From ee2ed0e40321be622cb1d3ac431b9643b84907e8 Mon Sep 17 00:00:00 2001
From: =?utf8?q?Bartosz=20Dziewo=C5=84ski?= <matma.rex@gmail.com>
Date: Fri, 30 Sep 2016 00:15:48 +0200
Subject: [PATCH] JpegMetadataExtractor: Allow empty segments

A segment which consists only of the marker and length value
(equal to 2, the length of the value itself) appears to be
perfectly valid, and is ignored by every image viewer I tested.

Bug: T147015
Change-Id: I3124c587ccb1c457df25fd5bf7a47feab9312a38
---
 includes/media/JpegMetadataExtractor.php | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/includes/media/JpegMetadataExtractor.php b/includes/media/JpegMetadataExtractor.php
index 81722c6d62..9ad40977bc 100644
--- a/includes/media/JpegMetadataExtractor.php
+++ b/includes/media/JpegMetadataExtractor.php
@@ -155,7 +155,7 @@ class JpegMetadataExtractor {
 			} else {
 				// segment we don't care about, so skip
 				$size = wfUnpack( "nint", fread( $fh, 2 ), 2 );
-				if ( $size['int'] <= 2 ) {
+				if ( $size['int'] < 2 ) {
 					throw new MWException( "invalid marker size in jpeg" );
 				}
 				fseek( $fh, $size['int'] - 2, SEEK_CUR );
@@ -173,9 +173,13 @@ class JpegMetadataExtractor {
 	 */
 	private static function jpegExtractMarker( &$fh ) {
 		$size = wfUnpack( "nint", fread( $fh, 2 ), 2 );
-		if ( $size['int'] <= 2 ) {
+		if ( $size['int'] < 2 ) {
 			throw new MWException( "invalid marker size in jpeg" );
 		}
+		if ( $size['int'] === 2 ) {
+			// fread( ..., 0 ) generates a warning
+			return '';
+		}
 		$segment = fread( $fh, $size['int'] - 2 );
 		if ( strlen( $segment ) !== $size['int'] - 2 ) {
 			throw new MWException( "Segment shorter than expected" );
-- 
2.20.1