php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #34704 Infinite recursion due to corrupt JPEG
Submitted: 2005-10-02 09:07 UTC Modified: 2005-10-09 16:43 UTC
Votes:1
Avg. Score:5.0 ± 0.0
Reproduced:0 of 0 (0.0%)
From: t dot starling at physics dot unimelb dot edu dot au Assigned: helly (profile)
Status: Closed Package: EXIF related
PHP Version: 5CVS, 6CVS, 4CVS (2005-10-02) OS: *
Private report: No CVE-ID: None
View Developer Edit
Welcome! If you don't have a Git account, you can't do anything here.
If you reported this bug, you can edit this bug over here.
(description)
Block user comment
Status: Assign to:
Package:
Bug Type:
Summary:
From: t dot starling at physics dot unimelb dot edu dot au
New email:
PHP Version: OS:

 

 [2005-10-02 09:07 UTC] t dot starling at physics dot unimelb dot edu dot au
Description:
------------
An image, seen in the wild and probably generated non-maliciously, reliably causes exif_read_data() to go into infinite recursion.

I've fixed the problem and created a patch against PHP 4.4.0:

http://wikimedia.org/~tstarling/php/exif_IFD2.patch

The test image is here:

http://wikimedia.org/~tstarling/php/Carcraftbuckett.jpg

The problem was an assumption that images would follow the spec and include a maximum of 2 IFD headers, IFD0 for the image and IFD1 for the thumbnail. The test image probably has the "next IFD offset" field pointing back to the same structure, creating an infinite loop. I haven't studied the test image in detail, but my patch allows PHP's Exif functions to read it without segfaulting, which is good enough for me.

I decided to ignore any further IFDs beyond the first two rather than issue an error, for compatibility with possible future revisions of the Exif spec.

-- Tim Starling (MediaWiki developer)


Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2005-10-02 13:05 UTC] sniper@php.net
Please try using this CVS snapshot:

  http://snaps.php.net/php5-latest.tar.gz
 
For Windows:
 
  http://snaps.php.net/win32/php5-win32-latest.zip


 [2005-10-02 21:33 UTC] t dot starling at physics dot unimelb dot edu dot au
There are no significant changes between 4.4.0 and HEAD, you should be able to forward-port it without any trouble. See

http://cvs.php.net/diff.php/php-src/ext/exif/exif.c?r1=1.173&r2=1.118.2.37.2.1&ty=h

My patch comes in at around line 3039, as you can see there are only documentation changes.

This patch is now in production on wikipedia.org and related websites. I for one don't want to see my website get DoSed because of this.
 [2005-10-02 22:13 UTC] sniper@php.net
Assigned to the "maintainer".

 [2005-10-09 16:43 UTC] helly@php.net
This bug has been fixed in CVS.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.

Fixed for 4.4.1, 5.0.6, 5.1.0, HEAD
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Thu Nov 21 12:01:29 2024 UTC