We must not close the stream in exif_read_from_impl(), since it is the
responsibility of the (caller's) caller to do so, if it actually opened
the stream.
We simplify the reproduce script, which is actually about supplying a
path to a directory (as opposed to a regular file), and use `.` instead of
`/` to also make it work on Windows.
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
?? ??? ????, PHP 7.2.8
+- EXIF:
+ . Fixed bug #76409 (heap use after free in _php_stream_free). (cmb)
+
07 Jun 2018, PHP 7.2.7
- Core:
zend_string *base;
if ((st.st_mode & S_IFMT) != S_IFREG) {
exif_error_docref(NULL EXIFERR_CC, ImageInfo, E_WARNING, "Not a file");
- php_stream_close(ImageInfo->infile);
+ ImageInfo->infile = NULL;
return FALSE;
}
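Review bot: The added `ImageInfo->infile = NULL;` in the "Not a file" branch carries no comment explaining why the stream is dropped instead of closed, so a later cleanup could put `php_stream_close()` back and reintroduce the use after free. A one-line comment saying the stream is owned by the caller and is closed there would help. Only this branch is touched in the hunk, so it is also worth confirming that no other early-return path in the same function still closes `ImageInfo->infile`.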
--- /dev/null
+--TEST--
+Bug #76409 (heap use after free in _php_stream_free)
+--SKIPIF--
+<?php
+if (!extension_loaded('exif')) die('skip exif extension not available');
+?>
+--FILE--
+<?php
+exif_read_data('.');
+?>
+===DONE===
+--EXPECTF--
+Warning: exif_read_data(): Not a file in %s on line %d
+===DONE===
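Review bot: The `--FILE--` section calls `exif_read_data('.')` and discards the result, so the test pins only the warning text; on a build without a memory checker the use after free may not show up at all. Consider dumping the return value and matching it in `--EXPECTF--`, so the test also verifies that the call fails cleanly after the warning rather than merely reaching `===DONE===`.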