authorBen Ramsey <ben@benramsey.com>2019-02-10 12:25:19 -0600
committerNikita Popov <nikita.ppv@gmail.com>2019-02-12 09:28:33 +0100
commitc4294440ffc4a59a1298292b76072e6759034a68 (patch)
tree75375e33dc8011c0228a234877387df88c4c902a
parent9222702633c63254b08466b322266b647ac3e905 (diff)
Fixed bug #77564: Memory leak in exif_process_IFD_TAG
The memory leak occurs when more than one UserComment tag is present in the EXIF data. Such data is still considered corrupt EXIF data, but this change ensures the previously allocated memory is freed before the fields that point to it are set again.
-rw-r--r--NEWS3
-rw-r--r--ext/exif/exif.c4
-rw-r--r--ext/exif/tests/bug77564/bug77564.jpgbin0 -> 73 bytes
-rw-r--r--ext/exif/tests/bug77564/bug77564.phpt18
4 files changed, 25 insertions, 0 deletions
diff --git a/NEWS b/NEWS
index fa5200ce84..533b04e5ee 100644
--- a/NEWS
+++ b/NEWS
@@ -6,6 +6,9 @@ PHP NEWS
. Fixed bug #77589 (Core dump using parse_ini_string with numeric sections).
(Laruence)
+- Exif:
+ . Fixed bug #77564 (Memory leak in exif_process_IFD_TAG). (Ben Ramsey)
+
- PDO_OCI:
. Support Oracle Database tracing attributes ACTION, MODULE,
CLIENT_INFO, and CLIENT_IDENTIFIER. (Cameron Porter)
diff --git a/ext/exif/exif.c b/ext/exif/exif.c
index be02c9da40..9c202196c6 100644
--- a/ext/exif/exif.c
+++ b/ext/exif/exif.c
@@ -3405,6 +3405,10 @@ static int exif_process_IFD_TAG(image_info_type *ImageInfo, char *dir_entry, cha
break;
case TAG_USERCOMMENT:
+ EFREE_IF(ImageInfo->UserComment);
+ ImageInfo->UserComment = NULL;
+ EFREE_IF(ImageInfo->UserCommentEncoding);
+ ImageInfo->UserCommentEncoding = NULL;
ImageInfo->UserCommentLength = exif_process_user_comment(ImageInfo, &(ImageInfo->UserComment), &(ImageInfo->UserCommentEncoding), value_ptr, byte_count);
break;
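Review bot: The four lines added under `case TAG_USERCOMMENT:` have no comment saying why the fields are released, and the reason is not obvious from the code alone: a file can repeat the tag, so the earlier buffers must be freed before `exif_process_user_comment()` overwrites the pointers. I would add `/* A corrupt file may carry several UserComment tags; free the previous value so it is not leaked. */` above the first `EFREE_IF`. Resetting both pointers to NULL is the right companion step, since the helper's body is not visible here and it may not assign them on every path. The switch continues outside this hunk; any other case that stores an allocated string in `ImageInfo` from a repeatable tag may need the same treatment, which is worth checking because image metadata is untrusted input.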
diff --git a/ext/exif/tests/bug77564/bug77564.jpg b/ext/exif/tests/bug77564/bug77564.jpg
new file mode 100644
index 0000000000..868fffd1db
--- /dev/null
+++ b/ext/exif/tests/bug77564/bug77564.jpg
Binary files differ
diff --git a/ext/exif/tests/bug77564/bug77564.phpt b/ext/exif/tests/bug77564/bug77564.phpt
new file mode 100644
index 0000000000..2f72b3c9ac
--- /dev/null
+++ b/ext/exif/tests/bug77564/bug77564.phpt
@@ -0,0 +1,18 @@
+--TEST--
+Bug 77564 (Memory leak in exif_process_IFD_TAG)
+--SKIPIF--
+<?php if (!extension_loaded('exif')) print 'skip exif extension not available';?>
+--FILE--
+<?php
+var_dump(exif_read_data(dirname(__FILE__) . '/bug77564.jpg'));
+?>
+DONE
+--EXPECTF--
+
+Warning: exif_read_data(bug77564.jpg): Illegal IFD offset in %sbug77564.php on line %d
+
+Warning: exif_read_data(bug77564.jpg): File structure corrupted in %sbug77564.php on line %d
+
+Warning: exif_read_data(bug77564.jpg): Invalid JPEG file in %sbug77564.php on line %d
+bool(false)
+DONE
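Review bot: The `--EXPECTF--` section pins only the three warnings and `bool(false)`, so nothing in the expected output asserts that the leak is gone. Presumably the regression is caught only when the suite runs with leak reporting active (a debug build or a memory checker), and on other builds the test would likely pass with or without the fix. A short `--DESCRIPTION--` section stating that the fixture contains more than one UserComment tag and that the test relies on leak detection would make that dependency explicit.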