Merge branch 'PHP-7.3' into PHP-7.4

* PHP-7.3:
  Fix bug #75785 by attempt switching endianness on Maker's Note

Author: nikic

NEWS

@@ -18,6 +18,10 @@ PHP                                                                        NEWS
   . Fixed bug #48585 (com_load_typelib holds reference, fails on second call).
     (cmb)
 
+- Exif:
+  . Fixed bug #75785 (Many errors from exif_read_data).
+    (Níckolas Daniel da Silva)
+
 - Gettext:
   . Fixed bug #70574 (Tests fail due to relying on Linux fallback behavior for
     gettext()). (Florian Engelhardt)

ext/exif/exif.c

@@ -64,7 +64,7 @@ typedef unsigned char uchar;
 
 #define EFREE_IF(ptr)	if (ptr) efree(ptr)
 
-#define MAX_IFD_NESTING_LEVEL 150
+#define MAX_IFD_NESTING_LEVEL 200
 
 /* {{{ arginfo */
 ZEND_BEGIN_ARG_INFO(arginfo_exif_tagname, 0)
@@ -3210,6 +3210,23 @@ static int exif_process_IFD_in_MAKERNOTE(image_info_type *ImageInfo, char * valu
 
 	NumDirEntries = php_ifd_get16u(dir_start, ImageInfo->motorola_intel);
 
+	/* It can be that motorola_intel is wrongly mapped, let's try inverting it */
+	if ((2+NumDirEntries*12) > value_len) {
+		exif_error_docref(NULL EXIFERR_CC, ImageInfo, E_NOTICE, "Potentially invalid endianess, trying again with different endianness before imminent failure.");
+
+		ImageInfo->motorola_intel = ImageInfo->motorola_intel == 0 ? 1 : 0;
+		NumDirEntries = php_ifd_get16u(dir_start, ImageInfo->motorola_intel);
+	}
+
+	if ((2+NumDirEntries*12) > value_len) {
+		exif_error_docref("exif_read_data#error_ifd" EXIFERR_CC, ImageInfo, E_WARNING, "Illegal IFD size: 2 + 0x%04X*12 = 0x%04X > 0x%04X", NumDirEntries, 2+NumDirEntries*12, value_len);
+		return FALSE;
+	}
+	if ((dir_start - value_ptr) > value_len - (2+NumDirEntries*12)) {
+		exif_error_docref("exif_read_data#error_ifd" EXIFERR_CC, ImageInfo, E_WARNING, "Illegal IFD size: 0x%04X > 0x%04X", (dir_start - value_ptr) + (2+NumDirEntries*12), value_len);
+		return FALSE;
+	}
+
 	switch (maker_note->offset_mode) {
 		case MN_OFFSET_MAKER:
 			offset_base = value_ptr;
@@ -3240,15 +3257,6 @@ static int exif_process_IFD_in_MAKERNOTE(image_info_type *ImageInfo, char * valu
 			break;
 	}
 
-	if ((2+NumDirEntries*12) > value_len) {
-		exif_error_docref("exif_read_data#error_ifd" EXIFERR_CC, ImageInfo, E_WARNING, "Illegal IFD size: 2 + 0x%04X*12 = 0x%04X > 0x%04X", NumDirEntries, 2+NumDirEntries*12, value_len);
-		return FALSE;
-	}
-	if ((dir_start - value_ptr) > value_len - (2+NumDirEntries*12)) {
-		exif_error_docref("exif_read_data#error_ifd" EXIFERR_CC, ImageInfo, E_WARNING, "Illegal IFD size: 0x%04X > 0x%04X", (dir_start - value_ptr) + (2+NumDirEntries*12), value_len);
-		return FALSE;
-	}
-
 	for (de=0;de<NumDirEntries;de++) {
 		size_t offset = 2 + 12 * de;
 		if (!exif_process_IFD_TAG(ImageInfo, dir_start + offset,

ext/exif/tests/bug75785/P1000506.JPG

@@ -0,0 +1,17 @@
+--TEST--
+Bug #75785 fix corrupt EXIF header issues; Related to mixed endianness. (Thank you @Richard Matzinger for providing the test photo)
+--SKIPIF--
+<?php if (!extension_loaded('exif')) print 'skip exif extension not available';?>
+--FILE--
+<?php
+$mixedEndiannessFile = dirname(__FILE__).'/P1000506.JPG';
+$tags = exif_read_data($mixedEndiannessFile, 'EXIF', true, false);
+
+echo $tags['GPS']['GPSLatitude'][0] . PHP_EOL;
+echo $tags['GPS']['GPSLongitude'][0] . PHP_EOL;
+?>
+===DONE===
+--EXPECTF--
+38/1
+122/1
+===DONE===