| author | Nikita Popov <nikita.ppv@gmail.com> | 2019-09-21 20:38:24 +0200 |
|---|---|---|
| committer | Nikita Popov <nikita.ppv@gmail.com> | 2019-09-21 20:40:03 +0200 |
| commit | 0701835c01e914fdaefe51ecf31c4821ed1554be (patch) | |
| tree | b69bdbf412874e51b0cce48f6d7bd99feb9d4b62 /ext/exif/exif.c | |
| parent | 0d6c2448a7b0276c2e72249aa1efb4fcffdc96d8 (diff) | |
| download | php-git-0701835c01e914fdaefe51ecf31c4821ed1554be.tar.gz | |
Fix multiple leaks in exif_read_data()
This fixes two leaks related to duplicate tags, as well as a leak
of zero-length FMT_(S)BYTE with non-null value. This can show up
for MAKERNOTE values where the original length is non-zero, but
the first character is a null byte.
Diffstat (limited to 'ext/exif/exif.c')
| -rw-r--r-- | ext/exif/exif.c | 9 |
1 files changed, 4 insertions, 5 deletions
diff --git a/ext/exif/exif.c b/ext/exif/exif.c
index f6eb26a997..01b54012f4 100644
--- a/ext/exif/exif.c
+++ b/ext/exif/exif.c
@@ -2322,14 +2322,11 @@ static void exif_iif_free(image_info_type *image_info, int section_index) {
 efree(f);
 }
 switch(image_info->info_list[section_index].list[i].format) {
+ case TAG_FMT_UNDEFINED:
+ case TAG_FMT_STRING:
 case TAG_FMT_SBYTE:
 case TAG_FMT_BYTE:
- /* in contrast to strings bytes do not need to allocate buffer for NULL if length==0 */
- if (image_info->info_list[section_index].list[i].length<1)
- break;
 default:
- case TAG_FMT_UNDEFINED:
- case TAG_FMT_STRING:
 if ((f=image_info->info_list[section_index].list[i].value.s) != NULL) {
 efree(f);
 }
@@ -3543,9 +3540,11 @@ static int exif_process_IFD_TAG(image_info_type *ImageInfo, char *dir_entry, cha
 break;
 case TAG_MAKE:
+ EFREE_IF(ImageInfo->make);
 ImageInfo->make = estrndup(value_ptr, byte_count);
 break;
 case TAG_MODEL:
+ EFREE_IF(ImageInfo->model);
 ImageInfo->model = estrndup(value_ptr, byte_count);
 break;
|
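Review bot: In the exif_iif_free hunk, the four `case` labels that now sit directly above `default:` fall through without any comment, and the removed comment was the only place that explained how byte and string values differ. Because the free now also runs for `TAG_FMT_BYTE`/`TAG_FMT_SBYTE` when `length` is 0, the branch relies on `value.s` being either NULL or a heap pointer owned by the entry for every format that reaches it; the code that stores `value.s` is not visible here, so that invariant should be confirmed. I would add `/* value.s is heap-owned for these formats and is freed regardless of length */` above the labels. The switch and the function continue outside the hunk.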
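Review bot: In the exif_process_IFD_TAG hunk, freeing the previous `ImageInfo->make` and `ImageInfo->model` before reassigning them is only safe if nothing else still holds the old pointer while the remaining tags are processed. That cannot be confirmed from this hunk, because the function starts and ends outside it. A short comment such as `/* a tag may occur more than once in a file; drop the earlier copy */` above each `EFREE_IF` would record why the free is there. Any other string field assigned with `estrndup` in this switch would presumably leak in the same way on a duplicate tag, so the cases outside the hunk are worth checking.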
