Fix bug #78793

(cherry picked from commit c14eb8d)
php · Dec 17, 2019 · 1b3b4a0 · 1b3b4a0
1 parent 5732546
commit 1b3b4a0
Show file tree

Hide file tree

Showing 2 changed files with 15 additions and 2 deletions.
diff --git a/ext/exif/exif.c b/ext/exif/exif.c
@@ -3240,8 +3240,9 @@ static int exif_process_IFD_in_MAKERNOTE(image_info_type *ImageInfo, char * valu
 	}
 
 	for (de=0;de<NumDirEntries;de++) {
-		if (!exif_process_IFD_TAG(ImageInfo, dir_start + 2 + 12 * de,
-								  offset_base, data_len, displacement, section_index, 0, maker_note->tag_table)) {
+		size_t offset = 2 + 12 * de;
+		if (!exif_process_IFD_TAG(ImageInfo, dir_start + offset,
+								  offset_base, data_len - offset, displacement, section_index, 0, maker_note->tag_table)) {
 			return FALSE;
 		}
 	}

diff --git a/ext/exif/tests/bug78793.phpt b/ext/exif/tests/bug78793.phpt
@@ -0,0 +1,12 @@
+--TEST--
+Bug #78793: Use-after-free in exif parsing under memory sanitizer
+--FILE--
+<?php
+$f = "ext/exif/tests/bug77950.tiff";
+for ($i = 0; $i < 10; $i++) {
+    @exif_read_data($f);
+}
+?>
+===DONE===
+--EXPECT--
+===DONE===