From 281a1754b9e8348065bb7aa12539346b09e6393e Mon Sep 17 00:00:00 2001
From: "Christoph M. Becker" <cmbecker69@gmx.de>
Date: Thu, 12 Apr 2018 23:00:37 +0200
Subject: [PATCH] Fix #76164: exif_read_data zend_mm_heap corrupted

We must not release parsed parameters ourselves, since this is already
done by the engine.
---
 NEWS                         |  3 +++
 ext/exif/exif.c              |  2 --
 ext/exif/tests/bug76164.phpt | 16 ++++++++++++++++
 3 files changed, 19 insertions(+), 2 deletions(-)
 create mode 100644 ext/exif/tests/bug76164.phpt

diff --git a/NEWS b/NEWS
index 9aa92bbaa1..c82db3257d 100644
--- a/NEWS
+++ b/NEWS
@@ -2,6 +2,9 @@ PHP                                                                        NEWS
 |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
 ?? ??? 2018, PHP 7.2.6
 
+- EXIF:
+  . Fixed bug #76164 (exif_read_data zend_mm_heap corrupted). (cmb)
+
 - Session:
   . Fixed bug #74892 (Url Rewriting (trans_sid) not working on urls that start
     with "#"). (Andrew Nester)
diff --git a/ext/exif/exif.c b/ext/exif/exif.c
index d9c591496b..43bd7a33c3 100644
--- a/ext/exif/exif.c
+++ b/ext/exif/exif.c
@@ -4457,13 +4457,11 @@ PHP_FUNCTION(exif_read_data)
 #ifdef EXIF_DEBUG
 		sections_str = exif_get_sectionlist(sections_needed);
 		if (!sections_str) {
-			zend_string_release(z_sections_needed);
 			RETURN_FALSE;
 		}
 		exif_error_docref(NULL EXIFERR_CC, &ImageInfo, E_NOTICE, "Sections needed: %s", sections_str[0] ? sections_str : "None");
 		EFREE_IF(sections_str);
 #endif
-		zend_string_release(z_sections_needed);
 	}
 
 	if (Z_TYPE_P(stream) == IS_RESOURCE) {
diff --git a/ext/exif/tests/bug76164.phpt b/ext/exif/tests/bug76164.phpt
new file mode 100644
index 0000000000..ea77e1d5e9
--- /dev/null
+++ b/ext/exif/tests/bug76164.phpt
@@ -0,0 +1,16 @@
+--TEST--
+Bug #76164 (exif_read_data zend_mm_heap corrupted)
+--SKIPIF--
+<?php
+if (!extension_loaded('exif')) die('skip exif extension not available');
+?>
+--FILE--
+<?php
+$var1 = 'nonexistentfile';
+$var2 = 2200000000;
+@exif_read_data($var1, $var2); // we're not interested in the warning, here
+$var2 = 1;
+?>
+===DONE===
+--EXPECT--
+===DONE===
-- 
2.50.0