--- embedaddon/php/ext/standard/iptc.c 2012/05/29 12:34:43 1.1.1.2 +++ embedaddon/php/ext/standard/iptc.c 2014/06/15 20:03:57 1.1.1.4 @@ -2,7 +2,7 @@ +----------------------------------------------------------------------+ | PHP Version 5 | +----------------------------------------------------------------------+ - | Copyright (c) 1997-2012 The PHP Group | + | Copyright (c) 1997-2014 The PHP Group | +----------------------------------------------------------------------+ | This source file is subject to version 3.01 of the PHP license, | | that is bundled with this package in the file LICENSE, and is | @@ -16,7 +16,7 @@ +----------------------------------------------------------------------+ */ -/* $Id: iptc.c,v 1.1.1.2 2012/05/29 12:34:43 misho Exp $ */ +/* $Id: iptc.c,v 1.1.1.4 2014/06/15 20:03:57 misho Exp $ */ /* * Functions to parse & compse IPTC data. @@ -329,6 +329,9 @@ PHP_FUNCTION(iptcparse) recnum = buffer[ inx++ ]; if (buffer[ inx ] & (unsigned char) 0x80) { /* long tag */ + if((inx+6) >= str_len) { + break; + } len = (((long) buffer[ inx + 2 ]) << 24) + (((long) buffer[ inx + 3 ]) << 16) + (((long) buffer[ inx + 4 ]) << 8) + (((long) buffer[ inx + 5 ])); inx += 6; @@ -336,12 +339,12 @@ PHP_FUNCTION(iptcparse) len = (((unsigned short) buffer[ inx ])<<8) | (unsigned short)buffer[ inx+1 ]; inx += 2; } - - snprintf(key, sizeof(key), "%d#%03d", (unsigned int) dataset, (unsigned int) recnum); - - if ((len > str_len) || (inx + len) > str_len) { + + if ((len < 0) || (len > str_len) || (inx + len) > str_len) { break; } + + snprintf(key, sizeof(key), "%d#%03d", (unsigned int) dataset, (unsigned int) recnum); if (tagsfound == 0) { /* found the 1st tag - initialize the return array */ array_init(return_value);
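Review bot: The new `(inx+6) >= str_len` guard in the `@@ -329,6 +329,9 @@` hunk protects only the long-tag branch, while the `buffer[ inx ] & 0x80` test just above it and the two-byte read in the short-tag branch (`buffer[ inx ]`, `buffer[ inx+1 ]`, visible in the next hunk) have no bounds check in the visible lines. If the loop header, which is outside this hunk, does not already guarantee `inx + 1 < str_len` at this point, the same out-of-bounds read remains for a truncated short tag. A single check placed before the `if`, such as `if ((inx + 2) > str_len) { break; }`, would cover both paths. A short comment on the new guard would also help, for example `/* long tag: 2 marker bytes + 4 length bytes must lie inside the buffer */`.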
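Review bot: In the `@@ -336,12 +339,12 @@` hunk the rewritten condition still computes `inx + len` before comparing it with `str_len`, so the sum itself can overflow for very large inputs if `inx`, `len` and `str_len` are plain `int` (their declarations are outside the hunk). The added `len < 0` test catches a length that is already negative, but not an overflow in that addition. Comparing against the remaining space avoids the addition and makes the separate `len > str_len` test unnecessary: `if ((len < 0) || (len > str_len - inx)) {`. Moving `snprintf` below the check is a good change, since the key is no longer formatted for a tag that is about to be rejected. The body of `PHP_FUNCTION(iptcparse)` continues beyond the hunk.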