PHP :: Bug #79046 :: NaN to int cast undefined behavior in exif

Bug #79046	NaN to int cast undefined behavior in exif
Submitted:	2019-12-30 03:37 UTC	Modified:	2019-12-30 15:29 UTC
From:	wxhusst at gmail dot com	Assigned:
Status:	Closed	Package:	EXIF related
PHP Version:	7.4.1	OS:	linux
Private report:	No	CVE-ID:	None

View Developer Edit

Welcome! If you don't have a Git account, you can't do anything here.
If you reported this bug, you can edit this bug over here.

php.net Username: php.net Password:

Quick Fix:	(description)
	Block user comment
Status:		Assign to:
Package:
Bug Type:
Summary:
From:	wxhusst at gmail dot com
New email:
PHP Version:		OS:

New/Additional Comment:

[2019-12-30 03:37 UTC] wxhusst at gmail dot com

Description:
------------
exif_read_data may lead to integer overflow

raven@ubuntu ~/p/s/cli (master)> 
./php -r 'exif_read_data("/home/raven/php-src/crash-7cd841466926b2ce76d75b379568282a0fc8914b", "IFD0");'
/home/raven/php-src/ext/exif/exif.c:1677:10: runtime error: nan is outside the range of representable values of type 'unsigned long'
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /home/raven/php-src/ext/exif/exif.c:1677:10 in

sorry,  no backtrace for gdb

the file 
https://github.com/loveraven42/poc/blob/master/crash-7cd841466926b2ce76d75b379568282a0fc8914b

Test script:
---------------
./php -r 'exif_read_data("/home/raven/php-src/crash-7cd841466926b2ce76d75b379568282a0fc8914b", "IFD0");

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2019-12-30 15:29 UTC] nikic@php.net

-Summary: UndefinedBehaviorSanitizer: undefined-behavior +Summary: NaN to int cast undefined behavior in exif -Status: Open +Status: Verified -Type: Security +Type: Bug

[2019-12-30 15:29 UTC] nikic@php.net

This was partially addressed in https://github.com/php/php-src/commit/dd997a40d0be9b03973b1317041f92ad9582237f, but the NaN case wasn't handled.

Reclassifying as normal bug as this UBSan violation does not result in an actual miscompile.

[2019-12-30 16:24 UTC] nikic@php.net

Automatic comment on behalf of nikita.ppv@gmail.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=d1537e506edb48790c72a93e1d8505ef2c3e4dd3
Log: Fixed bug #79046

[2019-12-30 16:24 UTC] nikic@php.net

-Status: Verified +Status: Closed

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2025 The PHP Group All rights reserved.	Last updated: Mon Oct 27 00:00:01 2025 UTC