authorStanislav Malyshev <stas@php.net>2019-07-29 13:20:52 -0700
committerStanislav Malyshev <stas@php.net>2019-07-29 13:20:52 -0700
commit4adf3dc1091e8c00b1d66ec576fb62b8efb030b1 (patch)
tree072ee6b4559f79ebd52d7c9e2388683e12dedde8 /ext/exif/exif.c
parent76c2bef9b020bc0816fdd6e488627b2e3a520161 (diff)
parentd69894734d0cc778f9dd7adcd60d9bd27f6af4be (diff)
downloadphp-git-4adf3dc1091e8c00b1d66ec576fb62b8efb030b1.tar.gz
Merge branch 'PHP-7.3' into PHP-7.4
* PHP-7.3: Fix #77919: Potential UAF in Phar RSHUTDOWN Update NEWS Fix bug #78256 (heap-buffer-overflow on exif_process_user_comment) Fix bug #78222 (heap-buffer-overflow on exif_scan_thumbnail)
Diffstat (limited to 'ext/exif/exif.c')
-rw-r--r--ext/exif/exif.c6
1 files changed, 3 insertions, 3 deletions
diff --git a/ext/exif/exif.c b/ext/exif/exif.c
index 440877a9b7..cd012f4883 100644
--- a/ext/exif/exif.c
+++ b/ext/exif/exif.c
@@ -2971,11 +2971,11 @@ static int exif_process_user_comment(image_info_type *ImageInfo, char **pszInfoP
/* First try to detect BOM: ZERO WIDTH NOBREAK SPACE (FEFF 16)
* since we have no encoding support for the BOM yet we skip that.
*/
- if (!memcmp(szValuePtr, "\xFE\xFF", 2)) {
+ if (ByteCount >=2 && !memcmp(szValuePtr, "\xFE\xFF", 2)) {
decode = "UCS-2BE";
szValuePtr = szValuePtr+2;
ByteCount -= 2;
- } else if (!memcmp(szValuePtr, "\xFF\xFE", 2)) {
+ } else if (ByteCount >=2 && !memcmp(szValuePtr, "\xFF\xFE", 2)) {
decode = "UCS-2LE";
szValuePtr = szValuePtr+2;
ByteCount -= 2;
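Review bot: The new `ByteCount >=2` guard is repeated in both BOM branches without any comment explaining why the buffer can be shorter than two bytes at this point, and the existing comment above only covers skipping the BOM. I would add a line such as `/* a BOM needs 2 bytes; ByteCount may be smaller here, so check before memcmp() */` and write the test as `ByteCount >= 2` to match the usual operator spacing. The declaration of `ByteCount` and the code that adjusts it before this point are outside the hunk, so whether it can also arrive negative is not verifiable from here; the function body starts and ends outside the hunk.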
@@ -3848,7 +3848,7 @@ static int exif_scan_thumbnail(image_info_type *ImageInfo)
size_t length=2, pos=0;
jpeg_sof_info sof_info;
- if (!data) {
+ if (!data || ImageInfo->Thumbnail.size < 4) {
return FALSE; /* nothing to do here */
}
if (memcmp(data, "\xFF\xD8\xFF", 3)) {
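Review bot: The bound in `ImageInfo->Thumbnail.size < 4` is a bare constant, while the `memcmp` on the following line reads only 3 bytes, so a reader cannot tell what the fourth byte is for. A short comment would help, for example `/* 3-byte JPEG signature plus at least one byte to scan */`, if that is indeed the intent. This check covers only the initial signature compare. The marker-scanning loop lies outside the hunk, so the hunk alone does not show whether its later reads of `data` are each bounded by `Thumbnail.size`, and that is worth confirming alongside this fix.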