Commit ebdb558

committed

Fix OSS-Fuzz #442954659: zero-size box in HEIF file causes infinite loop

If the box size is 0, the loop can't progress.

1 parent 4b99519 commit ebdb558Copy full SHA for ebdb558

File tree

+12

-0

lines changed

ext/exif
- exif.c
- tests/oss_fuzz_442954659
  - input
  - oss_fuzz_442954659.phpt

+12

-0

lines changed

Lines changed: 2 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -4426,6 +4426,8 @@ static bool exif_scan_HEIF_header(image_info_type ImageInfo, unsigned char buf`
`4426`	`4426`	`}`
`4427`	`4427`	`efree(data);`
`4428`	`4428`	`break;`
	`4429`	`+ } else if (box.size == 0) {`
	`4430`	`+ break;`
`4429`	`4431`	`}`
`4430`	`4432`	`}`
`4431`	`4433`

144 Bytes

Binary file not shown.

Lines changed: 10 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,10 @@`
	`1`	`+--TEST--`
	`2`	`+OSS-Fuzz #442954659 (zero-size box in HEIF file causes infinite loop)`
	`3`	`+--EXTENSIONS--`
	`4`	`+exif`
	`5`	`+--FILE--`
	`6`	`+<?php`
	`7`	`+exif_read_data(__DIR__."/input");`
	`8`	`+?>`
	`9`	`+--EXPECTF--`
	`10`	`+Warning: exif_read_data(%s): Invalid HEIF file in %s on line %d`

Comments

(0)