diff --git a/ext/exif/exif.c b/ext/exif/exif.c | |
index 637ebf9..7f95ff4 100644 | |
--- a/ext/exif/exif.c | |
+++ b/ext/exif/exif.c | |
@@ -2702,7 +2702,7 @@ static int exif_process_user_comment(image_info_type *ImageInfo, char **pszInfoP | |
static int exif_process_unicode(image_info_type *ImageInfo, xp_field_type *xp_field, int tag, char *szValuePtr, int ByteCount TSRMLS_DC) | |
{ | |
xp_field->tag = tag; | |
- | |
+ xp_field->value = NULL; | |
/* XXX this will fail again if encoding_converter returns on error something different than SIZE_MAX */ | |
if (zend_multibyte_encoding_converter( | |
(unsigned char**)&xp_field->value, | |
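Review bot: The added `xp_field->value = NULL;` removes the uninitialized pointer, but the failure check that follows still depends on the converter returning exactly SIZE_MAX on error, as the existing XXX comment admits. Because value is now NULL on entry, the error path could also treat a NULL `xp_field->value` after the call as a failed conversion, which does not depend on the return-value convention. The rest of the condition lies outside this hunk, so confirm how it is written before changing it. The new line also deserves a comment so it is not later removed as redundant, e.g. `/* must start as NULL: presumably freed by cleanup even when conversion fails */`. The body of exif_process_unicode continues past the end of the hunk.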
diff --git a/ext/exif/tests/bug68799.jpg b/ext/exif/tests/bug68799.jpg | |
new file mode 100644 | |
index 0000000..acc326d | |
Binary files /dev/null and b/ext/exif/tests/bug68799.jpg differ | |
diff --git a/ext/exif/tests/bug68799.phpt b/ext/exif/tests/bug68799.phpt | |
new file mode 100644 | |
index 0000000..b09f21c | |
--- /dev/null | |
+++ b/ext/exif/tests/bug68799.phpt | |
@@ -0,0 +1,63 @@ | |
+--TEST-- | |
+Bug #68799 (Free called on unitialized pointer) | |
+--SKIPIF-- | |
+<?php if (!extension_loaded('exif')) print 'skip exif extension not available';?> | |
+--FILE-- | |
+<?php | |
+/* | |
+* Pollute the heap. Helps trigger bug. Sometimes not needed. | |
+*/ | |
+class A { | |
+ function __construct() { | |
+ $a = 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAa'; | |
+ $this->a = $a . $a . $a . $a . $a . $a; | |
+ } | |
+}; | |
+ | |
+function doStuff ($limit) { | |
+ | |
+ $a = new A; | |
+ | |
+ $b = array(); | |
+ for ($i = 0; $i < $limit; $i++) { | |
+ $b[$i] = clone $a; | |
+ } | |
+ | |
+ unset($a); | |
+ | |
+ gc_collect_cycles(); | |
+} | |
+ | |
+$iterations = 3; | |
+ | |
+doStuff($iterations); | |
+doStuff($iterations); | |
+ | |
+gc_collect_cycles(); | |
+ | |
+print_r(exif_read_data(__DIR__.'/bug68799.jpg')); | |
+ | |
+?> | |
+--EXPECTF-- | |
+Array | |
+( | |
+ [FileName] => bug68799.jpg | |
+ [FileDateTime] => %d | |
+ [FileSize] => 735 | |
+ [FileType] => 2 | |
+ [MimeType] => image/jpeg | |
+ [SectionsFound] => ANY_TAG, IFD0, WINXP | |
+ [COMPUTED] => Array | |
+ ( | |
+ [html] => width="1" height="1" | |
+ [Height] => 1 | |
+ [Width] => 1 | |
+ [IsColor] => 1 | |
+ [ByteOrderMotorola] => 1 | |
+ ) | |
+ | |
+ [XResolution] => 96/1 | |
+ [YResolution] => 96/1 | |
+ [ResolutionUnit] => 2 | |
+ [Author] => | |
+) |
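Review bot: The heap-pollution preamble (class A and the two doStuff calls) makes this regression test probabilistic; its own comment says it is "Sometimes not needed". On a build without the fix, the stray free may therefore land on harmless memory and the test can still pass. The test is a reliable guard only when run under a memory checker (valgrind or an ASan build), and the `--FILE--` section should say so, e.g. `/* Crash is allocator-dependent; run under valgrind/ASan to verify the fix reliably. */`. The fixed `[FileSize] => 735` also ties the expectation to the exact committed bug68799.jpg, so any regeneration of the fixture must update it.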