Fix #76164: exif_read_data zend_mm_heap corrupted

We must not release parsed parameters ourselves, since this is already done by the engine.
php · Apr 12, 2018 · 281a175 · 281a175
1 parent 9f4905f
commit 281a175
Show file tree

Hide file tree

Showing 3 changed files with 19 additions and 2 deletions.
diff --git a/NEWS b/NEWS
@@ -2,6 +2,9 @@ PHP                                                                        NEWS
 |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
 ?? ??? 2018, PHP 7.2.6
 
+- EXIF:
+  . Fixed bug #76164 (exif_read_data zend_mm_heap corrupted). (cmb)
+
 - Session:
   . Fixed bug #74892 (Url Rewriting (trans_sid) not working on urls that start
     with "#"). (Andrew Nester)

diff --git a/ext/exif/exif.c b/ext/exif/exif.c
@@ -4457,13 +4457,11 @@ PHP_FUNCTION(exif_read_data)
 #ifdef EXIF_DEBUG
 		sections_str = exif_get_sectionlist(sections_needed);
 		if (!sections_str) {
-			zend_string_release(z_sections_needed);
 			RETURN_FALSE;
 		}
 		exif_error_docref(NULL EXIFERR_CC, &ImageInfo, E_NOTICE, "Sections needed: %s", sections_str[0] ? sections_str : "None");
 		EFREE_IF(sections_str);
 #endif
-		zend_string_release(z_sections_needed);
 	}
 
 	if (Z_TYPE_P(stream) == IS_RESOURCE) {

diff --git a/ext/exif/tests/bug76164.phpt b/ext/exif/tests/bug76164.phpt
@@ -0,0 +1,16 @@
+--TEST--
+Bug #76164 (exif_read_data zend_mm_heap corrupted)
+--SKIPIF--
+<?php
+if (!extension_loaded('exif')) die('skip exif extension not available');
+?>
+--FILE--
+<?php
+$var1 = 'nonexistentfile';
+$var2 = 2200000000;
+@exif_read_data($var1, $var2); // we're not interested in the warning, here
+$var2 = 1;
+?>
+===DONE===
+--EXPECT--
+===DONE===