smalyshev/gist:bdc81a4e0768eb705744 Secret

## gistfile1.diff
diff --git a/ext/exif/exif.c b/ext/exif/exif.c
index 637ebf9..7f95ff4 100644
--- a/ext/exif/exif.c
+++ b/ext/exif/exif.c
@@ -2702,7 +2702,7 @@ static int exif_process_user_comment(image_info_type *ImageInfo, char **pszInfoP
 static int exif_process_unicode(image_info_type *ImageInfo, xp_field_type *xp_field, int tag, char *szValuePtr, int ByteCount TSRMLS_DC)
 {
 	xp_field->tag = tag;
-
+	xp_field->value = NULL;
 	/* XXX this will fail again if encoding_converter returns on error something different than SIZE_MAX   */
 	if (zend_multibyte_encoding_converter(
 			(unsigned char**)&xp_field->value,
diff --git a/ext/exif/tests/bug68799.jpg b/ext/exif/tests/bug68799.jpg
new file mode 100644
index 0000000..acc326d
Binary files /dev/null and b/ext/exif/tests/bug68799.jpg differ
diff --git a/ext/exif/tests/bug68799.phpt b/ext/exif/tests/bug68799.phpt
new file mode 100644
index 0000000..b09f21c
--- /dev/null
+++ b/ext/exif/tests/bug68799.phpt
@@ -0,0 +1,63 @@
+--TEST--
+Bug #68799 (Free called on unitialized pointer)
+--SKIPIF--
+<?php if (!extension_loaded('exif')) print 'skip exif extension not available';?>
+--FILE--
+<?php
+/*
+* Pollute the heap. Helps trigger bug. Sometimes not needed.
+*/
+class A {
+    function __construct() {
+        $a = 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAa';
+        $this->a = $a . $a . $a . $a . $a . $a;
+    }
+};
+
+function doStuff ($limit) {
+
+    $a = new A;
+
+    $b = array();
+    for ($i = 0; $i < $limit; $i++) {
+        $b[$i] = clone $a;
+    }
+
+    unset($a);
+
+    gc_collect_cycles();
+}
+
+$iterations = 3;
+
+doStuff($iterations);
+doStuff($iterations);
+
+gc_collect_cycles();
+
+print_r(exif_read_data(__DIR__.'/bug68799.jpg'));
+
+?>
+--EXPECTF--
+Array
+(
+    [FileName] => bug68799.jpg
+    [FileDateTime] => %d
+    [FileSize] => 735
+    [FileType] => 2
+    [MimeType] => image/jpeg
+    [SectionsFound] => ANY_TAG, IFD0, WINXP
+    [COMPUTED] => Array
+        (
+            [html] => width="1" height="1"
+            [Height] => 1
+            [Width] => 1
+            [IsColor] => 1
+            [ByteOrderMotorola] => 1
+        )
+
+    [XResolution] => 96/1
+    [YResolution] => 96/1
+    [ResolutionUnit] => 2
+    [Author] =>
+)
	diff --git a/ext/exif/exif.c b/ext/exif/exif.c
	index 637ebf9..7f95ff4 100644
	--- a/ext/exif/exif.c
	+++ b/ext/exif/exif.c
	@@ -2702,7 +2702,7 @@ static int exif_process_user_comment(image_info_type ImageInfo, char *pszInfoP
	static int exif_process_unicode(image_info_type ImageInfo, xp_field_type xp_field, int tag, char *szValuePtr, int ByteCount TSRMLS_DC)
	{
	xp_field->tag = tag;
	-
	+ xp_field->value = NULL;
	/* XXX this will fail again if encoding_converter returns on error something different than SIZE_MAX */
	if (zend_multibyte_encoding_converter(
	(unsigned char**)&xp_field->value,
	diff --git a/ext/exif/tests/bug68799.jpg b/ext/exif/tests/bug68799.jpg
	new file mode 100644
	index 0000000..acc326d
	Binary files /dev/null and b/ext/exif/tests/bug68799.jpg differ
	diff --git a/ext/exif/tests/bug68799.phpt b/ext/exif/tests/bug68799.phpt
	new file mode 100644
	index 0000000..b09f21c
	--- /dev/null
	+++ b/ext/exif/tests/bug68799.phpt
	@@ -0,0 +1,63 @@
	+--TEST--
	+Bug #68799 (Free called on unitialized pointer)
	+--SKIPIF--
	+<?php if (!extension_loaded('exif')) print 'skip exif extension not available';?>
	+--FILE--
	+<?php
	+/*
	+* Pollute the heap. Helps trigger bug. Sometimes not needed.
	+*/
	+class A {
	+ function __construct() {
	+ $a = 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAa';
	+ $this->a = $a . $a . $a . $a . $a . $a;
	+ }
	+};
	+
	+function doStuff ($limit) {
	+
	+ $a = new A;
	+
	+ $b = array();
	+ for ($i = 0; $i < $limit; $i++) {
	+ $b[$i] = clone $a;
	+ }
	+
	+ unset($a);
	+
	+ gc_collect_cycles();
	+}
	+
	+$iterations = 3;
	+
	+doStuff($iterations);
	+doStuff($iterations);
	+
	+gc_collect_cycles();
	+
	+print_r(exif_read_data(__DIR__.'/bug68799.jpg'));
	+
	+?>
	+--EXPECTF--
	+Array
	+(
	+ [FileName] => bug68799.jpg
	+ [FileDateTime] => %d
	+ [FileSize] => 735
	+ [FileType] => 2
	+ [MimeType] => image/jpeg
	+ [SectionsFound] => ANY_TAG, IFD0, WINXP
	+ [COMPUTED] => Array
	+ (
	+ [html] => width="1" height="1"
	+ [Height] => 1
	+ [Width] => 1
	+ [IsColor] => 1
	+ [ByteOrderMotorola] => 1
	+ )
	+
	+ [XResolution] => 96/1
	+ [YResolution] => 96/1
	+ [ResolutionUnit] => 2
	+ [Author] =>
	+)