Fix #76164: exif_read_data zend_mm_heap corrupted

We must not release parsed parameters ourselves, since this is already
done by the engine.

3 files changed, 19 insertions, 2 deletions

diff --git a/NEWS b/NEWS
index 9aa92bbaa1..c82db3257d 100644
--- a/NEWS
+++ b/NEWS
@@ -2,6 +2,9 @@ PHP                                                                        NEWS
 |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
 ?? ??? 2018, PHP 7.2.6
 
+- EXIF:
+  . Fixed bug #76164 (exif_read_data zend_mm_heap corrupted). (cmb)
+
 - Session:
   . Fixed bug #74892 (Url Rewriting (trans_sid) not working on urls that start
     with "#"). (Andrew Nester)
diff --git a/ext/exif/exif.c b/ext/exif/exif.c
index d9c591496b..43bd7a33c3 100644
--- a/ext/exif/exif.c
+++ b/ext/exif/exif.c
@@ -4457,13 +4457,11 @@ PHP_FUNCTION(exif_read_data)
 #ifdef EXIF_DEBUG
 		sections_str = exif_get_sectionlist(sections_needed);
 		if (!sections_str) {
-			zend_string_release(z_sections_needed);
 			RETURN_FALSE;
 		}
 		exif_error_docref(NULL EXIFERR_CC, &ImageInfo, E_NOTICE, "Sections needed: %s", sections_str[0] ? sections_str : "None");
 		EFREE_IF(sections_str);
 #endif
-		zend_string_release(z_sections_needed);
 	}
 
 	if (Z_TYPE_P(stream) == IS_RESOURCE) {
diff --git a/ext/exif/tests/bug76164.phpt b/ext/exif/tests/bug76164.phpt
new file mode 100644
index 0000000000..ea77e1d5e9
--- /dev/null
+++ b/ext/exif/tests/bug76164.phpt
@@ -0,0 +1,16 @@
+--TEST--

+Bug #76164 (exif_read_data zend_mm_heap corrupted)

+--SKIPIF--

+<?php

+if (!extension_loaded('exif')) die('skip exif extension not available');

+?>

+--FILE--

+<?php

+$var1 = 'nonexistentfile';

+$var2 = 2200000000;

+@exif_read_data($var1, $var2); // we're not interested in the warning, here

+$var2 = 1;

+?>

+===DONE===

+--EXPECT--

+===DONE===