author | Stanislav Malyshev <stas@php.net> | 2015-01-11 00:51:05 -0800 |
---|---|---|
committer | Julien Pauli <jpauli@php.net> | 2015-01-21 10:14:24 +0100 |
commit | 55001de6d8c6ed2aada870a76de1e4b4558737bf (patch) | |
tree | fad17e8e0a6cb819d94004d170aa6af3c4ca8550 | |
parent | 6735df19b8a1c4095e2d6716fcd058582fa05930 (diff) | |
Fix bug #68799: Free called on unitialized pointer
-rw-r--r-- | ext/exif/exif.c | 2 | ||||
-rw-r--r-- | ext/exif/tests/bug68799.jpg | bin | 0 -> 735 bytes | |||
-rw-r--r-- | ext/exif/tests/bug68799.phpt | 63 |
3 files changed, 64 insertions, 1 deletions
diff --git a/ext/exif/exif.c b/ext/exif/exif.c
index 637ebf9289..7f95ff43ea 100644
--- a/ext/exif/exif.c
+++ b/ext/exif/exif.c
@@ -2702,7 +2702,7 @@ static int exif_process_user_comment(image_info_type *ImageInfo, char **pszInfoP
 static int exif_process_unicode(image_info_type *ImageInfo, xp_field_type *xp_field, int tag, char *szValuePtr, int ByteCount TSRMLS_DC)
 {
 xp_field->tag = tag;
-
+ xp_field->value = NULL;
 /* XXX this will fail again if encoding_converter returns on error something different than SIZE_MAX */
 if (zend_multibyte_encoding_converter(
 (unsigned char**)&xp_field->value,
diff --git a/ext/exif/tests/bug68799.jpg b/ext/exif/tests/bug68799.jpg
Binary files differ
new file mode 100644
index 0000000000..acc326dbbf
--- /dev/null
+++ b/ext/exif/tests/bug68799.jpg
diff --git a/ext/exif/tests/bug68799.phpt b/ext/exif/tests/bug68799.phpt
new file mode 100644
index 0000000000..b09f21ca7b
--- /dev/null
+++ b/ext/exif/tests/bug68799.phpt
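Review bot: The added `xp_field->value = NULL;` in exif_process_unicode() carries no comment saying why it is there, while the XXX comment directly below it still records that the error check depends on one specific failure value from the converter. I would put `/* NULL first: if conversion fails before writing value, a later free must not see an uninitialized pointer (bug #68799) */` above the assignment. The rest of the function is outside the hunk, so it cannot be checked here whether `xp_field->size` is written on every path; if it is not, `xp_field->size = 0;` next to the new line would be the matching guard. Initialising the entry where the xp_field slot is allocated would presumably protect any other consumer as well, but that code is not part of this commit.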
@@ -0,0 +1,63 @@
+--TEST--
+Bug #68799 (Free called on unitialized pointer)
+--SKIPIF--
+<?php if (!extension_loaded('exif')) print 'skip exif extension not available';?>
+--FILE--
+<?php
+/*
+* Pollute the heap. Helps trigger bug. Sometimes not needed.
+*/
+class A {
+ function __construct() {
+ $a = 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAa';
+ $this->a = $a . $a . $a . $a . $a . $a;
+ }
+};
+
+function doStuff ($limit) {
+
+ $a = new A;
+
+ $b = array();
+ for ($i = 0; $i < $limit; $i++) {
+ $b[$i] = clone $a;
+ }
+
+ unset($a);
+
+ gc_collect_cycles();
+}
+
+$iterations = 3;
+
+doStuff($iterations);
+doStuff($iterations);
+
+gc_collect_cycles();
+
+print_r(exif_read_data(__DIR__.'/bug68799.jpg'));
+
+?>
+--EXPECTF--
+Array
+(
+ [FileName] => bug68799.jpg
+ [FileDateTime] => %d
+ [FileSize] => 735
+ [FileType] => 2
+ [MimeType] => image/jpeg
+ [SectionsFound] => ANY_TAG, IFD0, WINXP
+ [COMPUTED] => Array
+ (
+ [html] => width="1" height="1"
+ [Height] => 1
+ [Width] => 1
+ [IsColor] => 1
+ [ByteOrderMotorola] => 1
+ )
+
+ [XResolution] => 96/1
+ [YResolution] => 96/1
+ [ResolutionUnit] => 2
+ [Author] =>
+)
 |
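Review bot: This regression test can pass on an unfixed build, because its own header comment says the heap pollution in `doStuff()` is only "sometimes" what makes the bad free visible, so a green run does not show that the pointer is initialised. I would extend that header comment with a line such as `* Only deterministic under a memory checker (valgrind/ASan); a plain run may pass on an unfixed build.` so maintainers know how to run it when touching ext/exif. The expected output also pins `[Author] =>` as empty without explanation; a one-line comment in the FILE section stating that the fixture's Author tag is expected to decode to an empty value would make the assertion easier to maintain.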