Newsgroups: php.internals
From: pierre.php@gmail.com (Pierre Joye)
To: Tim Starling
Cc: Stas Malyshev, internals Mailing List, Marcus Boerger
Date: Thu, 12 Dec 2013 07:07:38 +0100
Subject: Re: [PHP-DEV] EXIF integer overflow again

On Thu, Dec 12, 2013 at 7:01 AM, Tim Starling wrote:
> On 09/12/13 10:42, Stas Malyshev wrote:
>> Hi!
>>
>>> I just wanted to plug https://bugs.php.net/bug.php?id=65873 , since
>>> it's been a month since I filed it and I've only had silence in
>>> response, despite sending a private email to Stas about it.
>> Could you check out this patch: https://github.com/php/php-src/pull/539
>> It should fix this scenario.
>
> I commented there.
>
>> I couldn't add a test though since only
>> reproducing case is a 120M file and even for that special conditions are
>> required. If you have better reproduction that could be used on test
>> that would be most welcome.
>
> Well, reproduction requires that the file be bigger than the heap
> pointer, so to reproduce reliably, you really need both a large file
> and some control over the heap pointer. I think the best you could do
> in a .phpt would be to use an ENV section to customise the allocator,
> then craft a highly compressible TIFF file and gzinflate() it to a
> temporary directory during test execution. But even that would be
> system-dependent.

In any case, we can live without a test for this fix, better to have
it without test than no fix at all.

But generating it at runtime during the test run sounds like a good
solution. While I am not sure yet about a good way to craft a TIFF to
fit the crash requirements, we have no API to get the heap size (not
sure it is displayed by bintools).

Cheers,
--
Pierre

@pierrejoye | http://www.libgd.org