
php-4.3.4-4.6.100mdk.src.rpm

diff -Nur php4-4.3.8/ext/exif/exif.c php4-4.3.8.new/ext/exif/exif.c
--- php4-4.3.8/ext/exif/exif.c	2005-04-14 07:21:55.012605368 +0000
+++ php4-4.3.8.new/ext/exif/exif.c	2005-04-14 07:23:00.186697400 +0000
@@ -85,6 +85,8 @@
 
 #define EFREE_IF(ptr)	if (ptr) efree(ptr)
 
+#define MAX_IFD_NESTING_LEVEL 250
+
 static unsigned char exif_thumbnail_force_ref[] = {2, BYREF_NONE, BYREF_FORCE_REST};
 
 /* {{{ exif_functions[]
@@ -1430,6 +1432,7 @@
 	/* for parsing */
 	int             read_thumbnail;
 	int             read_all;
+	int             ifd_nesting_level;
 	/* internal */
 	file_section_list 	file;
 } image_info_type;
@@ -2689,6 +2692,13 @@
 	size_t byte_count, offset_val, fpos, fgot;
 	xp_field_type *tmp_xp;
 
+	/* Protect against corrupt headers */
+	if (ImageInfo->ifd_nesting_level > MAX_IFD_NESTING_LEVEL) {
+		exif_error_docref("exif_read_data#error_ifd" TSRMLS_CC, ImageInfo, E_WARNING, "corrupt EXIF header: maximum directory nesting level reached");
+		return FALSE;
+	}
+	ImageInfo->ifd_nesting_level++;
+
 	tag = php_ifd_get16u(dir_entry, ImageInfo->motorola_intel);
 	format = php_ifd_get16u(dir_entry+2, ImageInfo->motorola_intel);
 	components = php_ifd_get32u(dir_entry+4, ImageInfo->motorola_intel);
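Review bot: The counter added at `ImageInfo->ifd_nesting_level++` is bumped on every call that reads a `dir_entry`, and nothing in this hunk decrements it on the way out, so it appears to count entries processed since the reset before `exif_scan_FILE_header` rather than the depth of nested directories. If that holds for the rest of the function (its body continues outside the hunk), a well-formed image with more than 250 entries would be rejected as corrupt. Decrementing on every return path keeps the recursion bound while measuring real depth, for instance by moving the body into a helper and wrapping the call as `ImageInfo->ifd_nesting_level++; ret = helper(...); ImageInfo->ifd_nesting_level--;`. The `>` comparison also admits one level more than `MAX_IFD_NESTING_LEVEL`; `>=` would match the constant's name.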
@@ -2702,6 +2712,11 @@
 
 	byte_count = components * php_tiff_bytes_per_format[format];
 
+	if ((ssize_t)byte_count < 0) {
+		exif_error_docref("exif_read_data#error_ifd" TSRMLS_CC, ImageInfo, E_WARNING, "Process tag(x%04X=%s): Illegal byte_count(%ld)", tag, exif_get_tagname(tag, tagname, -12, tag_table TSRMLS_CC), byte_count);
+		return FALSE;
+	}
+
 	if (byte_count > 4) {
 		offset_val = php_ifd_get32u(dir_entry+8, ImageInfo->motorola_intel);
 		/* If its bigger than 4 bytes, the dir entry contains an offset. */
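Review bot: The `(ssize_t)byte_count < 0` test runs after `components * php_tiff_bytes_per_format[format]` has already been computed, so it only catches products whose top bit is set; a large `components` can wrap to a small positive `byte_count` and continue as if valid. Bounding `components` before the multiplication closes that gap, e.g. `if (components < 0 || (size_t)components > SSIZE_MAX / php_tiff_bytes_per_format[format])` followed by the same warning and `return FALSE;` (this assumes `components` is a signed int and the table entry is non-zero, neither of which is visible here). The warning also passes `byte_count`, declared `size_t` in the previous hunk, to `%ld`; writing `(long)byte_count` keeps the format and argument types matched. If this is the same function as the nesting-level hunk, this early return also leaves `ifd_nesting_level` incremented.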
@@ -3713,6 +3728,8 @@
 		}
 	}
 
+	ImageInfo->ifd_nesting_level = 0;
+
 	/* Scan the JPEG headers. */
 	ret = exif_scan_FILE_header(ImageInfo TSRMLS_CC);