]> granicus.if.org Git - php/commitdiff
projects / php / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: e3255a4)
Fix exif leak on duplicate copyright tags
authorNikita Popov <nikita.ppv@gmail.com>
Thu, 19 Sep 2019 12:16:36 +0000 (14:16 +0200)
committerNikita Popov <nikita.ppv@gmail.com>
Thu, 19 Sep 2019 12:19:31 +0000 (14:19 +0200)
ext/exif/exif.c patch | blob | history
ext/exif/tests/duplicate_copyright_tag_leak.phpt [new file with mode: 0644] patch | blob
ext/exif/tests/duplicate_copyright_tag_leak.tiff [new file with mode: 0644] patch | blob

diff --git a/ext/exif/exif.c b/ext/exif/exif.c
index 984c9156391838d9ddb1867469aaac715504f21b..25cec40df88970a5fe8430dfcc73c488f7103ad4 100644 (file)
--- a/ext/exif/exif.c
+++ b/ext/exif/exif.c
@@ -3418,6 +3418,9 @@ static int exif_process_IFD_TAG(image_info_type *ImageInfo, char *dir_entry, cha
                                if (byte_count>1 && (length=php_strnlen(value_ptr, byte_count)) > 0) {
                                        if (length<byte_count-1) {
                                                /* When there are any characters after the first NUL */
+                                               EFREE_IF(ImageInfo->CopyrightPhotographer);
+                                               EFREE_IF(ImageInfo->CopyrightEditor);
+                                               EFREE_IF(ImageInfo->Copyright);
                                                ImageInfo->CopyrightPhotographer  = estrdup(value_ptr);
                                                ImageInfo->CopyrightEditor        = estrndup(value_ptr+length+1, byte_count-length-1);
                                                spprintf(&ImageInfo->Copyright, 0, "%s, %s", ImageInfo->CopyrightPhotographer, ImageInfo->CopyrightEditor);
@@ -3425,6 +3428,7 @@ static int exif_process_IFD_TAG(image_info_type *ImageInfo, char *dir_entry, cha
                                                /* but we are not supposed to change this                   */
                                                /* keep in mind that image_info does not store editor value */
                                        } else {
+                                               EFREE_IF(ImageInfo->Copyright);
                                                ImageInfo->Copyright = estrndup(value_ptr, byte_count);
                                        }
                                }
diff --git a/ext/exif/tests/duplicate_copyright_tag_leak.phpt b/ext/exif/tests/duplicate_copyright_tag_leak.phpt
new file mode 100644 (file)
index 0000000..c5d5019
--- /dev/null
+++ b/ext/exif/tests/duplicate_copyright_tag_leak.phpt
@@ -0,0 +1,12 @@
+--TEST--
+OSS-Fuzz #17474: Memory leak on duplicate Copyright tags
+--FILE--
+<?php
+
+// Only checking for an absence of leaks here.
+@exif_read_data(__DIR__ . '/duplicate_copyright_tag_leak.tiff');
+
+?>
+===DONE===
+--EXPECTF--
+===DONE===
diff --git a/ext/exif/tests/duplicate_copyright_tag_leak.tiff b/ext/exif/tests/duplicate_copyright_tag_leak.tiff
new file mode 100644 (file)
index 0000000..48c7fe6
Binary files /dev/null and b/ext/exif/tests/duplicate_copyright_tag_leak.tiff differ
Unnamed repository; edit this file 'description' to name the repository.