Newsgroups: php.internals
Date: Thu, 12 Dec 2013 17:01:27 +1100
To: Stas Malyshev, internals Mailing List
CC: Marcus Boerger
Subject: Re: [PHP-DEV] EXIF integer overflow again
From: tstarling@wikimedia.org (Tim Starling)

On 09/12/13 10:42, Stas Malyshev wrote:
> Hi!
>
>> I just wanted to plug https://bugs.php.net/bug.php?id=65873 , since
>> it's been a month since I filed it and I've only had silence in
>> response, despite sending a private email to Stas about it.
> Could you check out this patch: https://github.com/php/php-src/pull/539
> It should fix this scenario.

I commented there.

> I couldn't add a test though since only
> reproducing case is a 120M file and even for that special conditions are
> required. If you have better reproduction that could be used on test
> that would be most welcome.

Well, reproduction requires that the file be bigger than the heap
pointer, so to reproduce reliably, you really need both a large file
and some control over the heap pointer.

I think the best you could do in a .phpt would be to use an ENV
section to customise the allocator, then craft a highly compressible
TIFF file and gzinflate() it to a temporary directory during test
execution. But even that would be system-dependent.

--
Tim Starling