authorNikita Popov <nikita.ppv@gmail.com>2019-09-19 14:16:36 +0200
committerNikita Popov <nikita.ppv@gmail.com>2019-09-19 14:19:31 +0200
commit3e139a465333d3b2bed4d23e42316ea952d96dd8 (patch)
treef395334ce9965082f90965000475e253944514e4
parente3255a4f49f32e5fd936b9de4e77b594d1d4015a (diff)
Fix exif leak on duplicate copyright tags
-rw-r--r--ext/exif/exif.c4
-rw-r--r--ext/exif/tests/duplicate_copyright_tag_leak.phpt12
-rw-r--r--ext/exif/tests/duplicate_copyright_tag_leak.tiffbin0 -> 9397 bytes
3 files changed, 16 insertions, 0 deletions
diff --git a/ext/exif/exif.c b/ext/exif/exif.c
index 984c915639..25cec40df8 100644
--- a/ext/exif/exif.c
+++ b/ext/exif/exif.c
@@ -3418,6 +3418,9 @@ static int exif_process_IFD_TAG(image_info_type *ImageInfo, char *dir_entry, cha
if (byte_count>1 && (length=php_strnlen(value_ptr, byte_count)) > 0) {
if (length<byte_count-1) {
/* When there are any characters after the first NUL */
+ EFREE_IF(ImageInfo->CopyrightPhotographer);
+ EFREE_IF(ImageInfo->CopyrightEditor);
+ EFREE_IF(ImageInfo->Copyright);
ImageInfo->CopyrightPhotographer = estrdup(value_ptr);
ImageInfo->CopyrightEditor = estrndup(value_ptr+length+1, byte_count-length-1);
spprintf(&ImageInfo->Copyright, 0, "%s, %s", ImageInfo->CopyrightPhotographer, ImageInfo->CopyrightEditor);
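Review bot: The three `EFREE_IF` calls sit directly under the existing comment `/* When there are any characters after the first NUL */`, so the reason for releasing the fields is undocumented and the old comment now reads as if it described the frees. I would add a line above them such as `/* The tag may occur more than once in a file; release the values from an earlier occurrence */`. Because the values come from the parsed image, stating that a repeated tag is an expected input helps whoever next touches this branch. exif_process_IFD_TAG starts and ends outside the hunk.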
@@ -3425,6 +3428,7 @@ static int exif_process_IFD_TAG(image_info_type *ImageInfo, char *dir_entry, cha
/* but we are not supposed to change this */
/* keep in mind that image_info does not store editor value */
} else {
+ EFREE_IF(ImageInfo->Copyright);
ImageInfo->Copyright = estrndup(value_ptr, byte_count);
}
}
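Review bot: In the `else` branch only `ImageInfo->Copyright` is released, so if an earlier occurrence of the tag took the two-part path, `CopyrightPhotographer` and `CopyrightEditor` keep the earlier values while `Copyright` holds the later one. Nothing in the hunk suggests this leaks, but the three fields can then disagree for a file with repeated tags. If code outside the hunk reads the photographer or editor fields, consider releasing them here as well and resetting them, e.g. `EFREE_IF(ImageInfo->CopyrightPhotographer); ImageInfo->CopyrightPhotographer = NULL;` and the same for `CopyrightEditor`, so later cleanup does not see a stale pointer. The surrounding function body is not fully visible, so this should be confirmed against the consumers of those fields.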
diff --git a/ext/exif/tests/duplicate_copyright_tag_leak.phpt b/ext/exif/tests/duplicate_copyright_tag_leak.phpt
new file mode 100644
index 0000000000..c5d5019794
--- /dev/null
+++ b/ext/exif/tests/duplicate_copyright_tag_leak.phpt
@@ -0,0 +1,12 @@
+--TEST--
+OSS-Fuzz #17474: Memory leak on duplicate Copyright tags
+--FILE--
+<?php
+
+// Only checking for an absence of leaks here.
+@exif_read_data(__DIR__ . '/duplicate_copyright_tag_leak.tiff');
+
+?>
+===DONE===
+--EXPECTF--
+===DONE===
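Review bot: The test only asserts that the script reaches `===DONE===`, so it presumably detects the regression only on builds where the test runner reports leaked memory, and it does not pin down which value is kept when the tag repeats. Dumping the copyright entries from the return value of `exif_read_data()` instead of discarding it would make the test meaningful on every build and document the intended behaviour for duplicate tags. The `@` also hides any warning the parser raises for this file, which may be worth asserting rather than suppressing. `--EXPECTF--` is not needed here since the expected output has no format placeholders; `--EXPECT--` would do.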
diff --git a/ext/exif/tests/duplicate_copyright_tag_leak.tiff b/ext/exif/tests/duplicate_copyright_tag_leak.tiff
new file mode 100644
index 0000000000..48c7fe61ff
--- /dev/null
+++ b/ext/exif/tests/duplicate_copyright_tag_leak.tiff
Binary files differ