exif/heic: Avoid overflow when adding box size and checking against file size

We change the order of operations such that the file size check cannot
overflow in the for loop. This prevents infinite loops.
We also add an overflow check at the end of the loop body to prevent the
addition of offset and box.size from overflowing.

Author: ndossche

ext/exif/exif.c

@@ -4388,7 +4388,7 @@ static bool exif_scan_HEIF_header(image_info_type *ImageInfo, unsigned char *buf
 	bool ret = false;
 
 	pos.size = 0;
-	for (offset = php_ifd_get32u(buf, 1); ImageInfo->FileSize > offset + 16; offset += box.size) {
+	for (offset = php_ifd_get32u(buf, 1); ImageInfo->FileSize - 16 > offset; offset += box.size) {
 		if ((php_stream_seek(ImageInfo->infile, offset, SEEK_SET) < 0) ||
 			(exif_read_from_stream_file_looped(ImageInfo->infile, (char*)buf, 16) != 16)) {
 			break;
@@ -4425,6 +4425,9 @@ static bool exif_scan_HEIF_header(image_info_type *ImageInfo, unsigned char *buf
 			efree(data);
 			break;
 		}
+		if (offset + box.size < offset) {
+			break;
+		}
 	}
 
 	return ret;

ext/exif/tests/heic_box_overflow.phpt

@@ -0,0 +1,25 @@
+--TEST--
+HEIC box overflow
+--EXTENSIONS--
+exif
+--FILE--
+<?php
+$bytearray = [
+    0, 0, 0, 12, 'f', 't', 'y', 'p', 'h', 'e', 'i', 'c',
+    0, 0, 0, 1, 'x', 'y', 'z', 'w', 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff-11, 0, 0, 0, 0, 0, 0, 0
+];
+
+function convert($x) {
+    if (is_string($x)) return $x;
+    return chr($x);
+}
+
+file_put_contents(__DIR__."/heic_box_overflow", implode('', array_map(convert(...), $bytearray)));
+
+var_dump(exif_read_data(__DIR__."/heic_box_overflow"));
+?>
+--CLEAN--
+<?php
+@unlink(__DIR__."/heic_box_overflow");
+?>
+--EXPECT--