|
|
php.net | support | documentation | report a bug | advanced search | search howto | statistics | random bug | login |
PatchesPull RequestsHistoryAllCommentsChangesGit/SVN commits
[2018-03-30 13:26 UTC] cmb@php.net
-Status: Open
+Status: Verified
-Assigned To:
+Assigned To: kalle
[2018-03-30 13:26 UTC] cmb@php.net
[2018-04-12 21:09 UTC] cmb@php.net
[2018-04-12 21:09 UTC] cmb@php.net
-Status: Verified
+Status: Closed
[2018-04-12 21:10 UTC] cmb@php.net
-PHP Version: 7.2.4
+PHP Version: 7.2+
-Assigned To: kalle
+Assigned To: cmb
|
|||||||||||||||||||||||||||||||||||||
Copyright © 2001-2024 The PHP GroupAll rights reserved. |
Last updated: Thu Nov 21 08:01:29 2024 UTC |
Description: ------------ Crash happens, I was unable to figure it out why, seems like something on exif_read_data creates a memory corruption. Test script: --------------- <?php $var1='nonexistentfile'; $var2=2200000000; exif_read_data($var1, $var2); $var1=new Exception();$var2=1; bcdiv($var1, $var2); echo $var1; Expected result: ---------------- no crash Actual result: -------------- C:\tools\php724\php.exe -n -dmax_execution_time=10 -dextension=ext\php_sockets.dll -dextension=ext\php_sysvshm.dll -dextension=ext\php_tidy.dll -dextension=ext\php_xmlrpc.dll -dextension=ext\php_sqlite3.dll -dextension=ext\php_bz2.dll -dextension=ext\php_com_dotnet.dll -dextension=ext\php_curl.dll -dextension=ext\php_enchant.dll -dextension=ext\php_exif.dll -dextension=ext\php_fileinfo.dll -dextension=ext\php_ftp.dll -dextension=ext\php_gd2.dll -dextension=ext\php_gettext.dll -dextension=ext\php_gmp.dll -dextension=ext\php_imap.dll -dextension=ext\php_ldap.dll -dextension=ext\php_mbstring.dll -dextension=ext\php_mysqli.dll -dextension=ext\php_odbc.dll -dextension=ext\php_openssl.dll -dextension=ext\php_pdo_mysql.dll -dextension=ext\php_pdo_odbc.dll -dextension=ext\php_pdo_pgsql.dll -dextension=ext\php_pdo_sqlite.dll -dextension=ext\php_pgsql.dll -dextension=ext\php_phpdbg_webhelper.dll -dextension=ext\php_shmop.dll -dextension=ext\php_soap.dll 267353.php ... (23f0.570): Access violation - code c0000005 (first chance) First chance exceptions are reported before any exception handling. This exception may be expected and handled. php7!smart_str_erealloc+0x99: 6cc94249 8b07 mov eax,dword ptr [edi] ds:002b:c7d20000=???????? Processing initial command 'r;!exploitable -v' 0:000:x86> r;!exploitable -v eax=00064728 ebx=000000ef ecx=0005c488 edx=0000000f esi=00000000 edi=c7d20000 eip=6cc94249 esp=06c5c0a4 ebp=1bc00040 iopl=0 nv up ei ng nz na pe nc cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010286 php7!smart_str_erealloc+0x99: 6cc94249 8b07 mov eax,dword ptr [edi] ds:002b:c7d20000=???????? !exploitable 1.6.0.0 HostMachine\HostUser Executing Processor Architecture is x86 Debuggee is in User Mode Debuggee is a live user mode debugging session on the local machine Event Type: Exception Exception Faulting Address: 0xc7d20000 First Chance Exception Type: STATUS_ACCESS_VIOLATION (0xC0000005) Exception Sub-Type: Read Access Violation Faulting Instruction:6cc94249 mov eax,dword ptr [edi] Basic Block: 6cc94249 mov eax,dword ptr [edi] Tainted Input operands: 'edi' 6cc9424b mov dword ptr [ebp+edx*4+10h],eax Tainted Input operands: 'eax' 6cc9424f mov eax,dword ptr [esp+10h] 6cc94253 and dword ptr [edi+8],0 Tainted Input operands: 'edi' 6cc94257 mov dword ptr [edi+0ch],ebx Tainted Input operands: 'edi' 6cc9425a mov dword ptr [edi],1 Tainted Input operands: 'edi' 6cc94260 mov dword ptr [edi+4],6 Tainted Input operands: 'edi' 6cc94267 pop ebp 6cc94268 mov dword ptr [eax],edi Tainted Input operands: 'edi' 6cc9426a and dword ptr [edi+0ch],0 Tainted Input operands: 'edi' 6cc9426e pop ebx 6cc9426f mov ecx,dword ptr [esp+0ch] 6cc94273 pop edi 6cc94274 pop esi 6cc94275 xor ecx,esp 6cc94277 call php7!__security_check_cookie (6cfe0d20) Exception Hash (Major/Minor): 0x16bd16b7.0x1313ba8b Hash Usage : Stack Trace: Major+Minor : php7!smart_str_erealloc+0x99 Major+Minor : php7!xbuf_format_converter+0x5bc Major+Minor : php7!php_printf_to_smart_str+0x13 Major+Minor : php7!zend_strpprintf+0x34 Major+Minor : php7!zim_exception___toString+0x620 Minor : php_exif!exif_error_docref+0x2c Minor : php7!zend_call_function+0x34d Minor : ntdll_76f20000!RtlSetLastWin32Error+0x39 Minor : php7!zval_get_string_func+0x33a42a Minor : php7!ZEND_ECHO_SPEC_CV_HANDLER+0x36ac7b Minor : php7!execute_ex+0x57 Minor : php7!zend_execute+0xf9 Minor : php7!zend_execute_scripts+0x94 Minor : php7!php_execute_script+0x283 Minor : php!do_cli+0x8f4 Minor : php!main+0x502 Minor : php!__scrt_common_main_seh+0xf9 Minor : KERNEL32!BaseThreadInitThunk+0x24 Minor : ntdll_76f20000!__RtlUserThreadStart+0x2f Minor : ntdll_76f20000!_RtlUserThreadStart+0x1b Instruction Address: 0x000000006cc94249 Source File: c:\php-snap-build\php72\vc15\x86\php-7.2.4\zend\zend_smart_str.c Source Line: 41 Description: Data from Faulting Address controls subsequent Write Address Short Description: TaintedDataControlsWriteAddress Exploitability Classification: PROBABLY_EXPLOITABLE Recommended Bug Title: Probably Exploitable - Data from Faulting Address controls subsequent Write Address starting at php7!smart_str_erealloc+0x0000000000000099 (Hash=0x16bd16b7.0x1313ba8b) The data from the faulting address is later used as the target for a later write.