Fixed bug #23102 (integer overflow in exif_iif_add_value()).

diff --git a/ext/exif/exif.c b/ext/exif/exif.c
index 409f0855889dbe3591ac0ab3b1c474d593c3a0ed..f89670e9af1b7a72894507da6f107d8999ff6e11 100644 (file)
--- a/ext/exif/exif.c
+++ b/ext/exif/exif.c
@@ -1529,6 +1529,10 @@ static void exif_iif_add_value(image_info_type *image_info, int section_index, c
        image_info_data  *info_data;
        image_info_data  *list;
 
+       if (length >= LONG_MAX) {
+               return;
+       }
+
        list = erealloc(image_info->info_list[section_index].list, (image_info->info_list[section_index].count+1)*sizeof(image_info_data));
        image_info->info_list[section_index].list = list;