authorNikita Popov <nikita.ppv@gmail.com>2019-09-22 10:26:57 +0200
committerNikita Popov <nikita.ppv@gmail.com>2019-09-22 10:26:57 +0200
commit623d89799802954fa0b91d1603fd653ccc2401fd (patch)
treead01cec844375c2472874ef6928fafdd99e0d646
parent33e556fab4cd71de1c25bad29dcc72ae475b76dc (diff)
parent0701835c01e914fdaefe51ecf31c4821ed1554be (diff)
Merge branch 'PHP-7.2' into PHP-7.3
-rw-r--r--ext/exif/exif.c9
-rw-r--r--ext/exif/tests/zero_length_makernote_leak.phpt11
-rw-r--r--ext/exif/tests/zero_length_makernote_leak.tiffbin0 -> 164 bytes
3 files changed, 15 insertions, 5 deletions
diff --git a/ext/exif/exif.c b/ext/exif/exif.c
index db9149922a..c5495ce681 100644
--- a/ext/exif/exif.c
+++ b/ext/exif/exif.c
@@ -2297,14 +2297,11 @@ static void exif_iif_free(image_info_type *image_info, int section_index) {
efree(f);
}
switch(image_info->info_list[section_index].list[i].format) {
+ case TAG_FMT_UNDEFINED:
+ case TAG_FMT_STRING:
case TAG_FMT_SBYTE:
case TAG_FMT_BYTE:
- /* in contrast to strings bytes do not need to allocate buffer for NULL if length==0 */
- if (image_info->info_list[section_index].list[i].length<1)
- break;
default:
- case TAG_FMT_UNDEFINED:
- case TAG_FMT_STRING:
if ((f=image_info->info_list[section_index].list[i].value.s) != NULL) {
efree(f);
}
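Review bot: With the `length<1` early break removed from the `TAG_FMT_SBYTE`/`TAG_FMT_BYTE` arm, the `efree` under `default:` now depends on `value.s` being either NULL or an allocated buffer for every entry of those formats, including zero-length ones, and nothing in the hunk states that. The code that fills `info_list` is outside this hunk, so the invariant cannot be confirmed from here. If `value` is a union, an entry stored through another member would reach `efree` as if it were a pointer. I would record the contract next to the labels, e.g. `/* value.s is NULL or an owned buffer for these formats, even when length == 0 */`. The switch continues past the end of the hunk.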
@@ -3516,9 +3513,11 @@ static int exif_process_IFD_TAG(image_info_type *ImageInfo, char *dir_entry, cha
break;
case TAG_MAKE:
+ EFREE_IF(ImageInfo->make);
ImageInfo->make = estrndup(value_ptr, byte_count);
break;
case TAG_MODEL:
+ EFREE_IF(ImageInfo->model);
ImageInfo->model = estrndup(value_ptr, byte_count);
break;
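Review bot: The `EFREE_IF` calls added before `estrndup` in the `TAG_MAKE` and `TAG_MODEL` cases need a short comment saying why they are there, because the reason is a property of the input rather than anything visible in the code. Presumably the tag can occur more than once in a file, so something like `/* tag may repeat within one file; release the earlier copy before overwriting */` would do. Without it the free looks redundant and is easy to drop in a later cleanup, which would bring back a leak reachable from any parsed image. The other cases of this switch lie outside the hunk; any that assign an owned string to an `ImageInfo` field in the same way would likely need the same treatment.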
diff --git a/ext/exif/tests/zero_length_makernote_leak.phpt b/ext/exif/tests/zero_length_makernote_leak.phpt
new file mode 100644
index 0000000000..37d0e0c573
--- /dev/null
+++ b/ext/exif/tests/zero_length_makernote_leak.phpt
@@ -0,0 +1,11 @@
+--TEST--
+OSS-Fuzz: Memory leak for zero-length MAKERNOTE
+--FILE--
+<?php
+
+@exif_read_data(__DIR__ . '/zero_length_makernote_leak.tiff');
+
+?>
+===DONE===
+--EXPECT--
+===DONE===
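Review bot: The only assertion is the `===DONE===` marker, so this test catches the leak only where the runtime writes leak reports into the test output. As far as I know that means a debug build or a run under a memory checker, and on a release build it would pass with or without the fix. The `@` on `exif_read_data` also hides any warnings the malformed file produces, so a change in how the parser rejects the file would go unnoticed. I would add a comment in the `--FILE--` section such as `// relies on leak reporting; only meaningful on debug builds`, and state whether the fixture also covers the repeated Make/Model path changed in exif.c.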
diff --git a/ext/exif/tests/zero_length_makernote_leak.tiff b/ext/exif/tests/zero_length_makernote_leak.tiff
new file mode 100644
index 0000000000..f1541b39b6
--- /dev/null
+++ b/ext/exif/tests/zero_length_makernote_leak.tiff
Binary files differ