--- embedaddon/php/ext/exif/exif.c	2013/07/22 01:31:40	1.1.1.3
+++ embedaddon/php/ext/exif/exif.c	2014/06/15 20:03:43	1.1.1.5
@@ -2,7 +2,7 @@
    +----------------------------------------------------------------------+
    | PHP Version 5                                                        |
    +----------------------------------------------------------------------+
-   | Copyright (c) 1997-2013 The PHP Group                                |
+   | Copyright (c) 1997-2014 The PHP Group                                |
    +----------------------------------------------------------------------+
    | This source file is subject to version 3.01 of the PHP license,      |
    | that is bundled with this package in the file LICENSE, and is        |
@@ -17,7 +17,7 @@
    +----------------------------------------------------------------------+
  */
 
-/* $Id: exif.c,v 1.1.1.3 2013/07/22 01:31:40 misho Exp $ */
+/* $Id: exif.c,v 1.1.1.5 2014/06/15 20:03:43 misho Exp $ */
 
 /*  ToDos
  *
@@ -138,7 +138,7 @@ const zend_function_entry exif_functions[] = {
 };
 /* }}} */
 
-#define EXIF_VERSION "1.4 $Id: exif.c,v 1.1.1.3 2013/07/22 01:31:40 misho Exp $"
+#define EXIF_VERSION "1.4 $Id: exif.c,v 1.1.1.5 2014/06/15 20:03:43 misho Exp $"
 
 /* {{{ PHP_MINFO_FUNCTION
  */
@@ -2595,7 +2595,7 @@ static int exif_process_string_raw(char **result, char
 
 /* {{{ exif_process_string
  * Copy a string in Exif header to a character string and return length of allocated buffer if any.
- * In contrast to exif_process_string this function does allways return a string buffer */
+ * In contrast to exif_process_string this function does always return a string buffer */
 static int exif_process_string(char **result, char *value, size_t byte_count TSRMLS_DC) {
 	/* we cannot use strlcpy - here the problem is that we cannot use strlen to
 	 * determin length of string and we cannot use strlcpy with len=byte_count+1
@@ -2643,6 +2643,7 @@ static int exif_process_user_comment(image_info_type *
 			} else {
 				decode = ImageInfo->decode_unicode_le;
 			}
+			/* XXX this will fail again if encoding_converter returns on error something different than SIZE_MAX   */
 			if (zend_multibyte_encoding_converter(
 					(unsigned char**)pszInfoPtr, 
 					&len, 
@@ -2650,7 +2651,7 @@ static int exif_process_user_comment(image_info_type *
 					ByteCount,
 					zend_multibyte_fetch_encoding(ImageInfo->encode_unicode TSRMLS_CC),
 					zend_multibyte_fetch_encoding(decode TSRMLS_CC)
-					TSRMLS_CC) < 0) {
+					TSRMLS_CC) == (size_t)-1) {
 				len = exif_process_string_raw(pszInfoPtr, szValuePtr, ByteCount);
 			}
 			return len;
@@ -2663,6 +2664,7 @@ static int exif_process_user_comment(image_info_type *
 			*pszEncoding = estrdup((const char*)szValuePtr);
 			szValuePtr = szValuePtr+8;
 			ByteCount -= 8;
+			/* XXX this will fail again if encoding_converter returns on error something different than SIZE_MAX   */
 			if (zend_multibyte_encoding_converter(
 					(unsigned char**)pszInfoPtr, 
 					&len, 
@@ -2670,7 +2672,7 @@ static int exif_process_user_comment(image_info_type *
 					ByteCount,
 					zend_multibyte_fetch_encoding(ImageInfo->encode_jis TSRMLS_CC),
 					zend_multibyte_fetch_encoding(ImageInfo->motorola_intel ? ImageInfo->decode_jis_be : ImageInfo->decode_jis_le TSRMLS_CC)
-					TSRMLS_CC) < 0) {
+					TSRMLS_CC) == (size_t)-1) {
 				len = exif_process_string_raw(pszInfoPtr, szValuePtr, ByteCount);
 			}
 			return len;
@@ -2700,8 +2702,8 @@ static int exif_process_user_comment(image_info_type *
 static int exif_process_unicode(image_info_type *ImageInfo, xp_field_type *xp_field, int tag, char *szValuePtr, int ByteCount TSRMLS_DC)
 {
 	xp_field->tag = tag;	
-
-	/* Copy the comment */
+	
+	/* XXX this will fail again if encoding_converter returns on error something different than SIZE_MAX   */
 	if (zend_multibyte_encoding_converter(
 			(unsigned char**)&xp_field->value, 
 			&xp_field->size, 
@@ -2709,7 +2711,7 @@ static int exif_process_unicode(image_info_type *Image
 			ByteCount,
 			zend_multibyte_fetch_encoding(ImageInfo->encode_unicode TSRMLS_CC),
 			zend_multibyte_fetch_encoding(ImageInfo->motorola_intel ? ImageInfo->decode_unicode_be : ImageInfo->decode_unicode_le TSRMLS_CC)
-			TSRMLS_CC) < 0) {
+			TSRMLS_CC) == (size_t)-1) {
 		xp_field->size = exif_process_string_raw(&xp_field->value, szValuePtr, ByteCount);
 	}
 	return xp_field->size;
@@ -2850,7 +2852,12 @@ static int exif_process_IFD_TAG(image_info_type *Image
 		offset_val = php_ifd_get32u(dir_entry+8, ImageInfo->motorola_intel);
 		/* If its bigger than 4 bytes, the dir entry contains an offset. */
 		value_ptr = offset_base+offset_val;
-		if (byte_count > IFDlength || offset_val > IFDlength-byte_count || value_ptr < dir_entry) {
+        /* 
+            dir_entry is ImageInfo->file.list[sn].data+2+i*12
+            offset_base is ImageInfo->file.list[sn].data-dir_offset 
+            dir_entry - offset_base is dir_offset+2+i*12
+        */
+		if (byte_count > IFDlength || offset_val > IFDlength-byte_count || value_ptr < dir_entry || offset_val < (size_t)(dir_entry-offset_base)) {
 			/* It is important to check for IMAGE_FILETYPE_TIFF
 			 * JPEG does not use absolute pointers instead its pointers are
 			 * relative to the start of the TIFF header in APP1 section. */