From 0701835c01e914fdaefe51ecf31c4821ed1554be Mon Sep 17 00:00:00 2001
From: Nikita Popov
Date: Sat, 21 Sep 2019 20:38:24 +0200
Subject: [PATCH] Fix multiple leaks in exif_read_data()

This fixes two leaks related to duplicate tags, as well as a leak of zero-length FMT_(S)BYTE with non-null value. This can show up for MAKERNOTE values where the original length is non-zero, but the first character is a null byte.
---
 ext/exif/exif.c                                |  11 +++++------
 ext/exif/tests/zero_length_makernote_leak.phpt |  11 +++++++++++
 ext/exif/tests/zero_length_makernote_leak.tiff | Bin 0 -> 164 bytes
 3 files changed, 16 insertions(+), 6 deletions(-)
 create mode 100644 ext/exif/tests/zero_length_makernote_leak.phpt
 create mode 100644 ext/exif/tests/zero_length_makernote_leak.tiff

diff --git a/ext/exif/exif.c b/ext/exif/exif.c
index f6eb26a9979..01b54012f46 100644
--- a/ext/exif/exif.c
+++ b/ext/exif/exif.c
@@ -2322,14 +2322,11 @@ static void exif_iif_free(image_info_type *image_info, int section_index) {
 				efree(f);
 			}
 			switch(image_info->info_list[section_index].list[i].format) {
-				case TAG_FMT_SBYTE:
-				case TAG_FMT_BYTE:
-					/* in contrast to strings bytes do not need to allocate buffer for NULL if length==0 */
-					if (image_info->info_list[section_index].list[i].length<1)
-						break;
-				default:
 				case TAG_FMT_UNDEFINED:
 				case TAG_FMT_STRING:
+				case TAG_FMT_SBYTE:
+				case TAG_FMT_BYTE:
+				default:
 					if ((f=image_info->info_list[section_index].list[i].value.s) != NULL) {
 						efree(f);
 					}
@@ -3543,9 +3540,11 @@ static int exif_process_IFD_TAG(image_info_type *ImageInfo, char *dir_entry, cha
 				break;
 
 			case TAG_MAKE:
+				EFREE_IF(ImageInfo->make);
 				ImageInfo->make = estrndup(value_ptr, byte_count);
 				break;
 
 			case TAG_MODEL:
+				EFREE_IF(ImageInfo->model);
 				ImageInfo->model = estrndup(value_ptr, byte_count);
 				break;
diff --git a/ext/exif/tests/zero_length_makernote_leak.phpt b/ext/exif/tests/zero_length_makernote_leak.phpt
new file mode 100644
index 00000000000..37d0e0c5731
--- /dev/null
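Review bot: The merged `case TAG_FMT_SBYTE:` / `case TAG_FMT_BYTE:` labels now hand `value.s` to `efree()` for every byte-format entry, so the free is only safe if `value.s` is NULL whenever the add path allocated nothing for that entry; that invariant is established outside this hunk and the removed comment that documented the old length-based special case is not replaced. If `value` is a union, as the `.s` accessor suggests, an entry that was left holding a non-pointer member would be passed to `efree()` here, so the invariant deserves a comment such as `/* SBYTE/BYTE entries always hold a heap pointer in value.s (NULL when nothing was allocated, including zero-length MAKERNOTE values), so they are released like strings */`. Keying the release on the pointer rather than on `length` is the right fix, since a zero-length `estrndup()` result still has to be freed. exif_iif_free begins before the hunk.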
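Review bot: `EFREE_IF(ImageInfo->make);` and `EFREE_IF(ImageInfo->model);` turn a repeated TAG_MAKE or TAG_MODEL into last-wins, which closes the leak but does so silently: a file carrying duplicate tags now replaces the earlier value with no trace, and duplicate tags are precisely the malformed input the fuzzer produced. A one-line comment would record the chosen policy, e.g. `/* duplicate tag: the later entry wins, release the earlier copy */`, and if this file already reports malformed IFD entries through a warning path it may be worth raising it here as well. Any other case in this switch that assigns a fresh `estrndup()` result into an ImageInfo field needs the same guard; the switch continues outside the hunk in both directions, and exif_process_IFD_TAG begins before it.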
+++ b/ext/exif/tests/zero_length_makernote_leak.phpt @@ -0,0 +1,11 @@ +--TEST-- +OSS-Fuzz: Memory leak for zero-length MAKERNOTE +--FILE-- + +===DONE=== +--EXPECT-- +===DONE=== diff --git a/ext/exif/tests/zero_length_makernote_leak.tiff b/ext/exif/tests/zero_length_makernote_leak.tiff new file mode 100644 index 0000000000000000000000000000000000000000..f1541b39b62b76f624100fab37f8abe9ee60cef8 GIT binary patch literal 164 zcmebD)MDUZU|`^6=wy&u$_!+EXJKH-Y-M1O0J80YxMq^W3kM*r0L1)^Ouxi|bT1Ht z03kJxPd)t42vqlufr%lrogpv!KdT_fw*Lu?{~7;-OsE5je`OHtVNg&|VDQb%%g-rE V)KT#E_w#giRPgom^Y;mH1OP=qB3J+b literal 0 HcmV?d00001