author | Nikita Popov <nikita.ppv@gmail.com> | 2019-09-21 20:38:24 +0200 |
committer | Nikita Popov <nikita.ppv@gmail.com> | 2019-09-21 20:40:03 +0200 |
commit | 0701835c01e914fdaefe51ecf31c4821ed1554be (patch) | |
tree | b69bdbf412874e51b0cce48f6d7bd99feb9d4b62 | |
parent | 0d6c2448a7b0276c2e72249aa1efb4fcffdc96d8 (diff) | |
download | php-git-0701835c01e914fdaefe51ecf31c4821ed1554be.tar.gz |
Fix multiple leaks in exif_read_data()
This fixes two leaks related to duplicate tags, as well as a leak
of zero-length FMT_(S)BYTE with non-null value. This can show up
for MAKERNOTE values where the original length is non-zero, but
the first character is a null byte.
-rw-r--r-- | ext/exif/exif.c | 9 | ||||
-rw-r--r-- | ext/exif/tests/zero_length_makernote_leak.phpt | 11 | ||||
-rw-r--r-- | ext/exif/tests/zero_length_makernote_leak.tiff | bin | 0 -> 164 bytes |
3 files changed, 15 insertions, 5 deletions
diff --git a/ext/exif/exif.c b/ext/exif/exif.c
index f6eb26a997..01b54012f4 100644
--- a/ext/exif/exif.c
+++ b/ext/exif/exif.c
@@ -2322,14 +2322,11 @@ static void exif_iif_free(image_info_type *image_info, int section_index) {
 efree(f);
 }
 switch(image_info->info_list[section_index].list[i].format) {
+ case TAG_FMT_UNDEFINED:
+ case TAG_FMT_STRING:
 case TAG_FMT_SBYTE:
 case TAG_FMT_BYTE:
- /* in contrast to strings bytes do not need to allocate buffer for NULL if length==0 */
- if (image_info->info_list[section_index].list[i].length<1)
- break;
 default:
- case TAG_FMT_UNDEFINED:
- case TAG_FMT_STRING:
 if ((f=image_info->info_list[section_index].list[i].value.s) != NULL) {
 efree(f);
 }
@@ -3543,9 +3540,11 @@ static int exif_process_IFD_TAG(image_info_type *ImageInfo, char *dir_entry, cha
 break;
 case TAG_MAKE:
+ EFREE_IF(ImageInfo->make);
 ImageInfo->make = estrndup(value_ptr, byte_count);
 break;
 case TAG_MODEL:
+ EFREE_IF(ImageInfo->model);
 ImageInfo->model = estrndup(value_ptr, byte_count);
 break;
diff --git a/ext/exif/tests/zero_length_makernote_leak.phpt b/ext/exif/tests/zero_length_makernote_leak.phpt
new file mode 100644
index 0000000000..37d0e0c573
--- /dev/null
+++ b/ext/exif/tests/zero_length_makernote_leak.phpt
@@ -0,0 +1,11 @@
+--TEST--
+OSS-Fuzz: Memory leak for zero-length MAKERNOTE
+--FILE--
+<?php
+
+@exif_read_data(__DIR__ . '/zero_length_makernote_leak.tiff');
+
+?>
+===DONE===
+--EXPECT--
+===DONE===
diff --git a/ext/exif/tests/zero_length_makernote_leak.tiff b/ext/exif/tests/zero_length_makernote_leak.tiff
Binary files differ
new file mode 100644
index 0000000000..f1541b39b6
--- /dev/null
+++ b/ext/exif/tests/zero_length_makernote_leak.tiff |
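Review bot: The merged case group in exif_iif_free no longer carries any comment saying that value.s can be a non-NULL heap pointer when length is 0, now that the old "bytes do not need to allocate" comment went away with the length check; a later reader could reintroduce the `length<1` early break and bring the MAKERNOTE leak back with it. I would add above `case TAG_FMT_SBYTE:` the comment `/* value.s may be a non-NULL heap buffer even when length == 0 (e.g. a MAKERNOTE whose first byte is NUL), so every format that stores value.s is freed here */`. As a point of style, `default:` now sits between `case TAG_FMT_BYTE:` and the free and reads as though it belonged to the byte cases only; placing it first or last in the label group would make the intent clearer. The switch and exif_iif_free continue past the end of the hunk, so formats handled further down are outside this review.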
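Review bot: The free-before-assign is added only for TAG_MAKE and TAG_MODEL; any other `ImageInfo->` string field that this switch assigns with estrndup from tag data (outside the hunk) would leak the same way when a tag repeats, and should get the same EFREE_IF treatment if such fields exist. The new lines also lack a word on why a free is needed at an assignment, which matters because a repeated TAG_MAKE or TAG_MODEL in one IFD is a sign of malformed input rather than normal data; I would add `/* tag may appear more than once in a malformed file; release the earlier value instead of leaking it */` above the first EFREE_IF. Assuming EFREE_IF only frees and does not reset the pointer, that is harmless here because the field is reassigned on the very next line. exif_process_IFD_TAG begins and ends outside the hunk.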
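Review bot: The test asserts nothing beyond `===DONE===` and silences errors with `@`, so the leak is caught only by the leak report of a debug (ZEND_DEBUG) build and the test passes unconditionally on a release build; a reader of the `--FILE--` section cannot tell what is being verified. I would add, above the exif_read_data() call, `// The leak is detected by the debug allocator's leak report at shutdown; this test has no visible assertion of its own.` If the fuzzer input also produces warnings, listing them under `--EXPECTF--` instead of swallowing them with `@` would make the regression test stronger.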