[2019-03-03 07:49 UTC] stas@php.net
[2019-03-04 07:38 UTC] stas@php.net
-Status: Open
+Status: Closed
-Assigned To:
+Assigned To: stas
[2019-03-04 07:38 UTC] stas@php.net
[2019-03-12 19:56 UTC] stas@php.net
-CVE-ID:
+CVE-ID: 2019-9639
[2019-07-02 15:21 UTC] d at gmail dot com
Copyright © 2001-2025 The PHP Group. All rights reserved.
Last updated: Wed Oct 29 17:00:02 2025 UTC
Description:
------------
The exif_process_IFD_in_MAKERNOTE method of the ext/exif/exif.c file has this variable declaration:

    int data_len; // It is not initialized on declaration.

A value is set to the data_len variable in the switch case below, but no value is set to the data_len variable in the default and MN_OFFSET_NORMAL cases:

    ...
    switch (maker_note->offset_mode) {
        case MN_OFFSET_MAKER:
            offset_base = value_ptr;
            data_len = value_len;
            break;
        case MN_OFFSET_GUESS:
            ...
            offset_base = value_ptr + offset_diff;
            data_len = value_len - offset_diff;
            break;
        default:
        case MN_OFFSET_NORMAL:
            break;
    }
    .....

PHP Versions
------------
PHP 8.0.0-dev (cli) (built: Feb 22 2019 18:33:06)
PHP 7.3.2 (cli) (built: Feb 23 2019 18:07:24) ( NTS DEBUG )

Configure Line
--------------
./configure --prefix=/php/install --enable-cli --enable-exif --enable-debug --without-pear

Test script:
---------------
    <?php
    $img = fopen("php://memory","r+");
    fwrite($img,hex2bin("ffd8e1003c4578696600004d4d002a0000000c000000000002010f00010000000500000026927c0001000000120000002b4e494b4f4e4e696b6f6e00000000010000000100000005"));
    $s = exif_thumbnail($img);
    ?>

Actual result:
--------------
Valgrind
---------
    export USE_ZEND_ALLOC=0
    export ZEND_DONT_UNLOAD_MODULES=1
    valgrind bin/php test.php

Source lines are from PHP 7.3.2.

    ==12021== Conditional jump or move depends on uninitialised value(s)
    ==12021==    at 0x486484: exif_process_IFD_TAG (exif.c:3262)
    ==12021==    by 0x486125: exif_process_IFD_in_MAKERNOTE (exif.c:3192)
    ==12021==    by 0x4872CE: exif_process_IFD_TAG (exif.c:3473)
    ==12021==    by 0x4876F0: exif_process_IFD_in_JPEG (exif.c:3555)
    ==12021==    by 0x487A68: exif_process_TIFF_in_JPEG (exif.c:3644)
    ==12021==    by 0x487B62: exif_process_APP1 (exif.c:3669)
    ==12021==    by 0x488187: exif_scan_JPEG_header (exif.c:3814)
    ==12021==    by 0x48942D: exif_scan_FILE_header (exif.c:4203)
    ==12021==    by 0x489EB4: exif_read_from_impl (exif.c:4344)
    ==12021==    by 0x489F2F: exif_read_from_stream (exif.c:4361)
    ==12021==    by 0x48BA43: zif_exif_thumbnail (exif.c:4621)
    ==12021==    by 0x7E5579: ZEND_DO_ICALL_SPEC_RETVAL_USED_HANDLER (zend_vm_execute.h:690)
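Added example, not the reporter's code and not taken from php-src: a hardened rendering in C of the switch quoted above, in which every branch assigns data_len before the bounds check that later consumes it. The enum, the function names, the constructed 18-byte value and the exact shape of the fix (assigning data_len in the default/MN_OFFSET_NORMAL branch) are assumptions of this example, not a quote of the upstream patch.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Constructed stand-in for the maker-note offset modes in ext/exif/exif.c. */
typedef enum { MN_OFFSET_NORMAL = 0, MN_OFFSET_MAKER, MN_OFFSET_GUESS } mn_offset_mode;

/* Hardened form of the switch quoted in the report: every branch assigns
 * data_len and offset_base. Returns false when the entry must be rejected
 * because offset_diff does not lie inside the value. */
bool makernote_window(mn_offset_mode mode, const uint8_t *value_ptr, size_t value_len,
                      size_t offset_diff, const uint8_t **offset_base, size_t *data_len)
{
    *offset_base = value_ptr;   /* defaults set before the switch: nothing stays uninitialised */
    *data_len = 0;
    switch (mode) {
    case MN_OFFSET_MAKER:
        *data_len = value_len;
        break;
    case MN_OFFSET_GUESS:
        if (offset_diff >= value_len)
            return false;       /* value_len - offset_diff would otherwise wrap */
        *offset_base = value_ptr + offset_diff;
        *data_len = value_len - offset_diff;
        break;
    default:
    case MN_OFFSET_NORMAL:
        *data_len = value_len;  /* the assignment the reported code lacks */
        break;
    }
    return true;
}

/* The kind of bounds check a later stage performs against data_len: an IFD
 * entry of entry_len bytes at entry_off fits only if it ends inside the window. */
bool entry_fits(size_t data_len, size_t entry_off, size_t entry_len)
{
    return entry_off <= data_len && entry_len <= data_len - entry_off;
}

/* data_len produced for a mode over a constructed value, or SIZE_MAX if rejected. */
size_t data_len_for(mn_offset_mode mode, size_t value_len, size_t offset_diff)
{
    static const uint8_t value[64];     /* constructed maker-note bytes (all zero) */
    const uint8_t *base; size_t len;
    return makernote_window(mode, value, value_len, offset_diff, &base, &len) ? len : SIZE_MAX;
}
```

With the reported code, data_len_for(MN_OFFSET_NORMAL, ...) would hand entry_fits whatever happened to be on the stack; here it is always the value length.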