From 44035de79f5b9646064d9bdd0329a946b0c5372a Mon Sep 17 00:00:00 2001 From: Stanislav Malyshev Date: Sun, 28 Sep 2014 17:33:44 -0700 Subject: [PATCH 1/8] Fix bug #68027 - fix date parsing in XMLRPC lib --- ext/xmlrpc/libxmlrpc/xmlrpc.c | 13 ++++++---- ext/xmlrpc/tests/bug68027.phpt | 44 ++++++++++++++++++++++++++++++++++ 2 files changed, 52 insertions(+), 5 deletions(-) create mode 100644 ext/xmlrpc/tests/bug68027.phpt diff --git a/ext/xmlrpc/libxmlrpc/xmlrpc.c b/ext/xmlrpc/libxmlrpc/xmlrpc.c index ce70c2afd90..b766a5495a4 100644 --- a/ext/xmlrpc/libxmlrpc/xmlrpc.c +++ b/ext/xmlrpc/libxmlrpc/xmlrpc.c @@ -219,16 +219,19 @@ static int date_from_ISO8601 (const char *text, time_t * value) { n = 10; tm.tm_mon = 0; for(i = 0; i < 2; i++) { - XMLRPC_IS_NUMBER(text[i]) + XMLRPC_IS_NUMBER(text[i+4]) tm.tm_mon += (text[i+4]-'0')*n; n /= 10; } tm.tm_mon --; + if(tm.tm_mon < 0 || tm.tm_mon > 11) { + return -1; + } n = 10; tm.tm_mday = 0; for(i = 0; i < 2; i++) { - XMLRPC_IS_NUMBER(text[i]) + XMLRPC_IS_NUMBER(text[i+6]) tm.tm_mday += (text[i+6]-'0')*n; n /= 10; } @@ -236,7 +239,7 @@ static int date_from_ISO8601 (const char *text, time_t * value) { n = 10; tm.tm_hour = 0; for(i = 0; i < 2; i++) { - XMLRPC_IS_NUMBER(text[i]) + XMLRPC_IS_NUMBER(text[i+9]) tm.tm_hour += (text[i+9]-'0')*n; n /= 10; } @@ -244,7 +247,7 @@ static int date_from_ISO8601 (const char *text, time_t * value) { n = 10; tm.tm_min = 0; for(i = 0; i < 2; i++) { - XMLRPC_IS_NUMBER(text[i]) + XMLRPC_IS_NUMBER(text[i+12]) tm.tm_min += (text[i+12]-'0')*n; n /= 10; } @@ -252,7 +255,7 @@ static int date_from_ISO8601 (const char *text, time_t * value) { n = 10; tm.tm_sec = 0; for(i = 0; i < 2; i++) { - XMLRPC_IS_NUMBER(text[i]) + XMLRPC_IS_NUMBER(text[i+15]) tm.tm_sec += (text[i+15]-'0')*n; n /= 10; } diff --git a/ext/xmlrpc/tests/bug68027.phpt b/ext/xmlrpc/tests/bug68027.phpt new file mode 100644 index 00000000000..a5c96f1cf29 --- /dev/null +++ b/ext/xmlrpc/tests/bug68027.phpt 
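Review bot: The new month guard is the only range check in date_from_ISO8601; the day, hour, minute and second loops in this and the three following hunks still accept any two-digit value (day 00 or 99, hour 99), so if mkgmtime indexes a per-month table with tm_mday or loops on the other fields, the class of out-of-range access the month check closes stays open — adding `if(tm.tm_mday < 1 || tm.tm_mday > 31) { return -1; }` after the day loop, and the analogous 0..23 / 0..59 bounds after the hour, minute and second loops, would make the validation uniform. The corrected XMLRPC_IS_NUMBER offsets stop the parse at a NUL only for the byte they test; the separator positions 8, 11 and 14 are never tested, so a string that ends right after the day digits lets `XMLRPC_IS_NUMBER(text[i+9])` read past the terminator unless the part of the function above this hunk enforces a minimum length — worth confirming, or checking the separator bytes explicitly. The function's start (the year loop) and its end (the mkgmtime call) lie outside these hunks. Patch 5/8 repeats the same hunks unchanged.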
@@ -0,0 +1,44 @@ +--TEST-- +Bug #68027 (buffer overflow in mkgmtime() function) +--SKIPIF-- + +--FILE-- +$datetime"); +print_r($obj); + +$datetime = "34770-0-08T21:46:40-0400"; +$obj = xmlrpc_decode("$datetime"); +print_r($obj); + +echo "Done\n"; +?> +--EXPECTF-- +object(stdClass)#1 (3) { + ["scalar"]=> + string(16) "6-01-01 20:00:00" + ["xmlrpc_type"]=> + string(8) "datetime" + ["timestamp"]=> + int(%d) +} +stdClass Object +( + [scalar] => 2001-0-08T21:46:40-0400 + [xmlrpc_type] => datetime + [timestamp] => %s +) +stdClass Object +( + [scalar] => 34770-0-08T21:46:40-0400 + [xmlrpc_type] => datetime + [timestamp] => %d +) +Done From 9aa90145239bae82d2af0a99fdae4ab27eb5f4f2 Mon Sep 17 00:00:00 2001 From: Stanislav Malyshev Date: Sun, 28 Sep 2014 14:19:31 -0700 Subject: [PATCH 2/8] Fixed bug #68044: Integer overflow in unserialize() (32-bits only) --- ext/standard/tests/serialize/bug68044.phpt | 12 ++++++++++++ ext/standard/var_unserializer.c | 4 ++-- ext/standard/var_unserializer.re | 2 +- 3 files changed, 15 insertions(+), 3 deletions(-) create mode 100644 ext/standard/tests/serialize/bug68044.phpt diff --git a/ext/standard/tests/serialize/bug68044.phpt b/ext/standard/tests/serialize/bug68044.phpt new file mode 100644 index 00000000000..031e44e1498 --- /dev/null +++ b/ext/standard/tests/serialize/bug68044.phpt @@ -0,0 +1,12 @@ +--TEST-- +Bug #68044 Integer overflow in unserialize() (32-bits only) +--FILE-- + +===DONE== +--EXPECTF-- +Warning: Insufficient data for unserializing - %d required, 1 present in %s/bug68044.php on line 2 + +Notice: unserialize(): Error at offset 32 of 33 bytes in %s/bug68044.php on line 2 +===DONE== diff --git a/ext/standard/var_unserializer.c b/ext/standard/var_unserializer.c index 657051f6f72..8129da3d825 100644 --- a/ext/standard/var_unserializer.c +++ b/ext/standard/var_unserializer.c 
@@ -1,4 +1,4 @@ -/* Generated by re2c 0.13.5 on Sat Jun 21 21:27:56 2014 */ +/* Generated by re2c 0.13.5 */ #line 1 "ext/standard/var_unserializer.re" /* +----------------------------------------------------------------------+ @@ -372,7 +372,7 @@ static inline int object_custom(UNSERIALIZE_PARAMETER, zend_class_entry *ce) (*p) += 2; - if (datalen < 0 || (*p) + datalen >= max) { + if (datalen < 0 || (max - (*p)) <= datalen) { zend_error(E_WARNING, "Insufficient data for unserializing - %ld required, %ld present", datalen, (long)(max - (*p))); return 0; } diff --git a/ext/standard/var_unserializer.re b/ext/standard/var_unserializer.re index 130750805f4..6de158392e1 100644 --- a/ext/standard/var_unserializer.re +++ b/ext/standard/var_unserializer.re @@ -376,7 +376,7 @@ static inline int object_custom(UNSERIALIZE_PARAMETER, zend_class_entry *ce) (*p) += 2; - if (datalen < 0 || (*p) + datalen >= max) { + if (datalen < 0 || (max - (*p)) <= datalen) { zend_error(E_WARNING, "Insufficient data for unserializing - %ld required, %ld present", datalen, (long)(max - (*p))); return 0; } From d1e030db02f402efebfe2976482dd7e7ebe2956f Mon Sep 17 00:00:00 2001 From: Stanislav Malyshev Date: Sun, 28 Sep 2014 17:53:49 -0700 Subject: [PATCH 3/8] Fix bug #68089 - do not accept options with embedded \0 Conflicts: ext/curl/interface.c --- ext/curl/interface.c | 5 +++++ ext/curl/tests/bug68089.phpt | 18 ++++++++++++++++++ 2 files changed, 23 insertions(+) create mode 100644 ext/curl/tests/bug68089.phpt diff --git a/ext/curl/interface.c b/ext/curl/interface.c index 765918cc354..eab2edf663b 100644 --- a/ext/curl/interface.c +++ b/ext/curl/interface.c @@ -169,6 +169,11 @@ static int php_curl_option_str(php_curl *ch, long option, const char *str, const { CURLcode error = CURLE_OK; + if (strlen(str) != len) { + php_error_docref(NULL TSRMLS_CC, E_WARNING, "Curl option contains invalid characters (\\0)"); + return 0; + } + #if LIBCURL_VERSION_NUM >= 0x071100 if (make_copy) { #endif 
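Review bot: The rewritten condition in object_custom reads as a cosmetic rearrangement, but it is the whole fix — `(*p) + datalen` can wrap past the end of the address space on 32-bit builds when `datalen` comes from untrusted input, while `max - (*p)` is a bounded difference — so a comment above the `if` should say so, e.g. `/* compare lengths, not pointers: (*p) + datalen can wrap on 32-bit */`. The strict `<=` still rejects a payload that fits exactly with nothing after it, as the old `>=` did; if that is deliberate because a closing byte must follow, the same comment should record it. The identical condition is changed in var_unserializer.re in the next hunk (and again in patch 6/8), so the comment belongs in the .re source with the .c regenerated from it; object_custom starts and ends outside the hunk.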
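Review bot: The added NUL check in php_curl_option_str relies on `str` being NUL-terminated at exactly `len`, since `strlen(str)` walks to the first NUL regardless of `len`; a bounded scan, `if (memchr(str, '\0', len) != NULL) {`, tests only the `len` bytes the caller vouches for and states the intent (no embedded NUL) without depending on the terminator. The type of `len` is cut off at the hunk's first line (the signature ends in `const`); if it is a signed int, the comparison against `size_t` is a signed/unsigned mismatch that the memchr form also avoids. A short comment above the check, `/* libcurl takes C strings: bytes after an embedded NUL would be silently dropped */`, would record why the option is rejected rather than truncated. The rest of the function, including the copy branch under the LIBCURL_VERSION_NUM conditional, is outside the hunk; patch 7/8 repeats this hunk.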
diff --git a/ext/curl/tests/bug68089.phpt b/ext/curl/tests/bug68089.phpt new file mode 100644 index 00000000000..3bd5889709b --- /dev/null +++ b/ext/curl/tests/bug68089.phpt @@ -0,0 +1,18 @@ +--TEST-- +Bug #68089 (NULL byte injection - cURL lib) +--SKIPIF-- + +--FILE-- + +Done +--EXPECTF-- +Warning: curl_setopt(): Curl option contains invalid characters (\0) in %s/bug68089.php on line 4 +bool(false) +Done From ddb207e7fa2e9adeba021a1303c3781efda5409b Mon Sep 17 00:00:00 2001 From: Stanislav Malyshev Date: Sun, 28 Sep 2014 16:57:42 -0700 Subject: [PATCH 4/8] Fix bug #68113 (Heap corruption in exif_thumbnail()) --- ext/exif/exif.c | 4 ++-- ext/exif/tests/bug68113.jpg | Bin 0 -> 368 bytes ext/exif/tests/bug68113.phpt | 17 +++++++++++++++++ 3 files changed, 19 insertions(+), 2 deletions(-) create mode 100755 ext/exif/tests/bug68113.jpg create mode 100644 ext/exif/tests/bug68113.phpt diff --git a/ext/exif/exif.c b/ext/exif/exif.c index 38907b4d942..637ebf9289b 100644 --- a/ext/exif/exif.c +++ b/ext/exif/exif.c @@ -2426,11 +2426,11 @@ static void* exif_ifd_make_value(image_info_data *info_data, int motorola_intel data_ptr += 8; break; case TAG_FMT_SINGLE: - memmove(data_ptr, &info_data->value.f, byte_count); + memmove(data_ptr, &info_value->f, 4); data_ptr += 4; break; case TAG_FMT_DOUBLE: - memmove(data_ptr, &info_data->value.d, byte_count); + memmove(data_ptr, &info_value->d, 8); data_ptr += 8; break; } diff --git a/ext/exif/tests/bug68113.jpg b/ext/exif/tests/bug68113.jpg new file mode 100755 index 0000000000000000000000000000000000000000..3ce7a620fb108a47d08d669552b995abbacea06a GIT binary patch literal 368 zcmex= +--FILE-- + +Done +--EXPECTF-- +Warning: exif_thumbnail(bug68113.jpg): File structure corrupted in %s/bug68113.php on line 2 + +Warning: exif_thumbnail(bug68113.jpg): Invalid JPEG file in %s/bug68113.php on line 2 +bool(false) +Done \ No newline at end of file From 2142d78281fe093043b50897d8a22f00910dfd0c Mon Sep 17 00:00:00 2001 
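Review bot: The two memmove calls in exif_ifd_make_value now copy a fixed 4 or 8 bytes from `info_value`, matching the `data_ptr += 4` / `+= 8` that follows, but nothing says why the old `byte_count` was wrong; a one-line comment, `/* byte_count spans the whole array; copy a single element here */`, would stop a later reader from "simplifying" it back. The literals are presumably the on-wire widths of the SINGLE and DOUBLE tag formats, so switching the source side to `sizeof(info_value->f)` / `sizeof(info_value->d)` is only equivalent when `sizeof(float) == 4` and `sizeof(double) == 8` — if that assumption is intended, a compile-time size check at file scope would make it explicit; otherwise the literals should stay as they are. `info_value` is declared outside the hunk, as are the start and end of the function and its switch; patch 8/8 repeats this hunk.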
From: Stanislav Malyshev Date: Sun, 28 Sep 2014 17:33:44 -0700 Subject: [PATCH 5/8] Fix bug #68027 - fix date parsing in XMLRPC lib --- ext/xmlrpc/libxmlrpc/xmlrpc.c | 13 ++++++---- ext/xmlrpc/tests/bug68027.phpt | 44 ++++++++++++++++++++++++++++++++++ 2 files changed, 52 insertions(+), 5 deletions(-) create mode 100644 ext/xmlrpc/tests/bug68027.phpt diff --git a/ext/xmlrpc/libxmlrpc/xmlrpc.c b/ext/xmlrpc/libxmlrpc/xmlrpc.c index ce70c2afd90..b766a5495a4 100644 --- a/ext/xmlrpc/libxmlrpc/xmlrpc.c +++ b/ext/xmlrpc/libxmlrpc/xmlrpc.c @@ -219,16 +219,19 @@ static int date_from_ISO8601 (const char *text, time_t * value) { n = 10; tm.tm_mon = 0; for(i = 0; i < 2; i++) { - XMLRPC_IS_NUMBER(text[i]) + XMLRPC_IS_NUMBER(text[i+4]) tm.tm_mon += (text[i+4]-'0')*n; n /= 10; } tm.tm_mon --; + if(tm.tm_mon < 0 || tm.tm_mon > 11) { + return -1; + } n = 10; tm.tm_mday = 0; for(i = 0; i < 2; i++) { - XMLRPC_IS_NUMBER(text[i]) + XMLRPC_IS_NUMBER(text[i+6]) tm.tm_mday += (text[i+6]-'0')*n; n /= 10; } @@ -236,7 +239,7 @@ static int date_from_ISO8601 (const char *text, time_t * value) { n = 10; tm.tm_hour = 0; for(i = 0; i < 2; i++) { - XMLRPC_IS_NUMBER(text[i]) + XMLRPC_IS_NUMBER(text[i+9]) tm.tm_hour += (text[i+9]-'0')*n; n /= 10; } @@ -244,7 +247,7 @@ static int date_from_ISO8601 (const char *text, time_t * value) { n = 10; tm.tm_min = 0; for(i = 0; i < 2; i++) { - XMLRPC_IS_NUMBER(text[i]) + XMLRPC_IS_NUMBER(text[i+12]) tm.tm_min += (text[i+12]-'0')*n; n /= 10; } @@ -252,7 +255,7 @@ static int date_from_ISO8601 (const char *text, time_t * value) { n = 10; tm.tm_sec = 0; for(i = 0; i < 2; i++) { - XMLRPC_IS_NUMBER(text[i]) + XMLRPC_IS_NUMBER(text[i+15]) tm.tm_sec += (text[i+15]-'0')*n; n /= 10; } diff --git a/ext/xmlrpc/tests/bug68027.phpt b/ext/xmlrpc/tests/bug68027.phpt new file mode 100644 index 00000000000..a5c96f1cf29 --- /dev/null +++ b/ext/xmlrpc/tests/bug68027.phpt 
@@ -0,0 +1,44 @@ +--TEST-- +Bug #68027 (buffer overflow in mkgmtime() function) +--SKIPIF-- + +--FILE-- +$datetime"); +print_r($obj); + +$datetime = "34770-0-08T21:46:40-0400"; +$obj = xmlrpc_decode("$datetime"); +print_r($obj); + +echo "Done\n"; +?> +--EXPECTF-- +object(stdClass)#1 (3) { + ["scalar"]=> + string(16) "6-01-01 20:00:00" + ["xmlrpc_type"]=> + string(8) "datetime" + ["timestamp"]=> + int(%d) +} +stdClass Object +( + [scalar] => 2001-0-08T21:46:40-0400 + [xmlrpc_type] => datetime + [timestamp] => %s +) +stdClass Object +( + [scalar] => 34770-0-08T21:46:40-0400 + [xmlrpc_type] => datetime + [timestamp] => %d +) +Done From 88eb7ea47dd6d23378b116aa76428ef4907c5373 Mon Sep 17 00:00:00 2001 From: Stanislav Malyshev Date: Sun, 28 Sep 2014 14:19:31 -0700 Subject: [PATCH 6/8] Fixed bug #68044: Integer overflow in unserialize() (32-bits only) --- ext/standard/tests/serialize/bug68044.phpt | 12 ++++++++++++ ext/standard/var_unserializer.c | 4 ++-- ext/standard/var_unserializer.re | 2 +- 3 files changed, 15 insertions(+), 3 deletions(-) create mode 100644 ext/standard/tests/serialize/bug68044.phpt diff --git a/ext/standard/tests/serialize/bug68044.phpt b/ext/standard/tests/serialize/bug68044.phpt new file mode 100644 index 00000000000..031e44e1498 --- /dev/null +++ b/ext/standard/tests/serialize/bug68044.phpt @@ -0,0 +1,12 @@ +--TEST-- +Bug #68044 Integer overflow in unserialize() (32-bits only) +--FILE-- + +===DONE== +--EXPECTF-- +Warning: Insufficient data for unserializing - %d required, 1 present in %s/bug68044.php on line 2 + +Notice: unserialize(): Error at offset 32 of 33 bytes in %s/bug68044.php on line 2 +===DONE== diff --git a/ext/standard/var_unserializer.c b/ext/standard/var_unserializer.c index 8b5392a9d7a..8b51a20aced 100644 --- a/ext/standard/var_unserializer.c +++ b/ext/standard/var_unserializer.c 
@@ -1,4 +1,4 @@ -/* Generated by re2c 0.13.5 on Fri Apr 18 15:07:27 2014 */ +/* Generated by re2c 0.13.5 */ #line 1 "ext/standard/var_unserializer.re" /* +----------------------------------------------------------------------+ @@ -371,7 +371,7 @@ static inline int object_custom(UNSERIALIZE_PARAMETER, zend_class_entry *ce) (*p) += 2; - if (datalen < 0 || (*p) + datalen >= max) { + if (datalen < 0 || (max - (*p)) <= datalen) { zend_error(E_WARNING, "Insufficient data for unserializing - %ld required, %ld present", datalen, (long)(max - (*p))); return 0; } diff --git a/ext/standard/var_unserializer.re b/ext/standard/var_unserializer.re index 3a1b9109538..ef553ffb538 100644 --- a/ext/standard/var_unserializer.re +++ b/ext/standard/var_unserializer.re @@ -375,7 +375,7 @@ static inline int object_custom(UNSERIALIZE_PARAMETER, zend_class_entry *ce) (*p) += 2; - if (datalen < 0 || (*p) + datalen >= max) { + if (datalen < 0 || (max - (*p)) <= datalen) { zend_error(E_WARNING, "Insufficient data for unserializing - %ld required, %ld present", datalen, (long)(max - (*p))); return 0; } From 71b63fc701b16e326b6ee01369d746aed2c7643c Mon Sep 17 00:00:00 2001 From: Stanislav Malyshev Date: Sun, 28 Sep 2014 17:53:49 -0700 Subject: [PATCH 7/8] Fix bug #68089 - do not accept options with embedded \0 Conflicts: ext/curl/interface.c --- ext/curl/interface.c | 5 +++++ ext/curl/tests/bug68089.phpt | 18 ++++++++++++++++++ 2 files changed, 23 insertions(+) create mode 100644 ext/curl/tests/bug68089.phpt diff --git a/ext/curl/interface.c b/ext/curl/interface.c index f8b04295d79..e3e089175f5 100644 --- a/ext/curl/interface.c +++ b/ext/curl/interface.c @@ -169,6 +169,11 @@ static int php_curl_option_str(php_curl *ch, long option, const char *str, const { CURLcode error = CURLE_OK; + if (strlen(str) != len) { + php_error_docref(NULL TSRMLS_CC, E_WARNING, "Curl option contains invalid characters (\\0)"); + return 0; + } + #if LIBCURL_VERSION_NUM >= 0x071100 if (make_copy) { #endif 
diff --git a/ext/curl/tests/bug68089.phpt b/ext/curl/tests/bug68089.phpt new file mode 100644 index 00000000000..3bd5889709b --- /dev/null +++ b/ext/curl/tests/bug68089.phpt @@ -0,0 +1,18 @@ +--TEST-- +Bug #68089 (NULL byte injection - cURL lib) +--SKIPIF-- + +--FILE-- + +Done +--EXPECTF-- +Warning: curl_setopt(): Curl option contains invalid characters (\0) in %s/bug68089.php on line 4 +bool(false) +Done From f9ba0a157f2d7e6d027285cb2ef964a919e67b8e Mon Sep 17 00:00:00 2001 From: Stanislav Malyshev Date: Sun, 28 Sep 2014 16:57:42 -0700 Subject: [PATCH 8/8] Fix bug #68113 (Heap corruption in exif_thumbnail()) --- ext/exif/exif.c | 4 ++-- ext/exif/tests/bug68113.jpg | Bin 0 -> 368 bytes ext/exif/tests/bug68113.phpt | 17 +++++++++++++++++ 3 files changed, 19 insertions(+), 2 deletions(-) create mode 100755 ext/exif/tests/bug68113.jpg create mode 100644 ext/exif/tests/bug68113.phpt diff --git a/ext/exif/exif.c b/ext/exif/exif.c index 0b28f1c2604..ab2a5043513 100644 --- a/ext/exif/exif.c +++ b/ext/exif/exif.c @@ -2416,11 +2416,11 @@ static void* exif_ifd_make_value(image_info_data *info_data, int motorola_intel data_ptr += 8; break; case TAG_FMT_SINGLE: - memmove(data_ptr, &info_data->value.f, byte_count); + memmove(data_ptr, &info_value->f, 4); data_ptr += 4; break; case TAG_FMT_DOUBLE: - memmove(data_ptr, &info_data->value.d, byte_count); + memmove(data_ptr, &info_value->d, 8); data_ptr += 8; break; } diff --git a/ext/exif/tests/bug68113.jpg b/ext/exif/tests/bug68113.jpg new file mode 100755 index 0000000000000000000000000000000000000000..3ce7a620fb108a47d08d669552b995abbacea06a GIT binary patch literal 368 zcmex= +--FILE-- + +Done +--EXPECTF-- +Warning: exif_thumbnail(bug68113.jpg): File structure corrupted in %s/bug68113.php on line 2 + +Warning: exif_thumbnail(bug68113.jpg): Invalid JPEG file in %s/bug68113.php on line 2 +bool(false) +Done \ No newline at end of file