exif: Fix possible memory leak when tag is empty

When `!value_ptr` is handled, memory is allocated at line 3314. At later exit paths, `outside` (pointing to `value_ptr`) is freed, but not when exiting via the `REQUIRE_NON_EMPTY` macro. Closes GH-20169.
2026-03-24 00:02:20 +01:00 · 2025-10-14 22:23:09 +02:00
parent ff3a12be71
commit 56af25cc1c
2 changed files with 4 additions and 0 deletions
--- a/3
+++ b/3
@@ -12,6 +12,9 @@ PHP                                                                        NEWS
  . Partially fixed bug GH-16317 (DOM classes do not allow
    __debugInfo() overrides to work). (nielsdos)

+- Exif:
+  . Fix possible memory leak when tag is empty. (nielsdos)
+
 - FPM:
  . Fixed bug GH-19974 (fpm_status_export_to_zval segfault for parallel
    execution). (Jakub Zelenka, txuna)
--- a/ext/exif/exif.c
+++ b/ext/exif/exif.c
@@ -3253,6 +3253,7 @@ static bool exif_process_IFD_in_MAKERNOTE(image_info_type *ImageInfo, char * val

 #define REQUIRE_NON_EMPTY() do { \
 	if (byte_count == 0) { \
+		EFREE_IF(outside); \
 		exif_error_docref("exif_read_data#error_ifd" EXIFERR_CC, ImageInfo, E_WARNING, "Process tag(x%04X=%s): Cannot be empty", tag, exif_get_tagname_debug(tag, tag_table)); \
 		return false; \
 	} \