Fix bug #78256 (heap-buffer-overflow on exif_process_user_comment)

(cherry picked from commit aeb6d13185a2ea4f1496ede2697469faed98ce05)

4 files changed, 15 insertions, 2 deletions

diff --git a/NEWS b/NEWS
index 8a3e4a5b42..f5e2de857f 100644
--- a/NEWS
+++ b/NEWS
@@ -3,6 +3,8 @@ PHP                                                                        NEWS
 ?? ??? ????, PHP 7.3.8
 
 - EXIF:
+  . Fixed bug #78256 (heap-buffer-overflow on exif_process_user_comment).
+    (CVE-2019-11042) (Stas)
   . Fixed bug #78222 (heap-buffer-overflow on exif_scan_thumbnail).
     (CVE-2019-11041) (Stas)
 
diff --git a/ext/exif/exif.c b/ext/exif/exif.c
index aa272c1d2b..3e005b5727 100644
--- a/ext/exif/exif.c
+++ b/ext/exif/exif.c
@@ -3015,11 +3015,11 @@ static int exif_process_user_comment(image_info_type *ImageInfo, char **pszInfoP
 			/* First try to detect BOM: ZERO WIDTH NOBREAK SPACE (FEFF 16)
 			 * since we have no encoding support for the BOM yet we skip that.
 			 */
-			if (!memcmp(szValuePtr, "\xFE\xFF", 2)) {
+			if (ByteCount >=2 && !memcmp(szValuePtr, "\xFE\xFF", 2)) {
 				decode = "UCS-2BE";
 				szValuePtr = szValuePtr+2;
 				ByteCount -= 2;
-			} else if (!memcmp(szValuePtr, "\xFF\xFE", 2)) {
+			} else if (ByteCount >=2 && !memcmp(szValuePtr, "\xFF\xFE", 2)) {
 				decode = "UCS-2LE";
 				szValuePtr = szValuePtr+2;
 				ByteCount -= 2;
diff --git a/ext/exif/tests/bug78256.jpg b/ext/exif/tests/bug78256.jpg
new file mode 100644
index 0000000000..56bf672629
--- /dev/null
+++ b/ext/exif/tests/bug78256.jpg
diff --git a/ext/exif/tests/bug78256.phpt b/ext/exif/tests/bug78256.phpt
new file mode 100644
index 0000000000..37a3f1d824
--- /dev/null
+++ b/ext/exif/tests/bug78256.phpt
@@ -0,0 +1,11 @@
+--TEST--
+Bug #78256 (heap-buffer-overflow on exif_process_user_comment)
+--SKIPIF--
+<?php if (!extension_loaded('exif')) print 'skip exif extension not available';?>
+--FILE--
+<?php
+@exif_read_data(__DIR__."/bug78256.jpg", 'COMMENT', FALSE, TRUE);
+?>
+DONE
+--EXPECTF--
+DONE
\ No newline at end of file