Fix OSS-Fuzz #442954659: Crash in exif_scan_HEIF_header

nielsdos · nielsdos · commit 7a6a763f5798 · 2025-09-14T17:29:57.000+02:00
diff --git a/ext/exif/exif.c b/ext/exif/exif.c
@@ -4308,7 +4308,7 @@ static int exif_isobmff_parse_box(unsigned char *buf, isobmff_box_type *box)
 static void exif_isobmff_parse_meta(unsigned char *data, unsigned char *end, isobmff_item_pos_type *pos)
 {
 	isobmff_box_type box, item;
-	unsigned char *box_offset, *p;
+	unsigned char *p;
 	int header_size, exif_id = -1, version, item_count, i;
 
 	size_t remain;
@@ -4323,7 +4323,8 @@ static void exif_isobmff_parse_meta(unsigned char *data, unsigned char *end, iso
 	p += (n); \
 } while (0)
 
-	for (box_offset = data + 4; box_offset < end - 16; box_offset += box.size) {
+	unsigned char *box_offset = data + 4;
+	while (box_offset < end - 16) {
 		header_size = exif_isobmff_parse_box(box_offset, &box);
 		if (box.size < header_size) {
 			return;
@@ -4376,6 +4377,11 @@ static void exif_isobmff_parse_meta(unsigned char *data, unsigned char *end, iso
 			}
 			break;
 		}
+
+		if (end - 16 - box_offset <= box.size) {
+			break;
+		}
+		box_offset += box.size;
 	}
 
 #undef ADVANCE
diff --git a/ext/exif/tests/oss_fuzz_444479893/input b/ext/exif/tests/oss_fuzz_444479893/input
diff --git a/ext/exif/tests/oss_fuzz_444479893/oss_fuzz_444479893.phpt b/ext/exif/tests/oss_fuzz_444479893/oss_fuzz_444479893.phpt
@@ -0,0 +1,10 @@
+--TEST--
+OSS-Fuzz #442954659 (Crash in exif_scan_HEIF_header)
+--EXTENSIONS--
+exif
+--FILE--
+<?php
+exif_read_data(__DIR__."/input");
+?>
+--EXPECTF--
+Warning: exif_read_data(%s): Invalid HEIF file in %s on line %d
