|
|
php.net | support | documentation | report a bug | advanced search | search howto | statistics | random bug | login |
PatchesPull RequestsHistoryAllCommentsChangesGit/SVN commits
[2019-02-12 01:10 UTC] chamal dot desilva at gmail dot com
[2019-03-02 23:13 UTC] stas@php.net
-Status: Open
+Status: Assigned
-PHP Version: 7.3.1
+PHP Version: 7.1.26
-Assigned To:
+Assigned To: stas
-CVE-ID:
+CVE-ID: needed
[2019-03-02 23:13 UTC] stas@php.net
[2019-03-04 07:35 UTC] stas@php.net
[2019-03-04 07:35 UTC] stas@php.net
-Status: Assigned
+Status: Closed
[2019-03-04 07:35 UTC] stas@php.net
[2019-03-08 23:58 UTC] stas@php.net
-CVE-ID: needed
+CVE-ID: 2019-9638
|
|||||||||||||||||||||||||||
Copyright © 2001-2024 The PHP GroupAll rights reserved. |
Last updated: Thu Nov 21 08:01:29 2024 UTC |
Description: ------------ Version ------- PHP 7.3.1 PHP 7.4.0-dev (cli) Description ------------ This bug is caused by below lines of ext/exif/exif.c file's exif_process_IFD_in_MAKERNOTE method. .... //This condition checks whether maker_note->offset exceeds value_len. if (maker_note->offset >= value_len) { exif_error_docref("exif_read_data#error_ifd" EXIFERR_CC, ImageInfo, E_WARNING, "IFD data too short: 0x%04X offset 0x%04X", value_len, maker_note->offset); return FALSE; } dir_start = value_ptr + maker_note->offset; .... .... //Then reads 2 bytes of data. So if maker_note->offset is 1 less than value_len, then last byte read contains uninitialized data. NumDirEntries = php_ifd_get16u(dir_start, ImageInfo->motorola_intel); .... Configure Line --------------- ./configure --prefix=/php/install --enable-cli --enable-exif --enable-debug --without-pear Test script: --------------- <?php $img = fopen("php://memory","r+"); fwrite($img,hex2bin("ffd8e1003c4578696600004d4d002a0000000c000000000002010f00010000000500000026927c0001000000090000002b4e494b4f4e4e696b6f6e00010000")); $s = exif_thumbnail($img); ?> Actual result: -------------- Valgrind Output --------------- Source line numbers are from PHP 7.3.1 export USE_ZEND_ALLOC=0 export ZEND_DONT_UNLOAD_MODULES=1 valgrind bin/php test.php ==3590== Conditional jump or move depends on uninitialised value(s) ==3590== at 0x24D2B3: exif_process_IFD_in_MAKERNOTE (exif.c:3186) ==3590== by 0x24E2E5: exif_process_IFD_TAG (exif.c:3473) ==3590== by 0x24E664: exif_process_IFD_in_JPEG (exif.c:3555) ==3590== by 0x24E942: exif_process_TIFF_in_JPEG (exif.c:3644) ==3590== by 0x24EA03: exif_process_APP1 (exif.c:3669) ==3590== by 0x24EECE: exif_scan_JPEG_header (exif.c:3814) ==3590== by 0x24FDF5: exif_scan_FILE_header (exif.c:4203) ==3590== by 0x250664: exif_read_from_impl (exif.c:4344) ==3590== by 0x2506CF: exif_read_from_stream (exif.c:4361) ==3590== by 0x252045: zif_exif_thumbnail (exif.c:4621) ==3590== by 0x52EA5B: ZEND_DO_ICALL_SPEC_RETVAL_USED_HANDLER (zend_vm_execute.h:690) ==3590== by 0x59146D: execute_ex (zend_vm_execute.h:55418) ==3590== ==3590== Conditional jump or move depends on uninitialised value(s) ==3590== at 0x24D343: exif_process_IFD_in_MAKERNOTE (exif.c:3191) ==3590== by 0x24E2E5: exif_process_IFD_TAG (exif.c:3473) ==3590== by 0x24E664: exif_process_IFD_in_JPEG (exif.c:3555) ==3590== by 0x24E942: exif_process_TIFF_in_JPEG (exif.c:3644) ==3590== by 0x24EA03: exif_process_APP1 (exif.c:3669) ==3590== by 0x24EECE: exif_scan_JPEG_header (exif.c:3814) ==3590== by 0x24FDF5: exif_scan_FILE_header (exif.c:4203) ==3590== by 0x250664: exif_read_from_impl (exif.c:4344) ==3590== by 0x2506CF: exif_read_from_stream (exif.c:4361) ==3590== by 0x252045: zif_exif_thumbnail (exif.c:4621) ==3590== by 0x52EA5B: ZEND_DO_ICALL_SPEC_RETVAL_USED_HANDLER (zend_vm_execute.h:690) ==3590== by 0x59146D: execute_ex (zend_vm_execute.h:55418)