From c4294440ffc4a59a1298292b76072e6759034a68 Mon Sep 17 00:00:00 2001
From: Ben Ramsey
Date: Sun, 10 Feb 2019 12:25:19 -0600
Subject: [PATCH] Fixed bug #77564: Memory leak in exif_process_IFD_TAG

The memory leak occurs when more than one UserComment tag is present in the EXIF data. It's still considered corrupt EXIF data, but this ensures the memory is freed before trying to set to already allocated memory.
---
 NEWS | 3 +++
 ext/exif/exif.c | 4 ++++
 ext/exif/tests/bug77564/bug77564.jpg | Bin 0 -> 73 bytes
 ext/exif/tests/bug77564/bug77564.phpt | 18 ++++++++++++++++++
 4 files changed, 25 insertions(+)
 create mode 100644 ext/exif/tests/bug77564/bug77564.jpg
 create mode 100644 ext/exif/tests/bug77564/bug77564.phpt

diff --git a/NEWS b/NEWS
index fa5200ce84..533b04e5ee 100644
--- a/NEWS
+++ b/NEWS
@@ -6,6 +6,9 @@ PHP NEWS
 . Fixed bug #77589 (Core dump using parse_ini_string with numeric sections). (Laruence)
+- Exif:
+ . Fixed bug #77564 (Memory leak in exif_process_IFD_TAG). (Ben Ramsey)
+
 - PDO_OCI:
 . Support Oracle Database tracing attributes ACTION, MODULE, CLIENT_INFO, and CLIENT_IDENTIFIER. (Cameron Porter)
diff --git a/ext/exif/exif.c b/ext/exif/exif.c
index be02c9da40..9c202196c6 100644
--- a/ext/exif/exif.c
+++ b/ext/exif/exif.c
@@ -3405,6 +3405,10 @@ static int exif_process_IFD_TAG(image_info_type *ImageInfo, char *dir_entry, cha
 break;
 case TAG_USERCOMMENT:
+ EFREE_IF(ImageInfo->UserComment);
+ ImageInfo->UserComment = NULL;
+ EFREE_IF(ImageInfo->UserCommentEncoding);
+ ImageInfo->UserCommentEncoding = NULL;
 ImageInfo->UserCommentLength = exif_process_user_comment(ImageInfo, &(ImageInfo->UserComment), &(ImageInfo->UserCommentEncoding), value_ptr, byte_count);
 break;
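Review bot: The duplicate-tag case is handled silently even though the commit message calls a repeated UserComment corrupt EXIF data: the four lines added at the top of `case TAG_USERCOMMENT:` free and reset the earlier allocation but raise no diagnostic, so a caller cannot tell a well-formed file from one whose comment was overwritten by a later entry. Consider reporting it through the warning path the function already uses for other malformed structures (the test's expected output shows that path exists) while keeping the replace-instead-of-leak behaviour, and put a why-comment above the first `EFREE_IF`: `/* A repeated UserComment tag is corrupt data; release the earlier allocation instead of leaking it when the pointer is overwritten below. */`. `UserCommentLength` is not reset alongside the two pointers; the assignment on the next line overwrites it, but if exif_process_user_comment can return without storing a length (not visible in the hunk) the field would be stale while both pointers are NULL, so `ImageInfo->UserCommentLength = 0;` next to the resets is cheap insurance. It is also worth checking whether other tags in this switch that store an allocated buffer into ImageInfo assign it the same way, since they would presumably leak in the same way on duplicate entries. exif_process_IFD_TAG begins and ends outside the hunk.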
diff --git a/ext/exif/tests/bug77564/bug77564.jpg b/ext/exif/tests/bug77564/bug77564.jpg
new file mode 100644
index 0000000000000000000000000000000000000000..868fffd1db11e4f2b3ee294724f0a20b3bc1d88c
GIT binary patch
literal 73
zcmex=;~|5aYei-n1B0(GgBAk=0}l{0FfdJOV_<~x)R5Rlp?;pu{w}TzjzECS1^_13 B4ix|Z

literal 0
HcmV?d00001

diff --git a/ext/exif/tests/bug77564/bug77564.phpt b/ext/exif/tests/bug77564/bug77564.phpt
new file mode 100644
index 0000000000..2f72b3c9ac
--- /dev/null
+++ b/ext/exif/tests/bug77564/bug77564.phpt
@@ -0,0 +1,18 @@
+--TEST--
+Bug 77564 (Memory leak in exif_process_IFD_TAG)
+--SKIPIF--
+
+--FILE--
+
+DONE
+--EXPECTF--
+
+Warning: exif_read_data(bug77564.jpg): Illegal IFD offset in %sbug77564.php on line %d
+
+Warning: exif_read_data(bug77564.jpg): File structure corrupted in %sbug77564.php on line %d
+
+Warning: exif_read_data(bug77564.jpg): Invalid JPEG file in %sbug77564.php on line %d
+bool(false)
+DONE
-- 
2.40.0