Fix #76409: heap use after free in _php_stream_free

We must not close the stream in exif_read_from_impl(), since it is the
responsibility of the (caller's) caller to do so, if it actually opened
the stream.

We simplify the reproduce script, which is actually about supplying a
path to a directory (opposed to a regular file), and use `.` instead of
`/` to also make it work on Windows.

Author: cmb69

NEWS

@@ -2,6 +2,9 @@ PHP                                                                        NEWS
 |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
 ?? ??? ????, PHP 7.2.8
 
+- EXIF:
+  . Fixed bug #76409 (heap use after free in _php_stream_free). (cmb)
+
 07 Jun 2018, PHP 7.2.7
 
 - Core:

ext/exif/exif.c

@@ -4324,7 +4324,7 @@ static int exif_read_from_impl(image_info_type *ImageInfo, php_stream *stream, i
 			zend_string *base;
 			if ((st.st_mode & S_IFMT) != S_IFREG) {
 				exif_error_docref(NULL EXIFERR_CC, ImageInfo, E_WARNING, "Not a file");
-				php_stream_close(ImageInfo->infile);
+				ImageInfo->infile = NULL;
 				return FALSE;
 			}
 

ext/exif/tests/bug76409.phpt

@@ -0,0 +1,14 @@
+--TEST--
+Bug #76409 (heap use after free in _php_stream_free)
+--SKIPIF--
+<?php
+if (!extension_loaded('exif')) die('skip exif extension not available');
+?>
+--FILE--
+<?php
+exif_read_data('.');
+?>
+===DONE===
+--EXPECTF--
+Warning: exif_read_data(): Not a file in %s on line %d
+===DONE===