Sec Bug #78256 heap-buffer-overflow on exif_process_user_comment
Submitted: 2019-07-05 21:22 UTC
Modified: 2019-07-29 20:21 UTC
From: orestiskourides at gmail dot com
Assigned: stas
Status: Closed
Package: EXIF related
PHP Version: 7.1.30
OS: Linux
Private report: No
CVE-ID: 2019-11042
 [2019-07-05 21:22 UTC] orestiskourides at gmail dot com
Description:
------------
==20571==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x607000003da3 at pc 0x00000044fb59 bp 0x7ffce7700b90 sp 0x7ffce7700318
READ of size 2 at 0x607000003da3 thread T0
SCARINESS: 14 (2-byte-read-heap-buffer-overflow)
    #0 0x44fb58 in __interceptor_memcmp /tmp/tmp.XYTE7P6bCb/final/llvm.src/projects/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:837:7
    #1 0x840427 in exif_process_user_comment /home/ninja/php/php-7.3.7_asan/ext/exif/exif.c:3018:9
    #2 0x83e539 in exif_process_IFD_TAG /home/ninja/php/php-7.3.7_asan/ext/exif/exif.c:3403:36
    #3 0x83c276 in exif_process_IFD_in_JPEG /home/ninja/php/php-7.3.7_asan/ext/exif/exif.c:3577:8
    #4 0x83bc96 in exif_process_TIFF_in_JPEG /home/ninja/php/php-7.3.7_asan/ext/exif/exif.c:3666:2
    #5 0x83b617 in exif_process_APP1 /home/ninja/php/php-7.3.7_asan/ext/exif/exif.c:3691:2
    #6 0x8381fa in exif_scan_JPEG_header /home/ninja/php/php-7.3.7_asan/ext/exif/exif.c:3836:6
    #7 0x837033 in exif_scan_FILE_header /home/ninja/php/php-7.3.7_asan/ext/exif/exif.c:4231:8
    #8 0x836bba in exif_read_from_impl /home/ninja/php/php-7.3.7_asan/ext/exif/exif.c:4372:8
    #9 0x82ed22 in exif_read_from_stream /home/ninja/php/php-7.3.7_asan/ext/exif/exif.c:4389:8
    #10 0x82c4cf in zif_exif_read_data /home/ninja/php/php-7.3.7_asan/ext/exif/exif.c:4479:9
    #11 0x15177ff in ZEND_DO_ICALL_SPEC_RETVAL_USED_HANDLER /home/ninja/php/php-7.3.7_asan/Zend/zend_vm_execute.h:690:2
    #12 0x12f2c6d in execute_ex /home/ninja/php/php-7.3.7_asan/Zend/zend_vm_execute.h:55334:7
    #13 0x12f3fda in zend_execute /home/ninja/php/php-7.3.7_asan/Zend/zend_vm_execute.h:60881:2
    #14 0x10b4654 in zend_execute_scripts /home/ninja/php/php-7.3.7_asan/Zend/zend.c:1568:4
    #15 0xe07a9f in php_execute_script /home/ninja/php/php-7.3.7_asan/main/main.c:2630:14
    #16 0x1743ad7 in do_cli /home/ninja/php/php-7.3.7_asan/sapi/cli/php_cli.c:997:5
    #17 0x1740b1b in main /home/ninja/php/php-7.3.7_asan/sapi/cli/php_cli.c:1389:18
    #18 0x7f372806cb96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
    #19 0x434da9 in _start (/home/ninja/php/php-7.3.7_asan/sapi/cli/php+0x434da9)

0x607000003da3 is located 0 bytes to the right of 67-byte region [0x607000003d60,0x607000003da3)
allocated by thread T0 here:
    #0 0x4e0753 in malloc /tmp/tmp.XYTE7P6bCb/final/llvm.src/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:146:3
    #1 0xf96b94 in __zend_malloc /home/ninja/php/php-7.3.7_asan/Zend/zend_alloc.c:2903:14
    #2 0xf90e35 in _emalloc /home/ninja/php/php-7.3.7_asan/Zend/zend_alloc.c:2496:11
    #3 0xf96809 in _safe_emalloc /home/ninja/php/php-7.3.7_asan/Zend/zend_alloc.c:2558:9
    #4 0x83b304 in exif_file_sections_add /home/ninja/php/php-7.3.7_asan/ext/exif/exif.c:1989:10
    #5 0x837b8b in exif_scan_JPEG_header /home/ninja/php/php-7.3.7_asan/ext/exif/exif.c:3790:8
    #6 0x837033 in exif_scan_FILE_header /home/ninja/php/php-7.3.7_asan/ext/exif/exif.c:4231:8
    #7 0x836bba in exif_read_from_impl /home/ninja/php/php-7.3.7_asan/ext/exif/exif.c:4372:8
    #8 0x82ed22 in exif_read_from_stream /home/ninja/php/php-7.3.7_asan/ext/exif/exif.c:4389:8
    #9 0x82c4cf in zif_exif_read_data /home/ninja/php/php-7.3.7_asan/ext/exif/exif.c:4479:9
    #10 0x15177ff in ZEND_DO_ICALL_SPEC_RETVAL_USED_HANDLER /home/ninja/php/php-7.3.7_asan/Zend/zend_vm_execute.h:690:2
    #11 0x12f2c6d in execute_ex /home/ninja/php/php-7.3.7_asan/Zend/zend_vm_execute.h:55334:7
    #12 0x12f3fda in zend_execute /home/ninja/php/php-7.3.7_asan/Zend/zend_vm_execute.h:60881:2
    #13 0x10b4654 in zend_execute_scripts /home/ninja/php/php-7.3.7_asan/Zend/zend.c:1568:4
    #14 0xe07a9f in php_execute_script /home/ninja/php/php-7.3.7_asan/main/main.c:2630:14
    #15 0x1743ad7 in do_cli /home/ninja/php/php-7.3.7_asan/sapi/cli/php_cli.c:997:5
    #16 0x1740b1b in main /home/ninja/php/php-7.3.7_asan/sapi/cli/php_cli.c:1389:18
    #17 0x7f372806cb96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310

SUMMARY: AddressSanitizer: heap-buffer-overflow /tmp/tmp.XYTE7P6bCb/final/llvm.src/projects/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:837:7 in __interceptor_memcmp


Test script:
---------------
<?php
// Minimal JPEG built in memory: SOI, then one APP1 segment (length 0x42) holding
// "Exif\0\0" and a big-endian TIFF whose IFD has two entries with illegal format
// 0x3030 (treated as BYTE); tag 0x9286 (UserComment) points at the 8-byte value
// "UNICODE\0" at the very end of the segment, with no comment bytes after it.
$img = fopen("php://memory", "r+");
fwrite($img, hex2bin("ffd8e100424578696600004d4d002a0000000c303030300002303030300000000800000030928630300000000800000032303030303030303030303030554e49434f444500"));
// Only the COMMENT section is requested; the stream resource is passed directly.
$test = exif_read_data($img, 'COMMENT', FALSE, FALSE);
?>

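As an added example (my own code, not php-src), this is the UserComment prefix and BOM handling that the read at exif.c:3018 performs, rewritten with a length check before every read: the test script's value is exactly the 8-byte "UNICODE\0" prefix with nothing after it, so an unguarded 2-byte BOM probe at offset 8 runs off the end of the value, which is the 2-byte read ASan and Valgrind report. The struct and function names, the `unchecked_overread` accounting and the BOM sample are my own assumptions; `POC_VALUE` is the value bytes from the script.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Outcome of parsing one UserComment (tag 0x9286) value. */
enum uc_status { UC_OK = 0, UC_TOO_SHORT = 1 };

struct user_comment {
    const char    *encoding;    /* prefix found: ASCII, UNICODE, JIS, UNDEFINED, UNKNOWN */
    const char    *decode;      /* charset to decode the payload with, NULL = raw bytes */
    const uint8_t *payload;     /* comment bytes after the prefix (and BOM, if any) */
    size_t         payload_len;
};

/* Value bytes the bug's test script hands to the parser: just the 8-byte prefix. */
static const uint8_t POC_VALUE[8] = { 'U','N','I','C','O','D','E', 0 };

/* Constructed sample (not from the report): prefix, UCS-2BE BOM, then "Hi". */
static const uint8_t BOM_SAMPLE[14] = { 'U','N','I','C','O','D','E', 0,
                                        0xFE, 0xFF, 0, 'H', 0, 'i' };

/*
 * Bounds-checked parse of a UserComment value. Every memcmp is preceded by a
 * check on the bytes remaining, so a value that ends right after the prefix
 * (the PoC case) yields an empty payload instead of a read past the buffer.
 */
static enum uc_status parse_user_comment(const uint8_t *buf, size_t len,
                                         struct user_comment *out)
{
    const uint8_t *p;
    size_t n;

    memset(out, 0, sizeof *out);
    if (len < 8)                        /* no room for the 8-byte character-code prefix */
        return UC_TOO_SHORT;
    p = buf + 8;
    n = len - 8;

    if (memcmp(buf, "UNICODE\0", 8) == 0) {
        out->encoding = "UNICODE";
        /* The unguarded version probes 2 BOM bytes here regardless of n;
         * with n == 0 (PoC) that is the 2-byte over-read in the reports. */
        if (n >= 2 && memcmp(p, "\xFE\xFF", 2) == 0) {
            out->decode = "UCS-2BE"; p += 2; n -= 2;
        } else if (n >= 2 && memcmp(p, "\xFF\xFE", 2) == 0) {
            out->decode = "UCS-2LE"; p += 2; n -= 2;
        } else {
            out->decode = "UCS-2BE";    /* assumption: big-endian TIFF, as in the PoC */
        }
    } else if (memcmp(buf, "ASCII\0\0\0", 8) == 0) {
        out->encoding = "ASCII";
    } else if (memcmp(buf, "JIS\0\0\0\0\0", 8) == 0) {
        out->encoding = "JIS";
        out->decode = "JIS";
    } else if (memcmp(buf, "\0\0\0\0\0\0\0\0", 8) == 0) {
        out->encoding = "UNDEFINED";
    } else {
        out->encoding = "UNKNOWN";      /* no known prefix: whole value is the comment */
        p = buf;
        n = len;
    }
    out->payload = p;
    out->payload_len = n;
    return UC_OK;
}

/*
 * Bytes an unguarded 2-byte BOM probe at offset 8 reads beyond a
 * UNICODE-prefixed value of `len` bytes: 0 for 10+ bytes, 2 for the PoC.
 */
static size_t unchecked_overread(size_t len)
{
    if (len < 8)   return 0;            /* the prefix length check already stops here */
    if (len >= 10) return 0;
    return 10 - len;
}

static void show(const char *label, const uint8_t *buf, size_t len)
{
    struct user_comment uc;
    if (parse_user_comment(buf, len, &uc) != UC_OK) {
        printf("%s: rejected, %zu bytes is too short for a prefix\n", label, len);
        return;
    }
    printf("%s: encoding=%s decode=%s payload=%zu bytes, unguarded over-read=%zu\n",
           label, uc.encoding, uc.decode ? uc.decode : "raw", uc.payload_len,
           unchecked_overread(len));
}

int main(void)
{
    show("PoC value", POC_VALUE, sizeof POC_VALUE);
    show("constructed BOM value", BOM_SAMPLE, sizeof BOM_SAMPLE);
    show("truncated value", POC_VALUE, 7);
    return 0;
}
```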

Expected result:
----------------
No crash

Actual result:
--------------
==20618== Memcheck, a memory error detector
==20618== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
==20618== Using Valgrind-3.13.0 and LibVEX; rerun with -h for copyright info
==20618== Command: /home/ninja/php/php-7.3.7/sapi/cli/php test.php
==20618== 
==20618== Conditional jump or move depends on uninitialised value(s)
==20618==    at 0x601CBA: zend_string_equal_val (zend_string.c:417)
==20618==    by 0x601CBA: zend_string_equal_content (zend_string.h:310)
==20618==    by 0x601CBA: zend_interned_string_ht_lookup (zend_string.c:156)
==20618==    by 0x601CBA: zend_new_interned_string_permanent (zend_string.c:196)
==20618==    by 0x5F0E19: zend_register_ini_entries (zend_ini.c:261)
==20618==    by 0x57945D: php_module_startup (main.c:2275)
==20618==    by 0x68BB49: php_cli_startup (php_cli.c:420)
==20618==    by 0x68AB30: main (php_cli.c:1356)
==20618== 

Warning: exif_read_data(): Process tag(x3030=UndefinedTa): Illegal format code 0x3030, suppose BYTE in /tmp/test.php on line 4

Warning: exif_read_data(): Process tag(x9286=UserComment): Illegal format code 0x3030, suppose BYTE in /tmp/test.php on line 4
==20618== Invalid read of size 2
==20618==    at 0x4D24B7: exif_process_user_comment (exif.c:3018)
==20618==    by 0x4D24B7: exif_process_IFD_TAG (exif.c:3403)
==20618==    by 0x4D13BA: exif_process_IFD_in_JPEG (exif.c:3577)
==20618==    by 0x4CF1C7: exif_process_TIFF_in_JPEG (exif.c:3666)
==20618==    by 0x4CF1C7: exif_process_APP1 (exif.c:3691)
==20618==    by 0x4CF1C7: exif_scan_JPEG_header (exif.c:3836)
==20618==    by 0x4CF1C7: exif_scan_FILE_header (exif.c:4231)
==20618==    by 0x4CF1C7: exif_read_from_impl (exif.c:4372)
==20618==    by 0x4CF1C7: exif_read_from_stream (exif.c:4389)
==20618==    by 0x4CD8B1: zif_exif_read_data (exif.c:4479)
==20618==    by 0x6626E1: ZEND_DO_ICALL_SPEC_RETVAL_USED_HANDLER (zend_vm_execute.h:690)
==20618==    by 0x619577: execute_ex (zend_vm_execute.h:55334)
==20618==    by 0x6196CE: zend_execute (zend_vm_execute.h:60881)
==20618==    by 0x5D8243: zend_execute_scripts (zend.c:1568)
==20618==    by 0x57A5B5: php_execute_script (main.c:2630)
==20618==    by 0x68B93A: do_cli (php_cli.c:997)
==20618==    by 0x68AB90: main (php_cli.c:1389)
==20618==  Address 0x64593b2 is 66 bytes inside a block of size 67 alloc'd
==20618==    at 0x4C2FB0F: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==20618==    by 0x5AF218: __zend_malloc (zend_alloc.c:2903)
==20618==    by 0x4CEE78: exif_file_sections_add (exif.c:1989)
==20618==    by 0x4CEE78: exif_scan_JPEG_header (exif.c:3790)
==20618==    by 0x4CEE78: exif_scan_FILE_header (exif.c:4231)
==20618==    by 0x4CEE78: exif_read_from_impl (exif.c:4372)
==20618==    by 0x4CEE78: exif_read_from_stream (exif.c:4389)
==20618==    by 0x4CD8B1: zif_exif_read_data (exif.c:4479)
==20618==    by 0x6626E1: ZEND_DO_ICALL_SPEC_RETVAL_USED_HANDLER (zend_vm_execute.h:690)
==20618==    by 0x619577: execute_ex (zend_vm_execute.h:55334)
==20618==    by 0x6196CE: zend_execute (zend_vm_execute.h:60881)
==20618==    by 0x5D8243: zend_execute_scripts (zend.c:1568)
==20618==    by 0x57A5B5: php_execute_script (main.c:2630)
==20618==    by 0x68B93A: do_cli (php_cli.c:997)
==20618==    by 0x68AB90: main (php_cli.c:1389)
==20618== 
==20618== Conditional jump or move depends on uninitialised value(s)
==20618==    at 0x4D24BC: exif_process_user_comment (exif.c:3018)
==20618==    by 0x4D24BC: exif_process_IFD_TAG (exif.c:3403)
==20618==    by 0x4D13BA: exif_process_IFD_in_JPEG (exif.c:3577)
==20618==    by 0x4CF1C7: exif_process_TIFF_in_JPEG (exif.c:3666)
==20618==    by 0x4CF1C7: exif_process_APP1 (exif.c:3691)
==20618==    by 0x4CF1C7: exif_scan_JPEG_header (exif.c:3836)
==20618==    by 0x4CF1C7: exif_scan_FILE_header (exif.c:4231)
==20618==    by 0x4CF1C7: exif_read_from_impl (exif.c:4372)
==20618==    by 0x4CF1C7: exif_read_from_stream (exif.c:4389)
==20618==    by 0x4CD8B1: zif_exif_read_data (exif.c:4479)
==20618==    by 0x6626E1: ZEND_DO_ICALL_SPEC_RETVAL_USED_HANDLER (zend_vm_execute.h:690)
==20618==    by 0x619577: execute_ex (zend_vm_execute.h:55334)
==20618==    by 0x6196CE: zend_execute (zend_vm_execute.h:60881)
==20618==    by 0x5D8243: zend_execute_scripts (zend.c:1568)
==20618==    by 0x57A5B5: php_execute_script (main.c:2630)
==20618==    by 0x68B93A: do_cli (php_cli.c:997)
==20618==    by 0x68AB90: main (php_cli.c:1389)
==20618== 
==20618== Invalid read of size 2
==20618==    at 0x4D24C9: exif_process_user_comment (exif.c:3022)
==20618==    by 0x4D24C9: exif_process_IFD_TAG (exif.c:3403)
==20618==    by 0x4D13BA: exif_process_IFD_in_JPEG (exif.c:3577)
==20618==    by 0x4CF1C7: exif_process_TIFF_in_JPEG (exif.c:3666)
==20618==    by 0x4CF1C7: exif_process_APP1 (exif.c:3691)
==20618==    by 0x4CF1C7: exif_scan_JPEG_header (exif.c:3836)
==20618==    by 0x4CF1C7: exif_scan_FILE_header (exif.c:4231)
==20618==    by 0x4CF1C7: exif_read_from_impl (exif.c:4372)
==20618==    by 0x4CF1C7: exif_read_from_stream (exif.c:4389)
==20618==    by 0x4CD8B1: zif_exif_read_data (exif.c:4479)
==20618==    by 0x6626E1: ZEND_DO_ICALL_SPEC_RETVAL_USED_HANDLER (zend_vm_execute.h:690)
==20618==    by 0x619577: execute_ex (zend_vm_execute.h:55334)
==20618==    by 0x6196CE: zend_execute (zend_vm_execute.h:60881)
==20618==    by 0x5D8243: zend_execute_scripts (zend.c:1568)
==20618==    by 0x57A5B5: php_execute_script (main.c:2630)
==20618==    by 0x68B93A: do_cli (php_cli.c:997)
==20618==    by 0x68AB90: main (php_cli.c:1389)
==20618==  Address 0x64593b2 is 66 bytes inside a block of size 67 alloc'd
==20618==    at 0x4C2FB0F: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==20618==    by 0x5AF218: __zend_malloc (zend_alloc.c:2903)
==20618==    by 0x4CEE78: exif_file_sections_add (exif.c:1989)
==20618==    by 0x4CEE78: exif_scan_JPEG_header (exif.c:3790)
==20618==    by 0x4CEE78: exif_scan_FILE_header (exif.c:4231)
==20618==    by 0x4CEE78: exif_read_from_impl (exif.c:4372)
==20618==    by 0x4CEE78: exif_read_from_stream (exif.c:4389)
==20618==    by 0x4CD8B1: zif_exif_read_data (exif.c:4479)
==20618==    by 0x6626E1: ZEND_DO_ICALL_SPEC_RETVAL_USED_HANDLER (zend_vm_execute.h:690)
==20618==    by 0x619577: execute_ex (zend_vm_execute.h:55334)
==20618==    by 0x6196CE: zend_execute (zend_vm_execute.h:60881)
==20618==    by 0x5D8243: zend_execute_scripts (zend.c:1568)
==20618==    by 0x57A5B5: php_execute_script (main.c:2630)
==20618==    by 0x68B93A: do_cli (php_cli.c:997)
==20618==    by 0x68AB90: main (php_cli.c:1389)
==20618== 
==20618== Conditional jump or move depends on uninitialised value(s)
==20618==    at 0x4D24D1: exif_process_user_comment (exif.c:3022)
==20618==    by 0x4D24D1: exif_process_IFD_TAG (exif.c:3403)
==20618==    by 0x4D13BA: exif_process_IFD_in_JPEG (exif.c:3577)
==20618==    by 0x4CF1C7: exif_process_TIFF_in_JPEG (exif.c:3666)
==20618==    by 0x4CF1C7: exif_process_APP1 (exif.c:3691)
==20618==    by 0x4CF1C7: exif_scan_JPEG_header (exif.c:3836)
==20618==    by 0x4CF1C7: exif_scan_FILE_header (exif.c:4231)
==20618==    by 0x4CF1C7: exif_read_from_impl (exif.c:4372)
==20618==    by 0x4CF1C7: exif_read_from_stream (exif.c:4389)
==20618==    by 0x4CD8B1: zif_exif_read_data (exif.c:4479)
==20618==    by 0x6626E1: ZEND_DO_ICALL_SPEC_RETVAL_USED_HANDLER (zend_vm_execute.h:690)
==20618==    by 0x619577: execute_ex (zend_vm_execute.h:55334)
==20618==    by 0x6196CE: zend_execute (zend_vm_execute.h:60881)
==20618==    by 0x5D8243: zend_execute_scripts (zend.c:1568)
==20618==    by 0x57A5B5: php_execute_script (main.c:2630)
==20618==    by 0x68B93A: do_cli (php_cli.c:997)
==20618==    by 0x68AB90: main (php_cli.c:1389)
==20618== 

Warning: exif_read_data(): Illegal IFD offset in /tmp/test.php on line 4

Warning: exif_read_data(): File structure corrupted in /tmp/test.php on line 4

Warning: exif_read_data(): Invalid JPEG file in /tmp/test.php on line 4
==20618== 
==20618== HEAP SUMMARY:
==20618==     in use at exit: 0 bytes in 0 blocks
==20618==   total heap usage: 7,068 allocs, 7,068 frees, 1,596,251 bytes allocated
==20618== 
==20618== All heap blocks were freed -- no leaks are possible
==20618== 
==20618== For counts of detected and suppressed errors, rerun with: -v
==20618== Use --track-origins=yes to see where uninitialised values come from
==20618== ERROR SUMMARY: 173 errors from 25 contexts (suppressed: 0 from 0)


 [2019-07-08 00:20 UTC] stas@php.net
-PHP Version: 7.3.7 +PHP Version: 7.1.30
-Assigned To: +Assigned To: stas
-CVE-ID: +CVE-ID: 2019-11042
 [2019-07-08 00:20 UTC] stas@php.net
This should fix it:

diff --git a/ext/exif/exif.c b/ext/exif/exif.c
index e04290376c..7df5c019c1 100644
--- a/ext/exif/exif.c
+++ b/ext/exif/exif.c
@@ -3015,11 +3015,11 @@ static int exif_process_user_comment(image_info_type *ImageInfo, char **pszInfoP
                        /* First try to detect BOM: ZERO WIDTH NOBREAK SPACE (FEFF 16)
                         * since we have no encoding support for the BOM yet we skip that.
                         */
-                       if (!memcmp(szValuePtr, "\xFE\xFF", 2)) {
+                       if (ByteCount >=2 && !memcmp(szValuePtr, "\xFE\xFF", 2)) {
                                decode = "UCS-2BE";
                                szValuePtr = szValuePtr+2;
                                ByteCount -= 2;
-                       } else if (!memcmp(szValuePtr, "\xFF\xFE", 2)) {
+                       } else if (!ByteCount >= 2 && !memcmp(szValuePtr, "\xFF\xFE", 2)) {
                                decode = "UCS-2LE";
                                szValuePtr = szValuePtr+2;
                                ByteCount -= 2;
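Review bot: the second changed line, `} else if (!ByteCount >= 2 && !memcmp(szValuePtr, "\xFF\xFE", 2)) {`, has an operator-precedence error: `!ByteCount >= 2` parses as `(!ByteCount) >= 2`, and since `!ByteCount` is always 0 or 1 the comparison is never true, so the UCS-2LE BOM branch can no longer be taken at all. It should mirror the UCS-2BE branch added just above it: `} else if (ByteCount >= 2 && !memcmp(szValuePtr, "\xFF\xFE", 2)) {`. With that corrected, the length guard does address the reported problem, since both `memcmp` calls read 2 bytes from `szValuePtr` while the Valgrind trace shows the buffer ending 1 byte in (address 66 bytes inside a block of size 67, with the "uninitialised value" and "invalid read of size 2" reports at exif.c:3018 and exif.c:3022). Minor style point: `ByteCount >=2` in the first added line would normally be written `ByteCount >= 2` to match the surrounding code.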

Please verify.
 [2019-07-13 05:31 UTC] orestiskourides at gmail dot com
fixed, no crash, all good ;)
 [2019-07-29 20:21 UTC] stas@php.net
-Status: Assigned +Status: Closed
 [2019-07-29 20:21 UTC] stas@php.net
The fix for this bug has been committed.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.

 For Windows:

http://windows.php.net/snapshots/

Thank you for the report, and for helping us make PHP better.


 [2019-07-30 07:17 UTC] cmb@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=e648fa4699e8d072db6db34fcc09826e8127fab8
Log: Fix bug #78256 (heap-buffer-overflow on exif_process_user_comment)