Bug #44388 exif_read_data() causes segfault on a certain image
Submitted: 2008-03-10 06:03 UTC
Modified: 2008-03-12 17:33 UTC
From: jon at tgpsolutions dot com
Assigned:
Status: Closed
Package: Reproducible crash
PHP Version: 5.2.5
OS: Linux
Private report: No
CVE-ID: None

 [2008-03-10 06:03 UTC] jon at tgpsolutions dot com
Description:
------------
PHP segfaults trying to read the EXIF data for this image:

http://jon.tgpsolutions.com/exif_read_data-bug.jpg

I hit this bug initially on PHP 5.2.1 (the version in Ubuntu 7.04), was able to reproduce on PHP 5.2.3-1ubuntu6.3 (the version in Ubuntu 7.10), and was able to reproduce again on PHP 5.2.5 compiled from source.  

#43630 looks similar to this bug, but it was closed as Bogus with the explanation "This simply tells you that your EXIF information is broken" - maybe the submitter wasn't clear that PHP segfaults after displaying the warnings?  The sample image isn't available anymore, so I can't be sure if PHP segfaults or not in their case.

Reproduce code:
---------------
test.php:
<?php $exif = exif_read_data('exif_read_data-bug.jpg'); ?>

Expected result:
----------------
$exif contains EXIF data for the image.

Actual result:
--------------
jon@interceptor:~$ php test.php
PHP Warning:  exif_read_data(exif_read_data-bug.jpg): Process tag(xA92D=UndefinedTa): Illegal format code 0x4320, suppose BYTE in /home/jon/test.php on line 1
PHP Warning:  exif_read_data(exif_read_data-bug.jpg): Process tag(xA92D=UndefinedTa): Illegal pointer offset(x74686769 + x7279706F = xE6E1D7D8 > x5FE9) in /home/jon/test.php on line 1
PHP Warning:  exif_read_data(exif_read_data-bug.jpg): Process tag(x3220=UndefinedTa): Illegal format code 0x3030, suppose BYTE in /home/jon/test.php on line 1
PHP Warning:  exif_read_data(exif_read_data-bug.jpg): Process tag(x3220=UndefinedTa): Illegal pointer offset(x43206565 < x406D2B12) in /home/jon/test.php on line 1
PHP Warning:  exif_read_data(exif_read_data-bug.jpg): Process tag(x6168=UndefinedTa): Illegal format code 0x206E, suppose BYTE in /home/jon/test.php on line 1
PHP Warning:  exif_read_data(exif_read_data-bug.jpg): Process tag(x6168=UndefinedTa): Illegal pointer offset(x72694672 < x406D2B1E) in /home/jon/test.php on line 1
PHP Warning:  exif_read_data(exif_read_data-bug.jpg): Process tag(x2065=UndefinedTa): Illegal format code 0x6D49, suppose BYTE in /home/jon/test.php on line 1
PHP Warning:  exif_read_data(exif_read_data-bug.jpg): Process tag(x2065=UndefinedTa): Illegal pointer offset(xE1FF2967 + x6E696761 = x506890C8 > x5FE9) in /home/jon/test.php on line 1
PHP Warning:  exif_read_data(exif_read_data-bug.jpg): Process tag(xF15F=UndefinedTa): Illegal format code 0x7845, suppose BYTE in /home/jon/test.php on line 1
PHP Warning:  exif_read_data(exif_read_data-bug.jpg): Process tag(xF15F=UndefinedTa): Illegal pointer offset(x2A4949 + x6669 = x2AAFB2 > x5FE9) in /home/jon/test.php on line 1
PHP Warning:  exif_read_data(exif_read_data-bug.jpg): Process tag(x4C69=UndefinedTa): Illegal format code 0x0000, suppose BYTE in /home/jon/test.php on line 1
PHP Warning:  exif_read_data(exif_read_data-bug.jpg): Process tag(x0000=UndefinedTa): Illegal format code 0x0000, suppose BYTE in /home/jon/test.php on line 1

... above line repeated many more times...

PHP Warning:  exif_read_data(exif_read_data-bug.jpg): Process tag(x0000=UndefinedTa): Illegal format code 0x0000, suppose BYTE in /home/jon/test.php on line 1
PHP Warning:  exif_read_data(exif_read_data-bug.jpg): Process tag(x0000=UndefinedTa): Illegal format code 0x0000, suppose BYTE in /home/jon/test.php on line 1
Segmentation fault
jon@interceptor:~$

 [2008-03-10 09:44 UTC] scottmac@php.net
Large backtrace follows.

#0  0x00082ab1 in php_ifd_get16u (value=0x8bf06987, motorola_intel=0) at /Users/scott/dev/php5_3/ext/exif/exif.c:1088
#1  0x00083cfa in exif_iif_add_value (image_info=0xbffff344, section_index=13, name=0xbfffec4c "ModeArray", tag=1, format=3, length=46, value=0x8bf06987, motorola_intel=0) at /Users/scott/dev/php5_3/ext/exif/exif.c:1754
#2  0x00083e91 in exif_iif_add_tag (image_info=0xbffff344, section_index=13, name=0xbfffec4c "ModeArray", tag=1, format=3, length=46, value=0x8bf06987) at /Users/scott/dev/php5_3/ext/exif/exif.c:1804
#3  0x00086885 in exif_process_IFD_TAG (ImageInfo=0xbffff344, dir_entry=0x58ca8e "\001", offset_base=0x8bf065ed <Address 0x8bf065ed out of bounds>, IFDlength=24553, displacement=684, section_index=13, ReadNextIFD=0, tag_table=0x43fd60) at /Users/scott/dev/php5_3/ext/exif/exif.c:3124
#4  0x0008623b in exif_process_IFD_in_MAKERNOTE (ImageInfo=0xbffff344, value_ptr=0x58c7e0 "t", value_len=8340, offset_base=0x8bf065ed <Address 0x8bf065ed out of bounds>, IFDlength=24553, displacement=684) at /Users/scott/dev/php5_3/ext/exif/exif.c:2807
#5  0x000871c5 in exif_process_IFD_TAG (ImageInfo=0xbffff344, dir_entry=0x58b416 "|?\a", offset_base=0x58664c "II*", IFDlength=24553, displacement=684, section_index=7, ReadNextIFD=1, tag_table=0x43f440) at /Users/scott/dev/php5_3/ext/exif/exif.c:3078
#6  0x00087480 in exif_process_IFD_in_JPEG (ImageInfo=0xbffff344, dir_start=0x58b36c "\034", offset_base=0x58664c "II*", IFDlength=24553, displacement=684, section_index=7) at /Users/scott/dev/php5_3/ext/exif/exif.c:3152
#7  0x000872f7 in exif_process_IFD_TAG (ImageInfo=0xbffff344, dir_entry=0x58b317 "i?\004", offset_base=0x58664c "II*", IFDlength=24553, displacement=684, section_index=3, ReadNextIFD=1, tag_table=0x43f440) at /Users/scott/dev/php5_3/ext/exif/exif.c:3115
#8  0x00087480 in exif_process_IFD_in_JPEG (ImageInfo=0xbffff344, dir_start=0x58b2b5 "\t", offset_base=0x58664c "II*", IFDlength=24553, displacement=684, section_index=3) at /Users/scott/dev/php5_3/ext/exif/exif.c:3152
#9  0x00087750 in exif_process_TIFF_in_JPEG (ImageInfo=0xbffff344, CharBuf=0x58664c "II*", length=24553, displacement=684) at /Users/scott/dev/php5_3/ext/exif/exif.c:3225
#10 0x0008786a in exif_process_APP1 (ImageInfo=0xbffff344, CharBuf=0x586644 "_?Exif", length=24561, displacement=676) at /Users/scott/dev/php5_3/ext/exif/exif.c:3250
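
The backtrace above ends in php_ifd_get16u reading through a value pointer that, like offset_base, lies outside the image buffer. The following C code is an added example, not PHP's exif.c and not the fix committed for this bug; it shows an overflow-safe check of an IFD entry's format, count and offset before any value is read. The names ifd_value and check_sample and the sample buffer are hypothetical and constructed for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

enum ifd_status { IFD_OK, IFD_BAD_ENTRY, IFD_BAD_FORMAT, IFD_BAD_OFFSET };

/* Bytes per component for TIFF formats 1..12; index 0 is unused. */
static const uint8_t fmt_size[13] = {0, 1, 1, 2, 4, 8, 1, 1, 2, 4, 8, 4, 8};

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | p[1] << 8); }
static uint32_t rd32(const uint8_t *p) { return rd16(p) | (uint32_t)rd16(p + 2) << 16; }
static void wr32(uint8_t *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> (8 * i)); }

/* Locate the value of the 12-byte little-endian IFD entry at entry_off in
 * buf[0..len). Everything is an offset into buf, so no pointer is formed
 * until the whole range [*val_off, *val_off + *val_len) is known to fit. */
enum ifd_status ifd_value(const uint8_t *buf, size_t len, size_t entry_off,
                          size_t *val_off, size_t *val_len)
{
    if (entry_off > len || len - entry_off < 12) return IFD_BAD_ENTRY;
    uint16_t format = rd16(buf + entry_off + 2);
    uint32_t count = rd32(buf + entry_off + 4);
    if (format < 1 || format > 12) return IFD_BAD_FORMAT; /* reject; no fallback to BYTE */
    uint64_t bytes = (uint64_t)count * fmt_size[format];  /* 64-bit product cannot wrap */
    if (bytes <= 4) {                                     /* value stored inline */
        *val_off = entry_off + 8; *val_len = (size_t)bytes; return IFD_OK;
    }
    uint32_t off = rd32(buf + entry_off + 8);
    /* Subtract instead of add: off + bytes could wrap, len - off cannot. */
    if (off > len || bytes > len - off) return IFD_BAD_OFFSET;
    *val_off = off; *val_len = (size_t)bytes;
    return IFD_OK;
}

/* Constructed sample: a zeroed 64-byte block with one entry at offset 8. */
enum ifd_status check_sample(uint16_t format, uint32_t count, uint32_t off)
{
    uint8_t buf[64] = {0};
    size_t vo, vl;
    buf[8] = 0x01;                                        /* tag 0x0001 */
    buf[10] = (uint8_t)format; buf[11] = (uint8_t)(format >> 8);
    wr32(buf + 12, count); wr32(buf + 16, off);
    return ifd_value(buf, sizeof buf, 8, &vo, &vl);
}

int main(void)
{
    printf("%d %d %d\n", check_sample(3, 46, 0x7FFFFFFFu), /* offset far past end */
           check_sample(0x4320, 1, 0), check_sample(3, 2, 0));
    return 0;
}
```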


 [2008-03-12 17:33 UTC] iliaa@php.net
This bug has been fixed in CVS.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.


 