Fixed bug #79046

3 files changed, 38 insertions, 2 deletions

diff --git a/NEWS b/NEWS
index d99c3d5a2d..bdf508eb43 100644
--- a/NEWS
+++ b/NEWS
@@ -20,6 +20,9 @@ PHP                                                                        NEWS
 - CURL:
   . Fixed bug #79033 (Curl timeout error with specific url and post). (cmb)
 
+- Exif:
+  . Fixed bug #79046 (NaN to int cast undefined behavior in exif). (Nikita)
+
 - Fileinfo:
   . Fixed bug #74170 (locale information change after mime_content_type).
     (Sergei Turchanov)
diff --git a/ext/exif/exif.c b/ext/exif/exif.c
index 4f8b8af719..7bdf2acf1e 100644
--- a/ext/exif/exif.c
+++ b/ext/exif/exif.c
@@ -1699,7 +1699,7 @@ static int exif_rewrite_tag_format_to_unsigned(int format)
 
 /* Use saturation for out of bounds values to avoid UB */
 static size_t float_to_size_t(float x) {
-	if (x < 0.0f) {
+	if (x < 0.0f || zend_isnan(x)) {
 		return 0;
 	} else if (x > (float) SIZE_MAX) {
 		return SIZE_MAX;
@@ -1709,7 +1709,7 @@ static size_t float_to_size_t(float x) {
 }
 
 static size_t double_to_size_t(double x) {
-	if (x < 0.0) {
+	if (x < 0.0 || zend_isnan(x)) {
 		return 0;
 	} else if (x > (double) SIZE_MAX) {
 		return SIZE_MAX;
diff --git a/ext/exif/tests/bug79046.phpt b/ext/exif/tests/bug79046.phpt
new file mode 100644
index 0000000000..83955084b0
--- /dev/null
+++ b/ext/exif/tests/bug79046.phpt
@@ -0,0 +1,33 @@
+--TEST--
+Bug #79046: NaN to int cast undefined behavior in exif
+--FILE--
+<?php
+var_dump(exif_read_data('data://image/tiff;base64,TU0AKgAAAA7//wAAANUAAQERAAsAAAABAAD4fwAAAA4A'));
+?>
+--EXPECT--
+array(8) {
+  ["FileDateTime"]=>
+  int(0)
+  ["FileSize"]=>
+  int(33)
+  ["FileType"]=>
+  int(8)
+  ["MimeType"]=>
+  string(10) "image/tiff"
+  ["SectionsFound"]=>
+  string(24) "ANY_TAG, IFD0, THUMBNAIL"
+  ["COMPUTED"]=>
+  array(2) {
+    ["IsColor"]=>
+    int(0)
+    ["ByteOrderMotorola"]=>
+    int(1)
+  }
+  ["StripOffsets"]=>
+  float(NAN)
+  ["THUMBNAIL"]=>
+  array(1) {
+    ["StripOffsets"]=>
+    float(NAN)
+  }
+}