Fix OSS-Fuzz #442954659: zero-size box in HEIF file causes infinite loop

ndossche · ndossche · commit 2c4ae7b28e81 · 2025-09-12T09:27:53.000+02:00
If the box size is 0, the loop can't progress.
diff --git a/ext/exif/exif.c b/ext/exif/exif.c
@@ -4312,6 +4312,9 @@ static void exif_isobmff_parse_meta(unsigned char *data, unsigned char *end, iso
 
 	for (box_offset = data + 4; box_offset + 16 < end; box_offset += box.size) {
 		header_size = exif_isobmff_parse_box(box_offset, &box);
+		if (box.size < header_size) {
+			return;
+		}
 		if (box.type == FOURCC("iinf")) {
 			p = box_offset + header_size;
 			if (p >= end) {
@@ -4334,6 +4337,9 @@ static void exif_isobmff_parse_meta(unsigned char *data, unsigned char *end, iso
 			}
 			for (i = 0; i < item_count && p + 20 < end; i++) {
 				header_size = exif_isobmff_parse_box(p, &item);
+				if (item.size < header_size) {
+					return;
+				}
 				if (p + header_size + 12 >= end) {
 					return;
 				}
@@ -4396,6 +4402,9 @@ static bool exif_scan_HEIF_header(image_info_type *ImageInfo, unsigned char *buf
 			break;
 		}
 		box_header_size = exif_isobmff_parse_box(buf, &box);
+		if (box.size < box_header_size) {
+			break;
+		}
 		if (box.type == FOURCC("meta")) {
 			limit = box.size - box_header_size;
 			if (limit < 36) {
diff --git a/ext/exif/tests/oss_fuzz_442954659/input b/ext/exif/tests/oss_fuzz_442954659/input
diff --git a/ext/exif/tests/oss_fuzz_442954659/oss_fuzz_442954659.phpt b/ext/exif/tests/oss_fuzz_442954659/oss_fuzz_442954659.phpt
@@ -0,0 +1,10 @@
+--TEST--
+OSS-Fuzz #442954659 (zero-size box in HEIF file causes infinite loop)
+--EXTENSIONS--
+exif
+--FILE--
+<?php
+exif_read_data(__DIR__."/input");
+?>
+--EXPECTF--
+Warning: exif_read_data(%s): Invalid HEIF file in %s on line %d
