Bug #68547 PHP 5.6.2 Exif Header component value check error
Submitted: 2014-12-04 23:34 UTC Modified: 2016-08-05 08:03 UTC
From: sjh21a at gmail dot com Assigned: kalle (profile)
Status: Closed Package: EXIF related
PHP Version: 5.6.3 OS: Ubuntu 14.04
Private report: No CVE-ID: None
 [2014-12-04 23:34 UTC] sjh21a at gmail dot com
Description:
------------
PHP 5.6.2 Exif Header component value check error

This bug is in the exif_process_IFD_TAG() function of ext/exif.c.

In the EXIF header, the components value is read as follows:

2818: components = php_ifd_get32u(dir_entry+4, ImageInfo->motorola_intel);

dir_entry+4 comes from the JPG or TIFF file, so an attacker can modify all of it.

Look at the code below: the check of the components value is wrong.

2827: if (components < 0) {
2828:	exif_error_docref("exif_read_data#error_ifd" EXIFERR_CC, ImageInfo, E_WARNING, "Process tag(x%04X=%s): Illegal components(%ld)", tag, exif_get_tagname(tag, tagname, -12, tag_table TSRMLS_CC), components);
2829:	return FALSE;
2830: }

It only checks whether the components value is negative; it doesn't check for the value 0.

If the components value is 0, a problem occurs in the code below.

2832: byte_count_signed = (int64_t)components * php_tiff_bytes_per_format[format];

The result of the above calculation is 0, which bypasses the check below.

2833: if (byte_count_signed < 0 || (byte_count_signed > INT32_MAX)) {
2834: 	exif_error_docref("exif_read_data#error_ifd" EXIFERR_CC, ImageInfo, E_WARNING, "Process tag(x%04X=%s): Illegal byte_count", tag, exif_get_tagname(tag, tagname, -12, tag_table TSRMLS_CC));
2835:	return FALSE;
2836: }

Effect: an attacker may be able to free any memory area; if zend_mm is not used, a use-after-free occurs.

The memory to be freed is set from the JPG file.

With zend_mm enabled:
	root@ubuntu:~/x# php x.php crash.jpg ; gdb -q php core
	Segmentation fault (core dumped)
	Reading symbols from php...done.
	[New LWP 9998]
	[Thread debugging using libthread_db enabled]
	Using host libthread_db library "/lib/i386-linux-gnu/libthread_db.so.1".
	Core was generated by `php x.php crash.jpg'.
	Program terminated with signal SIGSEGV, Segmentation fault.
	#0  _zend_mm_free_int (heap=0x887ea38, p=0x41414141) at /root/php-5.6.2/Zend/zend_alloc.c:2076
	                                       ^^^^^^^^^^^^^
	2076		size = ZEND_MM_BLOCK_SIZE(mm_block);
	(gdb) 

With zend_mm disabled (# export USE_ZEND_ALLOC=0):
	root@ubuntu:~/x# php x.php crash.jpg ; gdb -q php core
	Segmentation fault (core dumped)
	Reading symbols from php...done.
	[New LWP 10016]
	[Thread debugging using libthread_db enabled]
	Using host libthread_db library "/lib/i386-linux-gnu/libthread_db.so.1".
	Core was generated by `php x.php crash.jpg'.
	Program terminated with signal SIGSEGV, Segmentation fault.
	#0  __GI___libc_free (mem=0x41414141) at malloc.c:2929
						  ^^^^^^^^^^^^^^
	2929	malloc.c: No such file or directory.
	(gdb) 

Test script:
---------------
root@ubuntu:~/x# cat x.php
<?php
	// Suppress warnings so only the crash itself is visible
	error_reporting(0);

	// Parse the EXIF data and the thumbnail of the file given on the command line
	exif_read_data($argv[1]);
	exif_thumbnail($argv[1]);
?>

The link below is the crash image file:

https://www.dropbox.com/s/hius8be0r9h8hk0/trig.jpg?dl=0
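
To make the check described above concrete, here is an added example in C; it is not code from php-src and not the reporter's patch. It decodes a 12-byte IFD entry in both TIFF byte orders, derives the byte count the way the quoted lines do, and places the quoted check beside a hardened version that also rejects a zero component count. The table bytes_per_format, the readers get16u/get32u, the ifd_entry type and all sample entries are constructed for this example; the exact form of the committed fix is not taken from this page.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Bytes per TIFF data format, indexed by format code 1..12 (BYTE, ASCII,
   SHORT, LONG, RATIONAL, SBYTE, UNDEFINED, SSHORT, SLONG, SRATIONAL, FLOAT,
   DOUBLE). Index 0 is unused. Constructed here as a stand-in for the
   php_tiff_bytes_per_format table named in the report. */
#define NUM_FORMATS 12
static const int bytes_per_format[NUM_FORMATS + 1] = {0, 1, 1, 2, 4, 8, 1, 1, 2, 4, 8, 4, 8};

/* A decoded 12-byte IFD directory entry. */
typedef struct {
    uint16_t tag;
    uint16_t format;
    uint32_t components;       /* read from dir_entry+4, fully file-controlled */
    uint32_t value_or_offset;  /* inline value if byte_count <= 4, else a file offset */
} ifd_entry;

/* Byte-order aware readers: motorola == true means an "MM" (big-endian) header. */
static uint16_t get16u(const uint8_t *p, bool motorola) {
    return motorola ? (uint16_t)((p[0] << 8) | p[1]) : (uint16_t)((p[1] << 8) | p[0]);
}

static uint32_t get32u(const uint8_t *p, bool motorola) {
    return motorola
        ? ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3]
        : ((uint32_t)p[3] << 24) | ((uint32_t)p[2] << 16) | ((uint32_t)p[1] << 8) | p[0];
}

/* Decode one entry laid out as tag(2) format(2) components(4) value/offset(4). */
static ifd_entry parse_entry(const uint8_t e[12], bool motorola) {
    ifd_entry d;
    d.tag = get16u(e, motorola);
    d.format = get16u(e + 2, motorola);
    d.components = get32u(e + 4, motorola);
    d.value_or_offset = get32u(e + 8, motorola);
    return d;
}

/* The check as quoted in the report: only a negative count is rejected, so a
   zero count passes, byte_count computes to 0, and the range check passes too.
   The format guard is assumed to exist earlier in the real parser; it is here
   only to keep the table index valid. Returns false when the entry is rejected. */
static bool check_original(const ifd_entry *e, int64_t *byte_count) {
    if (e->format < 1 || e->format > NUM_FORMATS) return false;
    int64_t components = (int64_t)e->components;
    if (components < 0) return false;
    int64_t bc = components * bytes_per_format[e->format];
    if (bc < 0 || bc > INT32_MAX) return false;
    *byte_count = bc;
    return true;
}

/* Hardened check: an entry that claims zero components carries no data, so it
   is rejected before any byte count is derived from it. */
static bool check_fixed(const ifd_entry *e, int64_t *byte_count) {
    if (e->format < 1 || e->format > NUM_FORMATS) return false;
    if (e->components == 0) return false;
    int64_t bc = (int64_t)e->components * bytes_per_format[e->format];
    if (bc > INT32_MAX) return false;
    *byte_count = bc;
    return true;
}

/* Wrappers over a raw entry: the byte count each check derives, or -1 on reject. */
static int64_t byte_count_original(const uint8_t e[12], bool motorola) {
    ifd_entry d = parse_entry(e, motorola);
    int64_t bc = 0;
    return check_original(&d, &bc) ? bc : -1;
}

static int64_t byte_count_fixed(const uint8_t e[12], bool motorola) {
    ifd_entry d = parse_entry(e, motorola);
    int64_t bc = 0;
    return check_fixed(&d, &bc) ? bc : -1;
}

/* Constructed sample entries (not taken from the crash file linked on this page). */
static const uint8_t sample_ok_mm[12]   = {0x01,0x00, 0x00,0x04, 0x00,0x00,0x00,0x01, 0x00,0x00,0x04,0x00}; /* MM: ImageWidth, LONG, 1 component */
static const uint8_t sample_zero_mm[12] = {0x01,0x00, 0x00,0x04, 0x00,0x00,0x00,0x00, 0x00,0x00,0x04,0x00}; /* MM: same tag, 0 components        */
static const uint8_t sample_ok_ii[12]   = {0x1a,0x01, 0x05,0x00, 0x01,0x00,0x00,0x00, 0x00,0x01,0x00,0x00}; /* II: XResolution, RATIONAL, 1 comp. */
static const uint8_t sample_huge_mm[12] = {0x01,0x1a, 0x00,0x05, 0x40,0x00,0x00,0x00, 0x00,0x00,0x01,0x00}; /* MM: RATIONAL, 2^30 components     */

int main(void) {
    const struct { const char *name; const uint8_t *e; bool mm; } cases[] = {
        {"ok (MM)", sample_ok_mm, true}, {"zero components (MM)", sample_zero_mm, true},
        {"ok (II)", sample_ok_ii, false}, {"oversized (MM)", sample_huge_mm, true},
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++)
        printf("%-22s original=%lld  fixed=%lld\n", cases[i].name,
               (long long)byte_count_original(cases[i].e, cases[i].mm),
               (long long)byte_count_fixed(cases[i].e, cases[i].mm));
    return 0;
}
```

Running it shows the zero-component entry passing the quoted check with a byte count of 0 while the hardened check rejects it; the oversized entry is rejected by both because its byte count exceeds INT32_MAX, which is the only case the original range check was catching.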




Patches

exif.c_line_2827 (last revision 2014-12-05 08:37 UTC by sjh21a at gmail dot com)

History

 [2014-12-04 23:36 UTC] sjh21a at gmail dot com
I found this bug on php-5.6.2, but it still works on 5.6.3.
 [2016-08-05 08:03 UTC] kalle@php.net
Automatic comment on behalf of kalle
Revision: http://git.php.net/?p=php-src.git;a=commit;h=1740823864fe22f469642c68c5bf389d1a30f43c
Log: Fixed bug #68547 (Exif Header component value check error) (Patch by sjh21a at gmail dot com)
 [2016-08-05 08:03 UTC] kalle@php.net
-Status: Open +Status: Closed
 [2016-08-05 08:03 UTC] kalle@php.net
-Assigned To: +Assigned To: kalle
 [2016-08-05 08:03 UTC] kalle@php.net
Fixed for PHP 7.2
 [2016-10-10 11:17 UTC] krakjoe@php.net
Automatic comment on behalf of kalle
Revision: http://git.php.net/?p=php-src.git;a=commit;h=1740823864fe22f469642c68c5bf389d1a30f43c
Log: Fixed bug #68547 (Exif Header component value check error) (Patch by sjh21a at gmail dot com)
 [2017-01-12 09:12 UTC] krakjoe@php.net
Automatic comment on behalf of kalle
Revision: http://git.php.net/?p=php-src.git;a=commit;h=1740823864fe22f469642c68c5bf389d1a30f43c
Log: Fixed bug #68547 (Exif Header component value check error) (Patch by sjh21a at gmail dot com)