From 56af25cc1c7cde3fd7424eceda38d13ced47f99c Mon Sep 17 00:00:00 2001
From: Niels Dossche <7771979+nielsdos@users.noreply.github.com>
Date: Tue, 14 Oct 2025 22:23:09 +0200
Subject: [PATCH] exif: Fix possible memory leak when tag is empty
When `!value_ptr` is handled, memory is allocated at line 3314. At later exit paths, `outside` (pointing to `value_ptr`) is freed, but not when exiting via the `REQUIRE_NON_EMPTY` macro.
Closes GH-20169.
---
 NEWS | 3 +++
 ext/exif/exif.c | 1 +
 2 files changed, 4 insertions(+)
diff --git a/NEWS b/NEWS
index 9c0be9d18a3..de913357bae 100644
--- a/NEWS
+++ b/NEWS
@@ -12,6 +12,9 @@ PHP NEWS
 . Partially fixed bug GH-16317 (DOM classes do not allow __debugInfo() overrides to work). (nielsdos)
+- Exif:
+ . Fix possible memory leak when tag is empty. (nielsdos)
+
 - FPM:
 . Fixed bug GH-19974 (fpm_status_export_to_zval segfault for parallel execution). (Jakub Zelenka, txuna)
diff --git a/ext/exif/exif.c b/ext/exif/exif.c
index edae9dc0f73..e6be4a1338d 100644
--- a/ext/exif/exif.c
+++ b/ext/exif/exif.c
@@ -3253,6 +3253,7 @@ static bool exif_process_IFD_in_MAKERNOTE(image_info_type *ImageInfo, char * val
 #define REQUIRE_NON_EMPTY() do { \
 if (byte_count == 0) { \
+ EFREE_IF(outside); \
 exif_error_docref("exif_read_data#error_ifd" EXIFERR_CC, ImageInfo, E_WARNING, "Process tag(x%04X=%s): Cannot be empty", tag, exif_get_tagname_debug(tag, tag_table)); \
 return false; \
 } \
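Review bot: The added `EFREE_IF(outside);` in `REQUIRE_NON_EMPTY()` makes the macro depend on a local named `outside` being in scope and initialised (NULL when nothing was allocated) at every expansion site, and nothing at the definition says so. The macro already hides a `return false`, so I would put the cleanup contract in a comment above the `#define`, for example `/* Early exit for empty tags: frees outside if set, emits the warning, returns false. Needs byte_count, tag, tag_table and outside in scope; outside must be NULL or a buffer owned by the caller. */`. The macro body continues past the end of the hunk, and its expansion sites and the allocation mentioned in the commit message are not visible here, so the initialisation of `outside` on every path that reaches the macro should be confirmed there. Because this code parses untrusted image metadata, a regression test that feeds an empty tag through this path under the leak checker would be worth adding; the diffstat lists only NEWS and exif.c.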