author | Nikita Popov <nikita.ppv@gmail.com> | 2019-09-22 10:26:57 +0200 |
---|---|---|
committer | Nikita Popov <nikita.ppv@gmail.com> | 2019-09-22 10:26:57 +0200 |
commit | 623d89799802954fa0b91d1603fd653ccc2401fd (patch) | |
tree | ad01cec844375c2472874ef6928fafdd99e0d646 | |
parent | 33e556fab4cd71de1c25bad29dcc72ae475b76dc (diff) | |
parent | 0701835c01e914fdaefe51ecf31c4821ed1554be (diff) | |
download | php-git-623d89799802954fa0b91d1603fd653ccc2401fd.tar.gz |
Merge branch 'PHP-7.2' into PHP-7.3
-rw-r--r-- | ext/exif/exif.c | 9 | ||||
-rw-r--r-- | ext/exif/tests/zero_length_makernote_leak.phpt | 11 | ||||
-rw-r--r-- | ext/exif/tests/zero_length_makernote_leak.tiff | bin | 0 -> 164 bytes |
3 files changed, 15 insertions, 5 deletions
diff --git a/ext/exif/exif.c b/ext/exif/exif.c
index db9149922a..c5495ce681 100644
--- a/ext/exif/exif.c
+++ b/ext/exif/exif.c
@@ -2297,14 +2297,11 @@ static void exif_iif_free(image_info_type *image_info, int section_index) {
 efree(f);
 }
 switch(image_info->info_list[section_index].list[i].format) {
+ case TAG_FMT_UNDEFINED:
+ case TAG_FMT_STRING:
 case TAG_FMT_SBYTE:
 case TAG_FMT_BYTE:
- /* in contrast to strings bytes do not need to allocate buffer for NULL if length==0 */
- if (image_info->info_list[section_index].list[i].length<1)
- break;
 default:
- case TAG_FMT_UNDEFINED:
- case TAG_FMT_STRING:
 if ((f=image_info->info_list[section_index].list[i].value.s) != NULL) {
 efree(f);
 }
@@ -3516,9 +3513,11 @@ static int exif_process_IFD_TAG(image_info_type *ImageInfo, char *dir_entry, cha
 break;
 case TAG_MAKE:
+ EFREE_IF(ImageInfo->make);
 ImageInfo->make = estrndup(value_ptr, byte_count);
 break;
 case TAG_MODEL:
+ EFREE_IF(ImageInfo->model);
 ImageInfo->model = estrndup(value_ptr, byte_count);
 break;
diff --git a/ext/exif/tests/zero_length_makernote_leak.phpt b/ext/exif/tests/zero_length_makernote_leak.phpt
new file mode 100644
index 0000000000..37d0e0c573
--- /dev/null
+++ b/ext/exif/tests/zero_length_makernote_leak.phpt
@@ -0,0 +1,11 @@
+--TEST--
+OSS-Fuzz: Memory leak for zero-length MAKERNOTE
+--FILE--
+<?php
+
+@exif_read_data(__DIR__ . '/zero_length_makernote_leak.tiff');
+
+?>
+===DONE===
+--EXPECT--
+===DONE===
diff --git a/ext/exif/tests/zero_length_makernote_leak.tiff b/ext/exif/tests/zero_length_makernote_leak.tiff
Binary files differnew file mode 100644
index 0000000000..f1541b39b6
--- /dev/null
+++ b/ext/exif/tests/zero_length_makernote_leak.tiff |
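Review bot: The merged case list in exif_iif_free has no comment explaining why `value.s` is now freed for TAG_FMT_SBYTE and TAG_FMT_BYTE regardless of length, whereas the removed comment documented the opposite assumption (no buffer when length==0). All four labels now fall through to `default:`, so a short comment above it, such as `/* value.s is an owned buffer for these formats even when length == 0; always release it */`, would stop a later reader from reintroducing the length shortcut and the leak. The code that allocates `value.s` is outside this hunk, so it is worth confirming there that a zero-length byte or undefined entry really does get a buffer. The function body starts and ends outside the hunk.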
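Review bot: The added `EFREE_IF` calls in the TAG_MAKE and TAG_MODEL arms carry no comment saying that an input file may repeat these tags, which appears to be the reason the old pointer must be released before `estrndup` overwrites it. A comment such as `/* the tag can occur more than once in a malformed file; drop the earlier copy */` would record that. The calls are safe only if `ImageInfo->make` and `ImageInfo->model` are NULL or owned allocations when first reached; their initialisation is not visible here. Other arms of this switch that store an allocated string are also outside the hunk and may need the same treatment if they assign without freeing.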
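Review bot: The new test has no `--SKIPIF--` section, so on a build without the exif extension the call to `exif_read_data` fails the test instead of skipping it. Add `--SKIPIF--` followed by `<?php if (!extension_loaded('exif')) die('skip exif extension not available'); ?>`. The call is silenced with `@` and only `===DONE===` is expected, so the leak is presumably caught only by a debug build's leak report; a one-line comment in the `--FILE--` section saying so would make the intent clear. The title mentions only the zero-length MAKERNOTE, and it cannot be told from the binary fixture whether the repeated MAKE/MODEL path changed in exif.c is exercised as well.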