Patch bug68799fix revision 2015-01-11 08:54 UTC by stas@php.net

Patch bug68799fix for EXIF related Bug #68799

Patch version 2015-01-11 08:54 UTC


Developer: stas@php.net

diff --git a/ext/exif/exif.c b/ext/exif/exif.c
index 637ebf9..7f95ff4 100644
--- a/ext/exif/exif.c
+++ b/ext/exif/exif.c
@@ -2702,7 +2702,7 @@ static int exif_process_user_comment(image_info_type *ImageInfo, char **pszInfoP
 static int exif_process_unicode(image_info_type *ImageInfo, xp_field_type *xp_field, int tag, char *szValuePtr, int ByteCount TSRMLS_DC)
 {
 	xp_field->tag = tag;	
-	
+	xp_field->value = NULL;
 	/* XXX this will fail again if encoding_converter returns on error something different than SIZE_MAX   */
 	if (zend_multibyte_encoding_converter(
 			(unsigned char**)&xp_field->value, 
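Review bot: The added `xp_field->value = NULL;` has no comment saying why it is needed, while the `XXX` remark directly below still describes the fragile error detection it compensates for, so a later cleanup could remove it as redundant. A short comment above the assignment would help, for example `/* value may later be freed even if conversion fails; never leave it uninitialised */`. The visible lines also do not reset the field's `size` member; if the failure path does not assign it, adding `xp_field->size = 0;` here would keep pointer and length consistent. The function body continues past the end of this hunk, so the error branch could not be checked.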
diff --git a/ext/exif/tests/bug68799.jpg b/ext/exif/tests/bug68799.jpg
new file mode 100644
index 0000000..acc326d
Binary files /dev/null and b/ext/exif/tests/bug68799.jpg differ
diff --git a/ext/exif/tests/bug68799.phpt b/ext/exif/tests/bug68799.phpt
new file mode 100644
index 0000000..b09f21c
--- /dev/null
+++ b/ext/exif/tests/bug68799.phpt
@@ -0,0 +1,63 @@
+--TEST--
+Bug #68799 (Free called on unitialized pointer)
+--SKIPIF--
+<?php if (!extension_loaded('exif')) print 'skip exif extension not available';?>
+--FILE--
+<?php
+/*
+* Pollute the heap. Helps trigger bug. Sometimes not needed.
+*/
+class A {
+    function __construct() {
+        $a = 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAa';
+        $this->a = $a . $a . $a . $a . $a . $a;
+    }
+};
+
+function doStuff ($limit) {
+
+    $a = new A;
+
+    $b = array();
+    for ($i = 0; $i < $limit; $i++) {
+        $b[$i] = clone $a;
+    }
+
+    unset($a);
+
+    gc_collect_cycles();
+}
+
+$iterations = 3;
+
+doStuff($iterations);
+doStuff($iterations);
+
+gc_collect_cycles();
+
+print_r(exif_read_data(__DIR__.'/bug68799.jpg'));
+
+?>
+--EXPECTF--
+Array
+(
+    [FileName] => bug68799.jpg
+    [FileDateTime] => %d
+    [FileSize] => 735
+    [FileType] => 2
+    [MimeType] => image/jpeg
+    [SectionsFound] => ANY_TAG, IFD0, WINXP
+    [COMPUTED] => Array
+        (
+            [html] => width="1" height="1"
+            [Height] => 1
+            [Width] => 1
+            [IsColor] => 1
+            [ByteOrderMotorola] => 1
+        )
+
+    [XResolution] => 96/1
+    [YResolution] => 96/1
+    [ResolutionUnit] => 2
+    [Author] => 
+)
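Review bot: This regression test can pass on an unpatched build, because whether the uninitialised pointer causes a visible failure depends on the heap state left by the `doStuff()` preamble (its own comment says it is "sometimes not needed"), and the only check is the printed array. Running the test under a memory checker, for example `run-tests.php -m` for Valgrind or an ASan build, would detect the bad free regardless of heap layout; a comment in the `--FILE--` section should say so. Class `A` assigns `$this->a` without declaring it, so adding `public $a;` would make the fixture explicit. The expected `[FileSize] => 735` ties the test to the exact bytes of `bug68799.jpg`, which is worth a one-line comment for whoever regenerates the fixture.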
 