Merge branch 'PHP-7.2' into PHP-7.3

3 files changed, 12 insertions, 0 deletions

diff --git a/ext/exif/exif.c b/ext/exif/exif.c
index c5495ce681..2804807e0b 100644
--- a/ext/exif/exif.c
+++ b/ext/exif/exif.c
@@ -3561,9 +3561,11 @@ static int exif_process_IFD_TAG(image_info_type *ImageInfo, char *dir_entry, cha
 					Subdir_start = offset_base + php_ifd_get32u(value_ptr, ImageInfo->motorola_intel);
 					if (Subdir_start < offset_base || Subdir_start > offset_base+IFDlength) {
 						exif_error_docref("exif_read_data#error_ifd" EXIFERR_CC, ImageInfo, E_WARNING, "Illegal IFD Pointer");
+						EFREE_IF(outside);
 						return FALSE;
 					}
 					if (!exif_process_IFD_in_JPEG(ImageInfo, Subdir_start, offset_base, IFDlength, displacement, sub_section_index, tag)) {
+						EFREE_IF(outside);
 						return FALSE;
 					}
 #ifdef EXIF_DEBUG
diff --git a/ext/exif/tests/temporary_buffer_leak.jpg b/ext/exif/tests/temporary_buffer_leak.jpg
new file mode 100644
index 0000000000..c9f7ce821f
--- /dev/null
+++ b/ext/exif/tests/temporary_buffer_leak.jpg
diff --git a/ext/exif/tests/temporary_buffer_leak.phpt b/ext/exif/tests/temporary_buffer_leak.phpt
new file mode 100644
index 0000000000..cf136dd648
--- /dev/null
+++ b/ext/exif/tests/temporary_buffer_leak.phpt
@@ -0,0 +1,10 @@
+--TEST--
+OSS-Fuzz: Temporary buffer leak in tag reading
+--FILE--
+<?php
+
+var_dump(@exif_read_data(__DIR__ . '/temporary_buffer_leak.jpg'));
+
+?>
+--EXPECT--
+bool(false)