(x3030=UndefinedTa): Illegal format code 0x3030, suppose BYTE in %sbug76557.php on line %d
-
-Warning: exif_read_data(bug76557.jpg): Process tag(x3030=UndefinedTa): Illegal format code 0x3030, suppose BYTE in %sbug76557.php on line %d
-
-Warning: exif_read_data(bug76557.jpg): Process tag(x3030=UndefinedTa): Illegal format code 0x3030, suppose BYTE in %sbug76557.php on line %d
-
-Warning: exif_read_data(bug76557.jpg): Process tag(x3030=UndefinedTa): Illegal format code 0x3030, suppose BYTE in %sbug76557.php on line %d
-
-Warning: exif_read_data(bug76557.jpg): Process tag(x3030=UndefinedTa): Illegal format code 0x3030, suppose BYTE in %sbug76557.php on line %d
-
-Warning: exif_read_data(bug76557.jpg): Process tag(x3030=UndefinedTa): Illegal format code 0x3030, suppose BYTE in %sbug76557.php on line %d
-
-Warning: exif_read_data(bug76557.jpg): Process tag(x3030=UndefinedTa): Illegal format code 0x3030, suppose BYTE in %sbug76557.php on line %d
-
-Warning: exif_read_data(bug76557.jpg): Process tag(x927C=MakerNote  ): Illegal format code 0x3030, suppose BYTE in %sbug76557.php on line %d
-
-Warning: exif_read_data(bug76557.jpg): Process tag(x3030=UndefinedTa): Illegal format code 0x3030, suppose BYTE in %sbug76557.php on line %d
-
-Warning: exif_read_data(bug76557.jpg): Process tag(x3030=UndefinedTa): Illegal format code 0x3030, suppose BYTE in %sbug76557.php on line %d
-
-Warning: exif_read_data(bug76557.jpg): Process tag(x3030=UndefinedTa): Illegal format code 0x3030, suppose BYTE in %sbug76557.php on line %d
-
-Warning: exif_read_data(bug76557.jpg): Process tag(x3030=UndefinedTa): Illegal pointer offset(%s) in %sbug76557.php on line %d
-
-Warning: exif_read_data(bug76557.jpg): File structure corrupted in %sbug76557.php on line %d
-
-Warning: exif_read_data(bug76557.jpg): Invalid JPEG file in %sbug76557.php on line %d
+Warning: exif_read_data(): Further exif parsing errors have been suppressed in %s on line %d
 bool(false)
 DONE
diff --git a/ext/exif/tests/bug77753.phpt b/ext/exif/tests/bug77753.phpt
@@ -4,13 +4,9 @@ Bug #77753 (Heap-buffer-overflow in php_ifd_get32s)
 <?php if (!extension_loaded('exif')) print 'skip exif extension not available';?>
 --FILE--
 <?php
-var_dump(exif_read_data(__DIR__."/bug77753.tiff"));
+@var_dump(exif_read_data(__DIR__."/bug77753.tiff"));
 ?>
 DONE
 --EXPECTF--
-%A
-Warning: exif_read_data(bug77753.tiff): Illegal IFD size: 0x006A > 0x0065 in %sbug77753.php on line %d
-
-Warning: exif_read_data(bug77753.tiff): Invalid TIFF file in %sbug77753.php on line %d
 bool(false)
-DONE
+DONE