diff options
author | Nikita Popov <nikita.ppv@gmail.com> | 2019-09-22 12:10:17 +0200 |
---|---|---|
committer | Nikita Popov <nikita.ppv@gmail.com> | 2019-09-22 12:10:17 +0200 |
commit | f989a4cd44f1bbabc6cdba9af1477125a8ba2f56 (patch) | |
tree | 650b5464e4478d7a6348bc583c957d630cd3c949 /ext | |
parent | 0701835c01e914fdaefe51ecf31c4821ed1554be (diff) | |
download | php-git-f989a4cd44f1bbabc6cdba9af1477125a8ba2f56.tar.gz |
Fix leak of temporary buffer during exif tag reading
Diffstat (limited to 'ext')
-rw-r--r-- | ext/exif/exif.c | 2 | ||||
-rw-r--r-- | ext/exif/tests/temporary_buffer_leak.jpg | bin | 0 -> 46 bytes | |||
-rw-r--r-- | ext/exif/tests/temporary_buffer_leak.phpt | 10 |
3 files changed, 12 insertions, 0 deletions
diff --git a/ext/exif/exif.c b/ext/exif/exif.c index 01b54012f4..9b4adffb43 100644 --- a/ext/exif/exif.c +++ b/ext/exif/exif.c @@ -3588,9 +3588,11 @@ static int exif_process_IFD_TAG(image_info_type *ImageInfo, char *dir_entry, cha Subdir_start = offset_base + php_ifd_get32u(value_ptr, ImageInfo->motorola_intel); if (Subdir_start < offset_base || Subdir_start > offset_base+IFDlength) { exif_error_docref("exif_read_data#error_ifd" EXIFERR_CC, ImageInfo, E_WARNING, "Illegal IFD Pointer"); + EFREE_IF(outside); return FALSE; } if (!exif_process_IFD_in_JPEG(ImageInfo, Subdir_start, offset_base, IFDlength, displacement, sub_section_index, tag)) { + EFREE_IF(outside); return FALSE; } #ifdef EXIF_DEBUG diff --git a/ext/exif/tests/temporary_buffer_leak.jpg b/ext/exif/tests/temporary_buffer_leak.jpg Binary files differnew file mode 100644 index 0000000000..c9f7ce821f --- /dev/null +++ b/ext/exif/tests/temporary_buffer_leak.jpg diff --git a/ext/exif/tests/temporary_buffer_leak.phpt b/ext/exif/tests/temporary_buffer_leak.phpt new file mode 100644 index 0000000000..cf136dd648 --- /dev/null +++ b/ext/exif/tests/temporary_buffer_leak.phpt @@ -0,0 +1,10 @@ +--TEST-- +OSS-Fuzz: Temporary buffer leak in tag reading +--FILE-- +<?php + +var_dump(@exif_read_data(__DIR__ . '/temporary_buffer_leak.jpg')); + +?> +--EXPECT-- +bool(false) |