--- embedaddon/php/ext/exif/exif.c 2012/05/29 12:34:37 1.1.1.2 +++ embedaddon/php/ext/exif/exif.c 2013/10/14 08:02:11 1.1.1.4 @@ -2,7 +2,7 @@ +----------------------------------------------------------------------+ | PHP Version 5 | +----------------------------------------------------------------------+ - | Copyright (c) 1997-2012 The PHP Group | + | Copyright (c) 1997-2013 The PHP Group | +----------------------------------------------------------------------+ | This source file is subject to version 3.01 of the PHP license, | | that is bundled with this package in the file LICENSE, and is | @@ -17,7 +17,7 @@ +----------------------------------------------------------------------+ */ -/* $Id: exif.c,v 1.1.1.2 2012/05/29 12:34:37 misho Exp $ */ +/* $Id: exif.c,v 1.1.1.4 2013/10/14 08:02:11 misho Exp $ */ /* ToDos * @@ -138,7 +138,7 @@ const zend_function_entry exif_functions[] = { }; /* }}} */ -#define EXIF_VERSION "1.4 $Id: exif.c,v 1.1.1.2 2012/05/29 12:34:37 misho Exp $" +#define EXIF_VERSION "1.4 $Id: exif.c,v 1.1.1.4 2013/10/14 08:02:11 misho Exp $" /* {{{ PHP_MINFO_FUNCTION */ @@ -2595,7 +2595,7 @@ static int exif_process_string_raw(char **result, char /* {{{ exif_process_string * Copy a string in Exif header to a character string and return length of allocated buffer if any. - * In contrast to exif_process_string this function does allways return a string buffer */ + * In contrast to exif_process_string this function does always return a string buffer */ static int exif_process_string(char **result, char *value, size_t byte_count TSRMLS_DC) { /* we cannot use strlcpy - here the problem is that we cannot use strlen to * determin length of string and we cannot use strlcpy with len=byte_count+1 
@@ -3254,7 +3254,7 @@ static void exif_process_APP12(image_info_type *ImageI
 if ((l1 = php_strnlen(buffer+2, length-2)) > 0) {
 exif_iif_add_tag(ImageInfo, SECTION_APP12, "Company", TAG_NONE, TAG_FMT_STRING, l1, buffer+2 TSRMLS_CC);
 if (length > 2+l1+1) {
- l2 = php_strnlen(buffer+2+l1+1, length-2-l1+1);
+ l2 = php_strnlen(buffer+2+l1+1, length-2-l1-1);
 exif_iif_add_tag(ImageInfo, SECTION_APP12, "Info", TAG_NONE, TAG_FMT_STRING, l2, buffer+2+l1+1 TSRMLS_CC);
 }
 }
@@ -3404,6 +3404,10 @@ static int exif_scan_JPEG_header(image_info_type *Imag
 case M_SOF13:
 case M_SOF14:
 case M_SOF15:
+ if ((itemlen - 2) < 6) {
+ return FALSE;
+ }
+
 exif_process_SOFn(Data, marker, &sof_info);
 ImageInfo->Width = sof_info.width;
 ImageInfo->Height = sof_info.height;
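Review bot: In exif_process_APP12 the corrected bound `length-2-l1-1` is still derived by hand, separately from the guard `length > 2+l1+1` and from the pointer `buffer+2+l1+1`, which is how the old `+1` bound came to overshoot the remaining bytes. Computing the offset once keeps the three in agreement, e.g. `size_t off = 2 + l1 + 1;` followed by `if (length > off) { l2 = php_strnlen(buffer+off, length-off);`, with a short comment such as `/* bytes left after "Company" and its terminating NUL */`. Separately, the outer `php_strnlen(buffer+2, length-2)` context line assumes `length >= 2`. The start of the function is outside this hunk, so confirm the caller guarantees that, because an unsigned `length` below 2 would wrap to a very large scan bound.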
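Review bot: In exif_scan_JPEG_header the new guard `(itemlen - 2) < 6` is only sound if `itemlen` is already known to be at least 2. Its declaration and any earlier check are outside this hunk, and if it is an unsigned type a value of 0 or 1 would wrap and pass the test. Writing the guard as `if (itemlen < 8) {` expresses the same minimum without the subtraction. The constant is also unexplained; a comment such as `/* SOFn payload: 6 bytes after the 2-byte length field */` would help, though that meaning is inferred from the `- 2` and should be confirmed against exif_process_SOFn. The early `return FALSE` gives no diagnostic, so check that a truncated SOF segment is reported somewhere and that `Data` is still released on this path.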