]> granicus.if.org Git - php/commitdiff
projects / php / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 9222702)
Fixed bug #77564: Memory leak in exif_process_IFD_TAG
authorBen Ramsey <ben@benramsey.com>
Sun, 10 Feb 2019 18:25:19 +0000 (12:25 -0600)
committerNikita Popov <nikita.ppv@gmail.com>
Tue, 12 Feb 2019 08:28:33 +0000 (09:28 +0100)
The memory leak occurs when more than one UserComment tag is present in
the EXIF data. It's still considered corrupt EXIF data, but this ensures
the memory is freed before trying to set to already allocated memory.

NEWS patch | blob | history
ext/exif/exif.c patch | blob | history
ext/exif/tests/bug77564/bug77564.jpg [new file with mode: 0644] patch | blob
ext/exif/tests/bug77564/bug77564.phpt [new file with mode: 0644] patch | blob

diff --git a/NEWS b/NEWS
index fa5200ce845abbe2d4a89a11f874493f16da6b3b..533b04e5ee743dcae6ace02d6a988796fc341259 100644 (file)
--- a/NEWS
+++ b/NEWS
@@ -6,6 +6,9 @@ PHP                                                                        NEWS
   . Fixed bug #77589 (Core dump using parse_ini_string with numeric sections).
     (Laruence)
 
+- Exif:
+  . Fixed bug #77564 (Memory leak in exif_process_IFD_TAG). (Ben Ramsey)
+
 - PDO_OCI:
   . Support Oracle Database tracing attributes ACTION, MODULE,
     CLIENT_INFO, and CLIENT_IDENTIFIER. (Cameron Porter)
diff --git a/ext/exif/exif.c b/ext/exif/exif.c
index be02c9da4080964f4abb1c002652822eb3a9ab57..9c202196c66c3d5fe6fb8f959e3ea0d36036f1db 100644 (file)
--- a/ext/exif/exif.c
+++ b/ext/exif/exif.c
@@ -3405,6 +3405,10 @@ static int exif_process_IFD_TAG(image_info_type *ImageInfo, char *dir_entry, cha
                                break;
 
                        case TAG_USERCOMMENT:
+                               EFREE_IF(ImageInfo->UserComment);
+                               ImageInfo->UserComment = NULL;
+                               EFREE_IF(ImageInfo->UserCommentEncoding);
+                               ImageInfo->UserCommentEncoding = NULL;
                                ImageInfo->UserCommentLength = exif_process_user_comment(ImageInfo, &(ImageInfo->UserComment), &(ImageInfo->UserCommentEncoding), value_ptr, byte_count);
                                break;
 
diff --git a/ext/exif/tests/bug77564/bug77564.jpg b/ext/exif/tests/bug77564/bug77564.jpg
new file mode 100644 (file)
index 0000000..868fffd
Binary files /dev/null and b/ext/exif/tests/bug77564/bug77564.jpg differ
diff --git a/ext/exif/tests/bug77564/bug77564.phpt b/ext/exif/tests/bug77564/bug77564.phpt
new file mode 100644 (file)
index 0000000..2f72b3c
--- /dev/null
+++ b/ext/exif/tests/bug77564/bug77564.phpt
@@ -0,0 +1,18 @@
+--TEST--
+Bug 77564 (Memory leak in exif_process_IFD_TAG)
+--SKIPIF--
+<?php if (!extension_loaded('exif')) print 'skip exif extension not available';?>
+--FILE--
+<?php
+var_dump(exif_read_data(dirname(__FILE__) . '/bug77564.jpg'));
+?>
+DONE
+--EXPECTF--
+
+Warning: exif_read_data(bug77564.jpg): Illegal IFD offset in %sbug77564.php on line %d
+
+Warning: exif_read_data(bug77564.jpg): File structure corrupted in %sbug77564.php on line %d
+
+Warning: exif_read_data(bug77564.jpg): Invalid JPEG file in %sbug77564.php on line %d
+bool(false)
+DONE
Unnamed repository; edit this file 'description' to name the repository.