/gist:bdc81a4e0768eb705744
Secret
Created Jan 12, 2015
| diff --git a/ext/exif/exif.c b/ext/exif/exif.c | |
| index 637ebf9..7f95ff4 100644 | |
| --- a/ext/exif/exif.c | |
| +++ b/ext/exif/exif.c | |
| @@ -2702,7 +2702,7 @@ static int exif_process_user_comment(image_info_type *ImageInfo, char **pszInfoP | |
| static int exif_process_unicode(image_info_type *ImageInfo, xp_field_type *xp_field, int tag, char *szValuePtr, int ByteCount TSRMLS_DC) | |
| { | |
| xp_field->tag = tag; | |
| - | |
| + xp_field->value = NULL; | |
| /* XXX this will fail again if encoding_converter returns on error something different than SIZE_MAX */ | |
| if (zend_multibyte_encoding_converter( | |
| (unsigned char**)&xp_field->value, | |
| diff --git a/ext/exif/tests/bug68799.jpg b/ext/exif/tests/bug68799.jpg | |
| new file mode 100644 | |
| index 0000000..acc326d | |
| Binary files /dev/null and b/ext/exif/tests/bug68799.jpg differ | |
| diff --git a/ext/exif/tests/bug68799.phpt b/ext/exif/tests/bug68799.phpt | |
| new file mode 100644 | |
| index 0000000..b09f21c | |
| --- /dev/null | |
| +++ b/ext/exif/tests/bug68799.phpt | |
| @@ -0,0 +1,63 @@ | |
| +--TEST-- | |
| +Bug #68799 (Free called on unitialized pointer) | |
| +--SKIPIF-- | |
| +<?php if (!extension_loaded('exif')) print 'skip exif extension not available';?> | |
| +--FILE-- | |
| +<?php | |
| +/* | |
| +* Pollute the heap. Helps trigger bug. Sometimes not needed. | |
| +*/ | |
| +class A { | |
| + function __construct() { | |
| + $a = 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAa'; | |
| + $this->a = $a . $a . $a . $a . $a . $a; | |
| + } | |
| +}; | |
| + | |
| +function doStuff ($limit) { | |
| + | |
| + $a = new A; | |
| + | |
| + $b = array(); | |
| + for ($i = 0; $i < $limit; $i++) { | |
| + $b[$i] = clone $a; | |
| + } | |
| + | |
| + unset($a); | |
| + | |
| + gc_collect_cycles(); | |
| +} | |
| + | |
| +$iterations = 3; | |
| + | |
| +doStuff($iterations); | |
| +doStuff($iterations); | |
| + | |
| +gc_collect_cycles(); | |
| + | |
| +print_r(exif_read_data(__DIR__.'/bug68799.jpg')); | |
| + | |
| +?> | |
| +--EXPECTF-- | |
| +Array | |
| +( | |
| + [FileName] => bug68799.jpg | |
| + [FileDateTime] => %d | |
| + [FileSize] => 735 | |
| + [FileType] => 2 | |
| + [MimeType] => image/jpeg | |
| + [SectionsFound] => ANY_TAG, IFD0, WINXP | |
| + [COMPUTED] => Array | |
| + ( | |
| + [html] => width="1" height="1" | |
| + [Height] => 1 | |
| + [Width] => 1 | |
| + [IsColor] => 1 | |
| + [ByteOrderMotorola] => 1 | |
| + ) | |
| + | |
| + [XResolution] => 96/1 | |
| + [YResolution] => 96/1 | |
| + [ResolutionUnit] => 2 | |
| + [Author] => | |
| +) |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment