exif/heic: Prevent overflow when computing meta bounds

Author: ndossche

ext/exif/exif.c

@@ -4408,7 +4408,8 @@ static bool exif_scan_HEIF_header(image_info_type *ImageInfo, unsigned char *buf
 				exif_isobmff_parse_meta(data, data + limit, &pos);
 			}
 			if ((pos.size) &&
-				(ImageInfo->FileSize >= pos.offset + pos.size) &&
+				(pos.size > ImageInfo->FileSize) &&
+				(ImageInfo->FileSize - pos.size >= pos.offset) &&
 				(php_stream_seek(ImageInfo->infile, pos.offset + 2, SEEK_SET) >= 0)) {
 				if (limit >= pos.size - 2) {
 					limit = pos.size - 2;