Integer underflow in exif HEIF parsing when pos.size < 2

### Description

When parsing HEIF/HEIC files, if the iloc box contains an extent_length value less than 2, the subtraction `pos.size - 2` causes an unsigned integer underflow.

### Location

`ext/exif/exif.c` line 4424 in `exif_scan_HEIF_header()`
 
### Reproducer

```bash
# patch a valid HEIC file to set extent_length = 1
php -d memory_limit=128M -r "exif_read_data('malicious.heic');"
 ```
 
Result:
```
Fatal error: Allowed memory size exhausted (tried to allocate 4294967295 bytes)
 ```

### Fix

PR #20630 - change `if ((pos.size) &&` to `if ((pos.size >= 2) &&`



### PHP Version

```plain
PHP 8.6.0-dev (cli) (built: Dec 2 2025 10:49:47) (NTS)
Copyright (c) The PHP Group
Zend Engine v4.6.0-dev, Copyright (c) Zend Technologies
```

### Operating System

_No response_

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Integer underflow in exif HEIF parsing when pos.size < 2 #20631

Description

Location

Reproducer

Fix

PHP Version

Operating System

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Integer underflow in exif HEIF parsing when pos.size < 2 #20631

Description

Description

Location

Reproducer

Fix

PHP Version

Operating System

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions