Merge branch 'PHP-7.0' into PHP-7.1

* PHP-7.0:
  Fix tsrm_ls
  Fix #76129 - remove more potential unfiltered outputs for phar
  Fix test
  Fix bug #76248 - Malicious LDAP-Server Response causes Crash
  Fix bug #76249 - fail on invalid sequences
  Fix #76130: Heap Buffer Overflow (READ: 1786) in exif_iif_add_value
  Fix bug #75981: prevent reading beyond buffer start

4 files changed, 21 insertions, 1 deletions

diff --git a/ext/exif/exif.c b/ext/exif/exif.c
index 23479dadd2..b30bcb468f 100644
--- a/ext/exif/exif.c
+++ b/ext/exif/exif.c
@@ -1704,7 +1704,7 @@ static void exif_iif_add_value(image_info_type *image_info, int section_index, c
 		case TAG_FMT_UNDEFINED:
 			if (value) {
 				if (tag == TAG_MAKER_NOTE) {
-					length = MIN(length, strlen(value));
+					length = (int) php_strnlen(value, length);
 				}
 
 				/* do not recompute length here */
diff --git a/ext/exif/tests/bug76130.phpt b/ext/exif/tests/bug76130.phpt
new file mode 100644
index 0000000000..9c826af629
--- /dev/null
+++ b/ext/exif/tests/bug76130.phpt
@@ -0,0 +1,20 @@
+--TEST--
+Bug #76130 (Heap Buffer Overflow (READ: 1786) in exif_iif_add_value)
+--DESCRIPTION--
+This test is meant to exhibit memory issues with the `-m` option. Since a lot of
+notices and warnings are to be expected anyway, we suppress these, since the are
+not relevant for this test.
+--INI--
+error_reporting=E_ALL & ~E_WARNING & ~E_NOTICE
+--SKIPIF--
+<?php
+if (!extension_loaded('exif')) die('skip exif extension not available');
+?>
+--FILE--
+<?php
+exif_read_data(__DIR__ . '/bug76130_1.jpg');
+exif_read_data(__DIR__ . '/bug76130_2.jpg');
+?>
+===DONE===
+--EXPECT--
+===DONE===
diff --git a/ext/exif/tests/bug76130_1.jpg b/ext/exif/tests/bug76130_1.jpg
new file mode 100644
index 0000000000..e063e46d22
--- /dev/null
+++ b/ext/exif/tests/bug76130_1.jpg
diff --git a/ext/exif/tests/bug76130_2.jpg b/ext/exif/tests/bug76130_2.jpg
new file mode 100644
index 0000000000..a9e79dca5c
--- /dev/null
+++ b/ext/exif/tests/bug76130_2.jpg