Fixed bug #77564: Memory leak in exif_process_IFD_TAG

The memory leak occurs when more than one UserComment tag is present in
the EXIF data. It's still considered corrupt EXIF data, but this ensures
the memory is freed before trying to set to already allocated memory.

Author: ramsey

NEWS

@@ -6,6 +6,9 @@ PHP                                                                        NEWS
   . Fixed bug #77589 (Core dump using parse_ini_string with numeric sections).
     (Laruence)
 
+- Exif:
+  . Fixed bug #77564 (Memory leak in exif_process_IFD_TAG). (Ben Ramsey)
+
 - PDO_OCI:
   . Support Oracle Database tracing attributes ACTION, MODULE,
     CLIENT_INFO, and CLIENT_IDENTIFIER. (Cameron Porter)

ext/exif/exif.c

@@ -3405,6 +3405,10 @@ static int exif_process_IFD_TAG(image_info_type *ImageInfo, char *dir_entry, cha
 				break;
 
 			case TAG_USERCOMMENT:
+				EFREE_IF(ImageInfo->UserComment);
+				ImageInfo->UserComment = NULL;
+				EFREE_IF(ImageInfo->UserCommentEncoding);
+				ImageInfo->UserCommentEncoding = NULL;
 				ImageInfo->UserCommentLength = exif_process_user_comment(ImageInfo, &(ImageInfo->UserComment), &(ImageInfo->UserCommentEncoding), value_ptr, byte_count);
 				break;
 

ext/exif/tests/bug77564/bug77564.jpg

@@ -0,0 +1,18 @@
+--TEST--
+Bug 77564 (Memory leak in exif_process_IFD_TAG)
+--SKIPIF--
+<?php if (!extension_loaded('exif')) print 'skip exif extension not available';?>
+--FILE--
+<?php
+var_dump(exif_read_data(dirname(__FILE__) . '/bug77564.jpg'));
+?>
+DONE
+--EXPECTF--
+
+Warning: exif_read_data(bug77564.jpg): Illegal IFD offset in %sbug77564.php on line %d
+
+Warning: exif_read_data(bug77564.jpg): File structure corrupted in %sbug77564.php on line %d
+
+Warning: exif_read_data(bug77564.jpg): Invalid JPEG file in %sbug77564.php on line %d
+bool(false)
+DONE