exif: Fix possible memory leak when tag is empty

ndossche · ndossche · commit 56af25cc1c7c · 2025-10-15T20:23:59.000+02:00
When `!value_ptr` is handled, memory is allocated at line 3314. At later exit paths, `outside` (pointing to `value_ptr`) is freed, but not when exiting via the `REQUIRE_NON_EMPTY` macro. Closes phpGH-20169.
diff --git a/NEWS b/NEWS
@@ -12,6 +12,9 @@ PHP                                                                        NEWS
   . Partially fixed bug GH-16317 (DOM classes do not allow
     __debugInfo() overrides to work). (nielsdos)
 
+- Exif:
+  . Fix possible memory leak when tag is empty. (nielsdos)
+
 - FPM:
   . Fixed bug GH-19974 (fpm_status_export_to_zval segfault for parallel
     execution). (Jakub Zelenka, txuna)
diff --git a/ext/exif/exif.c b/ext/exif/exif.c
@@ -3253,6 +3253,7 @@ static bool exif_process_IFD_in_MAKERNOTE(image_info_type *ImageInfo, char * val
 
 #define REQUIRE_NON_EMPTY() do { \
 	if (byte_count == 0) { \
+		EFREE_IF(outside); \
 		exif_error_docref("exif_read_data#error_ifd" EXIFERR_CC, ImageInfo, E_WARNING, "Process tag(x%04X=%s): Cannot be empty", tag, exif_get_tagname_debug(tag, tag_table)); \
 		return false; \
 	} \
