Fixed bug #79046

Author: nikic

NEWS

@@ -20,6 +20,9 @@ PHP                                                                        NEWS
 - CURL:
   . Fixed bug #79033 (Curl timeout error with specific url and post). (cmb)
 
+- Exif:
+  . Fixed bug #79046 (NaN to int cast undefined behavior in exif). (Nikita)
+
 - Fileinfo:
   . Fixed bug #74170 (locale information change after mime_content_type).
     (Sergei Turchanov)

ext/exif/exif.c

@@ -1699,7 +1699,7 @@ static int exif_rewrite_tag_format_to_unsigned(int format)
 
 /* Use saturation for out of bounds values to avoid UB */
 static size_t float_to_size_t(float x) {
-	if (x < 0.0f) {
+	if (x < 0.0f || zend_isnan(x)) {
 		return 0;
 	} else if (x > (float) SIZE_MAX) {
 		return SIZE_MAX;
@@ -1709,7 +1709,7 @@ static size_t float_to_size_t(float x) {
 }
 
 static size_t double_to_size_t(double x) {
-	if (x < 0.0) {
+	if (x < 0.0 || zend_isnan(x)) {
 		return 0;
 	} else if (x > (double) SIZE_MAX) {
 		return SIZE_MAX;

ext/exif/tests/bug79046.phpt

@@ -0,0 +1,33 @@
+--TEST--
+Bug #79046: NaN to int cast undefined behavior in exif
+--FILE--
+<?php
+var_dump(exif_read_data('data://image/tiff;base64,TU0AKgAAAA7//wAAANUAAQERAAsAAAABAAD4fwAAAA4A'));
+?>
+--EXPECT--
+array(8) {
+  ["FileDateTime"]=>
+  int(0)
+  ["FileSize"]=>
+  int(33)
+  ["FileType"]=>
+  int(8)
+  ["MimeType"]=>
+  string(10) "image/tiff"
+  ["SectionsFound"]=>
+  string(24) "ANY_TAG, IFD0, THUMBNAIL"
+  ["COMPUTED"]=>
+  array(2) {
+    ["IsColor"]=>
+    int(0)
+    ["ByteOrderMotorola"]=>
+    int(1)
+  }
+  ["StripOffsets"]=>
+  float(NAN)
+  ["THUMBNAIL"]=>
+  array(1) {
+    ["StripOffsets"]=>
+    float(NAN)
+  }
+}