An insufficient input validation flaw was discovered in PHP's Exif extension, which allows extracting Exif data from image files:
http://thread.gmane.org/gmane.comp.security.oss.general/4198
An integer overflow causes PHP to not validate offsets read from the file properly, causing it to read past the end of the buffer. This leads to a PHP interpreter crash when reading specially crafted Exif data.
Before the code over-reading the buffer is reached, PHP needs to allocate a large amount of memory (based on the components / length value read from the file). On 32-bit platforms, this attempt triggers the integer overflow check in safe_emalloc; on 64-bit platforms, it requires the memory_limit for the script to be set to -1 (i.e. no limit is enforced by PHP).
Upstream commits, which include reproducers:
http://svn.php.net/viewvc?view=revision&revision=308316
http://svn.php.net/viewvc?view=revision&revision=308317
The follow-up commit replaces the use of a hard-coded numeric constant with INT32_MAX:
http://svn.php.net/viewvc?view=revision&revision=308362
This fix should first appear in upstream version 5.3.6.
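
The class of bug described above, a bounds check defeated by 32-bit wrap-around, shown beside an overflow-safe form. This is an added illustration, not PHP's code or the upstream patch. The function names, the 32-bit field widths, the 4096-byte buffer and the sample entries are assumptions constructed for the example.

```c
#include <stdint.h>
#include <stdio.h>

/* Naive check: the byte count and end offset are computed in 32 bits,
 * so both can wrap and make an out-of-range entry look valid. */
static int entry_in_bounds_naive(uint32_t offset, uint32_t components,
                                 uint32_t elem_size, uint32_t buf_len)
{
    uint32_t byte_count = components * elem_size; /* may wrap */
    uint32_t end = offset + byte_count;           /* may wrap */
    return end <= buf_len;
}

/* Overflow-safe check: every comparison is made before the arithmetic
 * it guards, so no intermediate value can wrap. */
static int entry_in_bounds_safe(uint32_t offset, uint32_t components,
                                uint32_t elem_size, uint32_t buf_len)
{
    if (elem_size == 0 || components > (uint32_t)INT32_MAX / elem_size)
        return 0;                                 /* product too large */
    if (offset > buf_len)
        return 0;                                 /* starts past the end */
    return components * elem_size <= buf_len - offset;
}

int main(void)
{
    /* Constructed values: a 4096-byte Exif buffer and three entries. */
    const uint32_t len = 4096;
    const uint32_t cases[3][3] = {
        { 16u,         8u,          4u }, /* valid entry */
        { 16u,         0x40000001u, 4u }, /* count * size wraps to 4 */
        { 0xFFFFFFF0u, 32u,         1u }, /* offset + size wraps to 16 */
    };
    for (int i = 0; i < 3; i++)
        printf("offset=%#x components=%#x size=%u naive=%d safe=%d\n",
               (unsigned)cases[i][0], (unsigned)cases[i][1], (unsigned)cases[i][2],
               entry_in_bounds_naive(cases[i][0], cases[i][1], cases[i][2], len),
               entry_in_bounds_safe(cases[i][0], cases[i][1], cases[i][2], len));
    return 0;
}
```

The naive check accepts all three entries, while the safe check accepts only the first.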