From 7168d3dc576344f7e55fac81d86304d2421ffe93 Mon Sep 17 00:00:00 2001
From: gwx620998
Date: Sat, 23 Mar 2019 07:42:34 -0400
Subject: [PATCH] CVE-2019-9638
Signed-off-by: gwx620998
---
 ext/exif/exif.c | 5 +++--
 ext/exif/tests/bug77563.phpt | 16 ++++++++++++++++
 2 files changed, 19 insertions(+), 2 deletions(-)
 create mode 100644 ext/exif/tests/bug77563.phpt
diff --git a/ext/exif/exif.c b/ext/exif/exif.c
index 3a76d8f..d82b5ae 100644
--- a/ext/exif/exif.c
+++ b/ext/exif/exif.c
@@ -3151,8 +3151,8 @@ static int exif_process_IFD_in_MAKERNOTE(image_info_type *ImageInfo, char * valu
 continue;
 break;
 }
-
- if (maker_note->offset >= value_len) {
+
+ if (value_len < 2 || maker_note->offset >= value_len - 1) {
 /* Do not go past the value end */
 exif_error_docref("exif_read_data#error_ifd" EXIFERR_CC, ImageInfo, E_WARNING, "IFD data too short: 0x%04X offset 0x%04X", value_len, maker_note->offset);
 return FALSE;
@@ -3207,6 +3207,7 @@ static int exif_process_IFD_in_MAKERNOTE(image_info_type *ImageInfo, char * valu
 #endif
 default:
 case MN_OFFSET_NORMAL:
+ data_len = value_len;
 break;
 }
diff --git a/ext/exif/tests/bug77563.phpt b/ext/exif/tests/bug77563.phpt
new file mode 100644
index 0000000..d1c5b9f
--- /dev/null
+++ b/ext/exif/tests/bug77563.phpt
@@ -0,0 +1,16 @@
++--TEST--
++Bug 77563 (Uninitialized read in exif_process_IFD_in_MAKERNOTE)
++--SKIPIF--
++
++--FILE--
++
++DONE
++--EXPECTF--
++Warning: exif_thumbnail(bug77563.jpg): Illegal IFD offset in %s/bug77563.php on line %d
++
++Warning: exif_thumbnail(bug77563.jpg): File structure corrupted in %s/bug77563.php on line %d
++
++Warning: exif_thumbnail(bug77563.jpg): Invalid JPEG file in %s/bug77563.php on line %d
++DONE
--
1.8.3.1
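Review bot: The tightened guard `if (value_len < 2 || maker_note->offset >= value_len - 1)` ensures only that two bytes remain at the offset, and the retained comment `/* Do not go past the value end */` does not say why two. Presumably the next read is a 16-bit entry count; if so, a comment such as `/* need 2 bytes at offset for the IFD entry count */` would keep the `< 2` and `- 1` from looking arbitrary to the next maintainer. The hunk also does not show whether the directory entries after that count are bounded relative to the offset rather than against `value_len` alone, so that later check should be confirmed separately. The function body starts and ends outside this hunk.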
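Review bot: `data_len = value_len;` is assigned only in the `default:` / `case MN_OFFSET_NORMAL:` arm, so the fix for the uninitialized read holds only while every other arm of this switch also sets `data_len`. The other arms and the declaration are outside the hunk. Giving `data_len` a defined value at its declaration would cover any arm added later. Failing that, a comment on this arm such as `/* every arm of this switch must set data_len */` would record the invariant the fix relies on.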
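Review bot: The expected output names `bug77563.jpg`, but the diffstat lists only `ext/exif/exif.c` and this `.phpt`, so the patch does not add the image fixture. Unless the fixture is shipped another way, the regression test cannot exercise the fixed path. Every added line also carries a doubled `+` (`++--TEST--`), so the created file would apparently start its section markers with `+--TEST--`, which the PHP test runner is unlikely to recognise. The `--SKIPIF--` and `--FILE--` bodies are empty as shown and the hunk header declares 16 lines where 14 are visible; that may be page extraction loss, but it should be checked against the upstream test before relying on it.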