Adjusted for PHP 5.2.17 Author: Elan Ruusamäe
From: Stanislav Malyshev
Date: Sun, 11 Jan 2015 08:51:05 +0000 (-0800)
Subject: Fix bug #68799: Free called on unitialized pointer
X-Git-Tag: php-5.4.37~5^2
X-Git-Url: http://72.52.91.13:8000/?p=php-src.git;a=commitdiff_plain;h=2fc178cf448d8e1b95d1314e47eeef610729e0df;hp=f9ad3086693fce680fbe246e4a45aa92edd2ac35
Fix bug #68799: Free called on unitialized pointer
---
--- php-5.2.17/ext/exif/exif.c~ 2015-02-23 12:38:58.000000000 +0200
+++ php-5.2.17/ext/exif/exif.c 2015-02-23 12:41:41.138901305 +0200
@@ -2721,6 +2721,7 @@
 static int exif_process_unicode(image_info_type *ImageInfo, xp_field_type *xp_field, int tag, char *szValuePtr, int ByteCount TSRMLS_DC)
 {
 xp_field->tag = tag;
+ xp_field->value = NULL;
 /* Copy the comment */
 #if EXIF_USE_MBSTRING
diff --git a/ext/exif/tests/bug68799.jpg b/ext/exif/tests/bug68799.jpg
new file mode 100644
index 0000000..acc326d
Binary files /dev/null and b/ext/exif/tests/bug68799.jpg differ
diff --git a/ext/exif/tests/bug68799.phpt b/ext/exif/tests/bug68799.phpt
new file mode 100644
index 0000000..b09f21c
--- /dev/null
+++ b/ext/exif/tests/bug68799.phpt
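Review bot: In the `ext/exif/exif.c` hunk, the added `xp_field->value = NULL;` in `exif_process_unicode` carries no comment saying which later free it protects, and it patches one field at one entry point rather than the place where the `xp_field_type` entry is handed out. A one-line comment such as `/* cleanup frees value unconditionally; keep it NULL until the conversion below assigns it */` would stop the line from being removed later as redundant. The rest of the function lies outside the hunk, so it is only an inference from the commit subject that some path returns without assigning `value`; if that is the case, zero-initialising the whole entry where it is allocated would also cover any other field read on that path.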
@@ -0,0 +1,63 @@
+--TEST--
+Bug #68799 (Free called on unitialized pointer)
+--SKIPIF--
+
+--FILE--
+a = $a . $a . $a . $a . $a . $a;
+ }
+};
+
+function doStuff ($limit) {
+
+ $a = new A;
+
+ $b = array();
+ for ($i = 0; $i < $limit; $i++) {
+ $b[$i] = clone $a;
+ }
+
+ unset($a);
+
+ //gc_collect_cycles();
+}
+
+$iterations = 3;
+
+doStuff($iterations);
+doStuff($iterations);
+
+//gc_collect_cycles();
+
+print_r(exif_read_data(__DIR__.'/bug68799.jpg'));
+
+?>
+--EXPECTF--
+Array
+(
+ [FileName] => bug68799.jpg
+ [FileDateTime] => %d
+ [FileSize] => 735
+ [FileType] => 2
+ [MimeType] => image/jpeg
+ [SectionsFound] => ANY_TAG, IFD0, WINXP
+ [COMPUTED] => Array
+ (
+ [html] => width="1" height="1"
+ [Height] => 1
+ [Width] => 1
+ [IsColor] => 1
+ [ByteOrderMotorola] => 1
+ )
+
+ [XResolution] => 96/1
+ [YResolution] => 96/1
+ [ResolutionUnit] => 2
+ [Author] => 
+)
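Review bot: The regression test in `bug68799.phpt` only detects the bug when the heap happens to hold a stale non-NULL value at the right spot, which the `doStuff()` clone loop tries to arrange; on an unfixed build it may still pass under the default allocator. Running the test under a memory checker (valgrind or an ASan build) is the more reliable way to catch the invalid free. A comment above `doStuff` saying the loop exists only to dirty the heap would explain why unrelated code precedes `exif_read_data()`. The two commented-out `//gc_collect_cycles();` lines should be dropped or explained.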