author | Nikita Popov <nikita.ppv@gmail.com> | 2019-09-19 14:16:36 +0200 |
---|---|---|
committer | Nikita Popov <nikita.ppv@gmail.com> | 2019-09-19 14:19:31 +0200 |
commit | 3e139a465333d3b2bed4d23e42316ea952d96dd8 (patch) | |
tree | f395334ce9965082f90965000475e253944514e4 | |
parent | e3255a4f49f32e5fd936b9de4e77b594d1d4015a (diff) | |
download | php-git-3e139a465333d3b2bed4d23e42316ea952d96dd8.tar.gz |
Fix exif leak on duplicate copyright tags
-rw-r--r-- | ext/exif/exif.c | 4 | ||||
-rw-r--r-- | ext/exif/tests/duplicate_copyright_tag_leak.phpt | 12 | ||||
-rw-r--r-- | ext/exif/tests/duplicate_copyright_tag_leak.tiff | bin | 0 -> 9397 bytes |
3 files changed, 16 insertions, 0 deletions
diff --git a/ext/exif/exif.c b/ext/exif/exif.c
index 984c915639..25cec40df8 100644
--- a/ext/exif/exif.c
+++ b/ext/exif/exif.c
@@ -3418,6 +3418,9 @@ static int exif_process_IFD_TAG(image_info_type *ImageInfo, char *dir_entry, cha
 if (byte_count>1 && (length=php_strnlen(value_ptr, byte_count)) > 0) {
 if (length<byte_count-1) {
 /* When there are any characters after the first NUL */
+ EFREE_IF(ImageInfo->CopyrightPhotographer);
+ EFREE_IF(ImageInfo->CopyrightEditor);
+ EFREE_IF(ImageInfo->Copyright);
 ImageInfo->CopyrightPhotographer = estrdup(value_ptr);
 ImageInfo->CopyrightEditor = estrndup(value_ptr+length+1, byte_count-length-1);
 spprintf(&ImageInfo->Copyright, 0, "%s, %s", ImageInfo->CopyrightPhotographer, ImageInfo->CopyrightEditor);
@@ -3425,6 +3428,7 @@ static int exif_process_IFD_TAG(image_info_type *ImageInfo, char *dir_entry, cha
 /* but we are not supposed to change this */
 /* keep in mind that image_info does not store editor value */
 } else {
+ EFREE_IF(ImageInfo->Copyright);
 ImageInfo->Copyright = estrndup(value_ptr, byte_count);
 }
 }
diff --git a/ext/exif/tests/duplicate_copyright_tag_leak.phpt b/ext/exif/tests/duplicate_copyright_tag_leak.phpt
new file mode 100644
index 0000000000..c5d5019794
--- /dev/null
+++ b/ext/exif/tests/duplicate_copyright_tag_leak.phpt
@@ -0,0 +1,12 @@
+--TEST--
+OSS-Fuzz #17474: Memory leak on duplicate Copyright tags
+--FILE--
+<?php
+
+// Only checking for an absence of leaks here.
+@exif_read_data(__DIR__ . '/duplicate_copyright_tag_leak.tiff');
+
+?>
+===DONE===
+--EXPECTF--
+===DONE===
diff --git a/ext/exif/tests/duplicate_copyright_tag_leak.tiff b/ext/exif/tests/duplicate_copyright_tag_leak.tiff
Binary files differnew file mode 100644
index 0000000000..48c7fe61ff
--- /dev/null
+++ b/ext/exif/tests/duplicate_copyright_tag_leak.tiff |
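Review bot: The three `EFREE_IF` calls added ahead of the `estrdup`/`estrndup` assignments have no comment explaining how these fields can already be populated, which is the whole reason for the change. I would put `/* The Copyright tag may appear more than once in a file; release what an earlier occurrence stored. */` above them. The definition of `EFREE_IF` is not in this hunk, so it is worth confirming whether it leaves the pointer set after freeing; here that looks harmless only because each field is reassigned immediately below. exif_process_IFD_TAG begins and ends outside the hunk.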
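Review bot: In the `else` branch only `ImageInfo->Copyright` is released, so when an earlier Copyright tag took the two-part path, `CopyrightPhotographer` and `CopyrightEditor` keep the strings from that earlier tag while `Copyright` now holds the later one. This is not a leak as long as teardown frees them, but it leaves the three fields describing different tags if they are reported together; the consumers are outside this hunk, so that part is inferred. Consider clearing them here as well with `EFREE_IF(ImageInfo->CopyrightPhotographer); ImageInfo->CopyrightPhotographer = NULL;` and the same pair for `CopyrightEditor`.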
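Review bot: The new phpt has no `--SKIPIF--` section, so on a build without the exif extension the call to `exif_read_data()` is an undefined-function fatal that `@` does not suppress, and the test fails instead of being skipped. Adding `--SKIPIF--` followed by `<?php if (!extension_loaded('exif')) print 'skip exif extension not available'; ?>` after the title would cover that. As the in-file comment says, the test asserts nothing about the return value, so it only catches a regression on builds where the test runner reports leaks; a short comment stating that dependency would help whoever sees it pass on a build without leak reporting.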