From 2fc178cf448d8e1b95d1314e47eeef610729e0df Mon Sep 17 00:00:00 2001
From: Stanislav Malyshev
Date: Sun, 11 Jan 2015 00:51:05 -0800
Subject: Fix bug #68799: Free called on unitialized pointer
---
 ext/exif/exif.c | 2 +-
 ext/exif/tests/bug68799.jpg | Bin 0 -> 735 bytes
 ext/exif/tests/bug68799.phpt | 63 +++++++++++++++++++++++++++++++++++++++++++
 3 files changed, 64 insertions(+), 1 deletion(-)
 create mode 100644 ext/exif/tests/bug68799.jpg
 create mode 100644 ext/exif/tests/bug68799.phpt
diff --git a/ext/exif/exif.c b/ext/exif/exif.c
index 637ebf9289..7f95ff43ea 100644
--- a/ext/exif/exif.c
+++ b/ext/exif/exif.c
@@ -2702,7 +2702,7 @@ static int exif_process_user_comment(image_info_type *ImageInfo, char **pszInfoP
 static int exif_process_unicode(image_info_type *ImageInfo, xp_field_type *xp_field, int tag, char *szValuePtr, int ByteCount TSRMLS_DC)
 {
 xp_field->tag = tag;
-
+ xp_field->value = NULL;
 /* XXX this will fail again if encoding_converter returns on error something different than SIZE_MAX */
 if (zend_multibyte_encoding_converter(
 (unsigned char**)&xp_field->value,
diff --git a/ext/exif/tests/bug68799.jpg b/ext/exif/tests/bug68799.jpg
new file mode 100644
index 0000000000..acc326dbbf
Binary files /dev/null and b/ext/exif/tests/bug68799.jpg differ
diff --git a/ext/exif/tests/bug68799.phpt b/ext/exif/tests/bug68799.phpt
new file mode 100644
index 0000000000..b09f21ca7b
--- /dev/null
+++ b/ext/exif/tests/bug68799.phpt
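Review bot: The new `xp_field->value = NULL;` in exif_process_unicode makes the pointer defined before the converter runs, but the length field the converter also writes through (`size`, if this is the usual xp_field_type layout) is still left indeterminate on the same path; if the converter fails without touching its outputs, a caller that reads the length next to the NULL value still sees uninitialized memory. Initializing it beside the new line, `xp_field->size = 0;`, gives the struct a defined state on every exit regardless of what the converter returns on error, which is precisely the weakness the XXX comment on the following line admits. The rest of exif_process_unicode, including the SIZE_MAX comparison that comment refers to, lies outside the hunk, so whether the error path already resets the length cannot be confirmed from here.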
@@ -0,0 +1,63 @@ +--TEST-- +Bug #68799 (Free called on unitialized pointer) +--SKIPIF-- + +--FILE-- +a = $a . $a . $a . $a . $a . $a; + } +}; + +function doStuff ($limit) { + + $a = new A; + + $b = array(); + for ($i = 0; $i < $limit; $i++) { + $b[$i] = clone $a; + } + + unset($a); + + gc_collect_cycles(); +} + +$iterations = 3; + +doStuff($iterations); +doStuff($iterations); + +gc_collect_cycles(); + +print_r(exif_read_data(__DIR__.'/bug68799.jpg')); + +?> +--EXPECTF-- +Array +( + [FileName] => bug68799.jpg + [FileDateTime] => %d + [FileSize] => 735 + [FileType] => 2 + [MimeType] => image/jpeg + [SectionsFound] => ANY_TAG, IFD0, WINXP + [COMPUTED] => Array + ( + [html] => width="1" height="1" + [Height] => 1 + [Width] => 1 + [IsColor] => 1 + [ByteOrderMotorola] => 1 + ) + + [XResolution] => 96/1 + [YResolution] => 96/1 + [ResolutionUnit] => 2 + [Author] => +) -- cgit v1.2.1