From 3e139a465333d3b2bed4d23e42316ea952d96dd8 Mon Sep 17 00:00:00 2001 From: Nikita Popov Date: Thu, 19 Sep 2019 14:16:36 +0200 Subject: [PATCH] Fix exif leak on duplicate copyright tags --- ext/exif/exif.c | 4 ++++ ext/exif/tests/duplicate_copyright_tag_leak.phpt | 12 ++++++++++++ ext/exif/tests/duplicate_copyright_tag_leak.tiff | Bin 0 -> 9397 bytes 3 files changed, 16 insertions(+) create mode 100644 ext/exif/tests/duplicate_copyright_tag_leak.phpt create mode 100644 ext/exif/tests/duplicate_copyright_tag_leak.tiff diff --git a/ext/exif/exif.c b/ext/exif/exif.c index 984c9156391..25cec40df88 100644 --- a/ext/exif/exif.c +++ b/ext/exif/exif.c @@ -3418,6 +3418,9 @@ static int exif_process_IFD_TAG(image_info_type *ImageInfo, char *dir_entry, cha if (byte_count>1 && (length=php_strnlen(value_ptr, byte_count)) > 0) { if (lengthCopyrightPhotographer); + EFREE_IF(ImageInfo->CopyrightEditor); + EFREE_IF(ImageInfo->Copyright); ImageInfo->CopyrightPhotographer = estrdup(value_ptr); ImageInfo->CopyrightEditor = estrndup(value_ptr+length+1, byte_count-length-1); spprintf(&ImageInfo->Copyright, 0, "%s, %s", ImageInfo->CopyrightPhotographer, ImageInfo->CopyrightEditor); @@ -3425,6 +3428,7 @@ static int exif_process_IFD_TAG(image_info_type *ImageInfo, char *dir_entry, cha /* but we are not supposed to change this */ /* keep in mind that image_info does not store editor value */ } else { + EFREE_IF(ImageInfo->Copyright); ImageInfo->Copyright = estrndup(value_ptr, byte_count); } } diff --git a/ext/exif/tests/duplicate_copyright_tag_leak.phpt b/ext/exif/tests/duplicate_copyright_tag_leak.phpt new file mode 100644 index 00000000000..c5d50197941 --- /dev/null +++ b/ext/exif/tests/duplicate_copyright_tag_leak.phpt @@ -0,0 +1,12 @@ +--TEST-- +OSS-Fuzz #17474: Memory leak on duplicate Copyright tags +--FILE-- + +===DONE=== +--EXPECTF-- +===DONE=== 
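Review bot: The `EFREE_IF` calls added to the two-part branch carry no comment explaining why fields that look write-once can already be set when this tag is processed. A one-line comment above them would record the reason, for example `/* The Copyright tag may occur more than once; release the strings from an earlier occurrence */`. Between the frees and the three assignments the fields still hold the freed addresses unless `EFREE_IF` resets the pointer, which this hunk does not show; that matters only if one of the allocations in between can abort, so it is worth checking the macro. exif_process_IFD_TAG starts and ends outside the hunk.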
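Review bot: The `else` branch releases and replaces only `ImageInfo->Copyright`, so if an earlier Copyright tag in the same file took the two-part branch, `CopyrightPhotographer` and `CopyrightEditor` keep that earlier tag's strings while `Copyright` comes from the later one. This is not a leak, but the three fields end up describing different tags, and because the file content decides the tag order that state should be deliberate. If the last tag is meant to win, clear the pair here too with `EFREE_IF(ImageInfo->CopyrightPhotographer); ImageInfo->CopyrightPhotographer = NULL;` and the same for `CopyrightEditor`; otherwise add a comment saying the older pair is kept on purpose. The code that reads these fields is outside the hunk, so confirm against it.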
diff --git a/ext/exif/tests/duplicate_copyright_tag_leak.tiff b/ext/exif/tests/duplicate_copyright_tag_leak.tiff new file mode 100644 index 0000000000000000000000000000000000000000..48c7fe61ff0cd580ac582899205291206801f23f GIT binary patch literal 9397 zcmeHNPiP!v6#sp**>pFxaW=FBL}aNom6+09O%pAMiMGgUce{rkDn)3EU0KjXu;3rM z#HJz9>z=gOLoeb%5cIAG@ho`CNeKnpLuduHEsf^$_vX*eOm=3oSvPeH^H^ry_uiZD zz3xD}_*Xca|3X>X20PmO8!dK$GToB1vt{12QlM6Ud*fo+tl5 zfj5qIm|jD$d%>pGBJqz9D?o6%9v2&Yt7CKRS(dfHb$czWm89i9r?M^_oH5u;*GN z*u5Y0D=8ITnnt!*@Y4i;=sv(koq_hnK&!omyGd>7`~T+%v-06EqG=v|zgkHkoYyPV zlLyMP@13ijd*i^1A2i!kH_e=xBP1o55d_}~KrLYTQN2P34%BK>mw;iFwx}f51XQg? z4lfL+u>Jo?#tj2_s#JLOcnOJwa2@!==Jw<*VT%&s zn!`kUjTXD+h!u%&&91kMU34oKeY*U%>$1y%;N<%KQ5T86dy&JFX%RO9LB!YCOYk)< zG+>f6rlut#_85pwP6*sa%U0X!``F9hQckiBsDx$JPu~NlW)BafRxKNOc}1D~pN3d1 zQi=&if^Wx6R6OhaL5ku2^N*pR$J` zLmF0+Z0Xb1wZ-LjfEVv^PF)v(ix&veI(pe{|KqXE^+S;Y@9`D&qB#@RwG}fBwc7;spW-N?d+N5SCMKh^MIaRZbnb!qo zW0HB1p2h?>)K#{u+^gs)29G!-4{NrgQ%cK>F3kcWD~TIwi7iqIcBqJ+Am}YoM2-<@NH9Jn2at&3a!UB#<`j??PCp2z>nEg(+Rt#o3t^Io_(N zVIFhwx0T~FS2q9b`1r)+_;_yenaSL9hYsZ@^5c!8wWbt7;-sT8_(tw)wR9JA7R+yi z&HcATjE^a{l3Tx?=)KC_F9LX7YFGPcrC!Up=o&C4r7IFFn49~oQt?e!ILbr{_;pCW z6e-DJue~|$>aPg$y@_G;X$6-#m8WzHFErBiJM!@fH;<-v3sTO!IW;o3aOQC3CN;7C O`W)o2Q9xbZfqwzYCVbui literal 0 HcmV?d00001