Fixed bug #79282

(cherry picked from commit 25238bd)

Author: smalyshev

NEWS

@@ -26,6 +26,10 @@ PHP                                                                        NEWS
   . Fixed bug #79311 (enchant_dict_suggest() fails on big endian architecture).
     (cmb)
 
+- EXIF:
+  . Fixed bug #79282 (Use-of-uninitialized-value in exif). (CVE-2020-7064)
+    (Nikita)
+
 - MySQLi:
   . Fixed bug #64032 (mysqli reports different client_version). (cmb)
 

ext/exif/exif.c

@@ -3665,6 +3665,11 @@ static void exif_process_TIFF_in_JPEG(image_info_type *ImageInfo, char *CharBuf,
 {
 	unsigned exif_value_2a, offset_of_ifd;
 
+	if (length < 2) {
+		exif_error_docref(NULL EXIFERR_CC, ImageInfo, E_WARNING, "Missing TIFF alignment marker");
+		return;
+	}
+
 	/* set the thumbnail stuff to nothing so we can test to see if they get set up */
 	if (memcmp(CharBuf, "II", 2) == 0) {
 		ImageInfo->motorola_intel = 0;
@@ -3817,7 +3822,7 @@ static int exif_scan_JPEG_header(image_info_type *ImageInfo)
 			return FALSE;
 		}
 
-		sn = exif_file_sections_add(ImageInfo, marker, itemlen+1, NULL);
+		sn = exif_file_sections_add(ImageInfo, marker, itemlen, NULL);
 		Data = ImageInfo->file.list[sn].data;
 
 		/* Store first two pre-read bytes. */

ext/exif/tests/bug79282.phpt

@@ -0,0 +1,15 @@
+--TEST--
+Bug #79282: Use-of-uninitialized-value in exif
+--FILE--
+<?php
+
+var_dump(exif_read_data('data://image/jpeg;base64,/9jhAAlFeGlmAAAg'));
+
+?>
+--EXPECTF--
+Warning: exif_read_data(): Invalid TIFF alignment marker in %s on line %d
+
+Warning: exif_read_data(): File structure corrupted in %s on line %d
+
+Warning: exif_read_data(): Invalid JPEG file in %s on line %d
+bool(false)