[2019-02-10 01:59 UTC] stas@php.net
-Type: Security
+Type: Bug
[2019-02-10 18:56 UTC] ramsey@php.net
[2019-02-11 22:17 UTC] ramsey@php.net
-Status: Open
+Status: Verified
-Assigned To:
+Assigned To: ramsey
[2019-02-12 08:29 UTC] nikic@php.net
[2019-02-12 08:29 UTC] nikic@php.net
-Status: Verified
+Status: Closed
Copyright © 2001-2025 The PHP Group. All rights reserved.
Last updated: Fri Oct 24 22:00:02 2025 UTC
Description:
------------
Version
--------
PHP 7.4.0-dev (cli)
PHP 7.3.1

Description
-----------
This bug is caused by the lines below in the exif_process_IFD_TAG method of the ext/exif/exif.c file.

...
case TAG_USERCOMMENT:
    ImageInfo->UserCommentLength = exif_process_user_comment(ImageInfo, &(ImageInfo->UserComment), &(ImageInfo->UserCommentEncoding), value_ptr, byte_count);
    break;
...

If the image has multiple exif comment tags, the exif_process_IFD_TAG or exif_process_user_comment methods do not free the already allocated memory for ImageInfo->UserComment and ImageInfo->UserCommentEncoding before setting new values.

Configure Line
---------------
./configure --prefix=/php/install --enable-cli --enable-exif --enable-debug --without-pear

Test script:
---------------
<?php
$img = fopen("php://memory","r+");
fwrite($img,hex2bin("ffd8e100464578696600004d4d002a0000000c000000000002928600010000000c00000026928600010000000c00000032554e49434f44450041414141554e49434f44450041414141"));
$s = exif_thumbnail($img);
?>

Actual result:
--------------
Valgrind Output
---------------
Source line numbers are from PHP 7.3.1

export USE_ZEND_ALLOC=0
export ZEND_DONT_UNLOAD_MODULES=1
valgrind --leak-check=yes bin/php test.php

=3566== 5 bytes in 1 blocks are definitely lost in loss record 1 of 2
==3566==    at 0x483021B: malloc (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==3566==    by 0x4A0495: __zend_malloc (zend_alloc.c:2904)
==3566==    by 0x49F82D: _emalloc (zend_alloc.c:2494)
==3566==    by 0x49FAE1: _safe_emalloc (zend_alloc.c:2556)
==3566==    by 0x24CC5A: exif_process_string_raw (exif.c:2958)
==3566==    by 0x24CE82: exif_process_user_comment (exif.c:3028)
==3566==    by 0x24DE92: exif_process_IFD_TAG (exif.c:3381)
==3566==    by 0x24E664: exif_process_IFD_in_JPEG (exif.c:3555)
==3566==    by 0x24E942: exif_process_TIFF_in_JPEG (exif.c:3644)
==3566==    by 0x24EA03: exif_process_APP1 (exif.c:3669)
==3566==    by 0x24EECE: exif_scan_JPEG_header (exif.c:3814)
==3566==    by 0x24FDF5: exif_scan_FILE_header (exif.c:4203)
==3566==
==3566== 8 bytes in 1 blocks are definitely lost in loss record 2 of 2
==3566==    at 0x483021B: malloc (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==3566==    by 0x4A0495: __zend_malloc (zend_alloc.c:2904)
==3566==    by 0x49F82D: _emalloc (zend_alloc.c:2494)
==3566==    by 0x49FC96: _estrdup (zend_alloc.c:2593)
==3566==    by 0x24CD8E: exif_process_user_comment (exif.c:2999)
==3566==    by 0x24DE92: exif_process_IFD_TAG (exif.c:3381)
==3566==    by 0x24E664: exif_process_IFD_in_JPEG (exif.c:3555)
==3566==    by 0x24E942: exif_process_TIFF_in_JPEG (exif.c:3644)
==3566==    by 0x24EA03: exif_process_APP1 (exif.c:3669)
==3566==    by 0x24EECE: exif_scan_JPEG_header (exif.c:3814)
==3566==    by 0x24FDF5: exif_scan_FILE_header (exif.c:4203)
==3566==    by 0x250664: exif_read_from_impl (exif.c:4344)
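The leak pattern the report describes, as an added example that is not PHP's code: a tag handler that stores freshly allocated strings into an owning struct without releasing the values a previous occurrence of the same tag left there, next to the corrected handler that frees first. The struct, the handler and helper names (image_info, handle_user_comment_leaky, handle_user_comment_fixed, leaked_after_two_tags) are hypothetical; the tag value is constructed to mirror the bytes in the report's test image (an 8-byte "UNICODE\0" encoding id followed by "AAAA"). Allocation counting replaces valgrind so the result is visible as a return value.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Counting wrappers make the leak observable without valgrind. */
static int live_allocs = 0;

static char *dup_counted(const char *s, size_t n) {
    char *p = malloc(n + 1);
    if (!p) abort();
    memcpy(p, s, n);
    p[n] = '\0';
    live_allocs++;
    return p;
}

static void free_counted(char *p) {
    if (p) { free(p); live_allocs--; }
}

/* Hypothetical stand-in for the fields of ImageInfo named in the report. */
typedef struct {
    char *user_comment;
    char *user_comment_encoding;
    size_t user_comment_length;
} image_info;

/* Raw value of one UserComment tag: 8-byte encoding id, then the comment. */
typedef struct { const char *bytes; size_t len; } tag_value;

static int split_user_comment(const tag_value *v, const char **enc, size_t *enc_len,
                              const char **body, size_t *body_len) {
    if (v->len < 8) return 0;                    /* too short to hold the id */
    const char *z = memchr(v->bytes, '\0', 8);   /* id may be NUL padded */
    *enc = v->bytes;
    *enc_len = z ? (size_t)(z - v->bytes) : 8;
    *body = v->bytes + 8;
    *body_len = v->len - 8;
    return 1;
}

/* Leaky pattern: every occurrence allocates new strings and overwrites the
 * previous pointers, so a second UserComment tag orphans the first pair. */
static void handle_user_comment_leaky(image_info *info, const tag_value *v) {
    const char *enc, *body; size_t el, bl;
    if (!split_user_comment(v, &enc, &el, &body, &bl)) return;
    info->user_comment_encoding = dup_counted(enc, el);
    info->user_comment = dup_counted(body, bl);
    info->user_comment_length = bl;
}

/* Fixed pattern: release whatever the struct already owns before storing
 * the new values, so repeated tags cannot accumulate allocations. */
static void handle_user_comment_fixed(image_info *info, const tag_value *v) {
    const char *enc, *body; size_t el, bl;
    if (!split_user_comment(v, &enc, &el, &body, &bl)) return;
    free_counted(info->user_comment_encoding);
    free_counted(info->user_comment);
    info->user_comment_encoding = dup_counted(enc, el);
    info->user_comment = dup_counted(body, bl);
    info->user_comment_length = bl;
}

/* The normal teardown: frees only what the struct currently points to. */
static void image_info_release(image_info *info) {
    free_counted(info->user_comment_encoding);
    free_counted(info->user_comment);
    info->user_comment = info->user_comment_encoding = NULL;
    info->user_comment_length = 0;
}

/* Feed two UserComment tags (as in the report's image) to a handler, tear
 * the struct down, and return how many allocations were never freed. */
static int leaked_after_two_tags(void (*handler)(image_info *, const tag_value *)) {
    /* Constructed value: "UNICODE\0" + "AAAA" = 12 bytes, embedded NUL kept. */
    static const char raw[] = "UNICODE\0AAAA";
    tag_value tags[2] = { { raw, 12 }, { raw, 12 } };
    image_info info = { NULL, NULL, 0 };
    live_allocs = 0;
    for (int i = 0; i < 2; i++) handler(&info, &tags[i]);
    image_info_release(&info);
    return live_allocs;
}

int main(void) {
    printf("leaky handler: %d allocation(s) leaked\n",
           leaked_after_two_tags(handle_user_comment_leaky));
    printf("fixed handler: %d allocation(s) leaked\n",
           leaked_after_two_tags(handle_user_comment_fixed));
    return 0;
}
```

The leaky handler loses two blocks for the two-tag input, matching the two "definitely lost" records in the valgrind output above (one for the comment, one for the encoding); the fixed handler loses none. The same ownership rule generalises to any parser field that a repeatable tag can populate: a slot that owns heap memory must be released (or the duplicate rejected) before it is reassigned.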