From c14eb8de974fc8a4d74f3515424c293bc7a40fba Mon Sep 17 00:00:00 2001
From: Stanislav Malyshev <stas@php.net>
Date: Mon, 16 Dec 2019 01:14:38 -0800
Subject: [PATCH 1/2] Fix bug #78793

---
 ext/exif/exif.c              |  5 +++--
 ext/exif/tests/bug78793.phpt | 12 ++++++++++++
 2 files changed, 15 insertions(+), 2 deletions(-)
 create mode 100644 ext/exif/tests/bug78793.phpt

diff --git a/ext/exif/exif.c b/ext/exif/exif.c
index c0be05922fb..7fe055f381d 100644
--- a/ext/exif/exif.c
+++ b/ext/exif/exif.c
@@ -3240,8 +3240,9 @@ static int exif_process_IFD_in_MAKERNOTE(image_info_type *ImageInfo, char * valu
 	}
 
 	for (de=0;de<NumDirEntries;de++) {
-		if (!exif_process_IFD_TAG(ImageInfo, dir_start + 2 + 12 * de,
-								  offset_base, data_len, displacement, section_index, 0, maker_note->tag_table)) {
+		size_t offset = 2 + 12 * de;
+		if (!exif_process_IFD_TAG(ImageInfo, dir_start + offset,
+								  offset_base, data_len - offset, displacement, section_index, 0, maker_note->tag_table)) {
 			return FALSE;
 		}
 	}
diff --git a/ext/exif/tests/bug78793.phpt b/ext/exif/tests/bug78793.phpt
new file mode 100644
index 00000000000..033f255ace0
--- /dev/null
+++ b/ext/exif/tests/bug78793.phpt
@@ -0,0 +1,12 @@
+--TEST--
+Bug #78793: Use-after-free in exif parsing under memory sanitizer
+--FILE--
+<?php
+$f = "ext/exif/tests/bug77950.tiff";
+for ($i = 0; $i < 10; $i++) {
+    @exif_read_data($f);
+}
+?>
+===DONE===
+--EXPECT--
+===DONE===

From 6d5cddabafaba158ed4c362054be7f097859a392 Mon Sep 17 00:00:00 2001
From: Stanislav Malyshev <stas@php.net>
Date: Mon, 16 Dec 2019 10:03:43 -0800
Subject: [PATCH 2/2] Fix test

---
 ext/exif/tests/bug76557.phpt | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ext/exif/tests/bug76557.phpt b/ext/exif/tests/bug76557.phpt
index 0b48b792ea9..162e8d99a59 100644
--- a/ext/exif/tests/bug76557.phpt
+++ b/ext/exif/tests/bug76557.phpt
@@ -70,7 +70,7 @@ Warning: exif_read_data(bug76557.jpg): Process tag(x3030=UndefinedTa): Illegal f
 
 Warning: exif_read_data(bug76557.jpg): Process tag(x3030=UndefinedTa): Illegal format code 0x3030, suppose BYTE in %sbug76557.php on line %d
 
-Warning: exif_read_data(bug76557.jpg): Process tag(x3030=UndefinedTa): Illegal pointer offset(x30303030 + x30303030 = x60606060 > x00EE) in %sbug76557.php on line %d
+Warning: exif_read_data(bug76557.jpg): Process tag(x3030=UndefinedTa): Illegal pointer offset(x30303030 + x30303030 = x60606060 > %s) in %sbug76557.php on line %d
 
 Warning: exif_read_data(bug76557.jpg): File structure corrupted in %sbug76557.php on line %d