Fix GH-20631: Integer underflow in exif HEIF parsing

When pos.size is less than 2, the subtraction pos.size - 2 causes
an unsigned integer underflow, resulting in a ~4GB allocation attempt.

Add minimum size check (pos.size >= 2) to prevent the underflow.

Closes GH-20630.

Author: Oblivionsage

NEWS

@@ -2,6 +2,9 @@ PHP                                                                        NEWS
 |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
 ?? ??? ????, PHP 8.5.2
 
+- EXIF:
+  . Fixed bug GH-20631 (Integer underflow in exif HEIF parsing
+    when pos.size < 2). (Oblivionsage)
 
 18 Dec 2025, PHP 8.5.1
 

ext/exif/exif.c

@@ -4421,7 +4421,7 @@ static bool exif_scan_HEIF_header(image_info_type *ImageInfo, unsigned char *buf
 			if (exif_read_from_stream_file_looped(ImageInfo->infile, (char*)(data + remain), limit - remain) == limit - remain) {
 				exif_isobmff_parse_meta(data, data + limit, &pos);
 			}
-			if ((pos.size) &&
+			if ((pos.size >= 2) &&
 				(pos.size < ImageInfo->FileSize) &&
 				(ImageInfo->FileSize - pos.size >= pos.offset) &&
 				(php_stream_seek(ImageInfo->infile, pos.offset + 2, SEEK_SET) >= 0)) {

ext/exif/tests/heic_iloc_underflow.phpt

@@ -0,0 +1,19 @@
+--TEST--
+HEIC iloc extent_length underflow
+--EXTENSIONS--
+exif
+--FILE--
+<?php
+// Read valid HEIC file and patch iloc extent_length to 1
+$data = file_get_contents(__DIR__."/image029.heic");
+$data = substr_replace($data, "\x00\x00\x00\x01", 0x4f8, 4);
+file_put_contents(__DIR__."/heic_iloc_underflow.heic", $data);
+var_dump(exif_read_data(__DIR__."/heic_iloc_underflow.heic"));
+?>
+--CLEAN--
+<?php
+@unlink(__DIR__."/heic_iloc_underflow.heic");
+?>
+--EXPECTF--
+Warning: exif_read_data(heic_iloc_underflow.heic): Invalid HEIF file in %s on line %d
+bool(false)