[2018-07-02 03:02 UTC] stas@php.net
-PHP Version: 7.2.7
+PHP Version: 5.6.36
-Assigned To:
+Assigned To: kalle
-CVE-ID:
+CVE-ID: needed
[2018-07-02 05:26 UTC] stas@php.net
[2018-07-03 05:46 UTC] stas@php.net
-Status: Assigned
+Status: Duplicate
[2018-07-03 05:46 UTC] stas@php.net
[2018-07-16 23:57 UTC] stas@php.net
-CVE-ID: needed
+CVE-ID: n/a
Last updated: Sat Oct 25 14:00:01 2025 UTC
Description:
------------
USE_ZEND_ALLOC=0 ./php-7.2.7 -r '$exif = exif_read_data("http://dtf.pw/php727/poc/630/test003.jpeg"); var_dump($exif);'

Expected result:
----------------
No crash.

Actual result:
--------------
==4598==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61d0000121b1 at pc 0x000000e04b2e bp 0x7ffc0d69d5d0 sp 0x7ffc0d69d5c8
READ of size 1 at 0x61d0000121b1 thread T0
    #0 0xe04b2d in php_ifd_get32s /root/php-7.2.7/ext/exif/exif.c:1496:12
    #1 0xe04b2d in php_ifd_get32u /root/php-7.2.7/ext/exif/exif.c:1508
    #2 0xe04b2d in exif_iif_add_value /root/php-7.2.7/ext/exif/exif.c:2170
    #3 0xe04b2d in exif_iif_add_tag /root/php-7.2.7/ext/exif/exif.c:2199
    #4 0xe0b818 in exif_process_IFD_TAG /root/php-7.2.7/ext/exif/exif.c:3543:2
    #5 0xe0bccf in exif_process_IFD_in_MAKERNOTE /root/php-7.2.7/ext/exif/exif.c:3213:8
    #6 0xe0bccf in exif_process_IFD_TAG /root/php-7.2.7/ext/exif/exif.c:3494
    #7 0xe08c15 in exif_process_IFD_in_JPEG /root/php-7.2.7/ext/exif/exif.c:3576:8
    #8 0xe0ac0e in exif_process_IFD_TAG /root/php-7.2.7/ext/exif/exif.c:3534:11
    #9 0xe08c15 in exif_process_IFD_in_JPEG /root/php-7.2.7/ext/exif/exif.c:3576:8
    #10 0xe014c0 in exif_process_TIFF_in_JPEG /root/php-7.2.7/ext/exif/exif.c:3665:2
    #11 0xe014c0 in exif_process_APP1 /root/php-7.2.7/ext/exif/exif.c:3690
    #12 0xe014c0 in exif_scan_JPEG_header /root/php-7.2.7/ext/exif/exif.c:3835
    #13 0xe014c0 in exif_scan_FILE_header /root/php-7.2.7/ext/exif/exif.c:4224
    #14 0xe014c0 in exif_read_from_impl /root/php-7.2.7/ext/exif/exif.c:4365
    #15 0xe014c0 in exif_read_from_stream /root/php-7.2.7/ext/exif/exif.c:4382
    #16 0xdf8f18 in exif_read_from_file /root/php-7.2.7/ext/exif/exif.c:4409:8
    #17 0xdf8f18 in zif_exif_read_data /root/php-7.2.7/ext/exif/exif.c:4482
    #18 0x17c5d34 in ZEND_DO_ICALL_SPEC_RETVAL_USED_HANDLER /root/php-7.2.7/Zend/zend_vm_execute.h:617:2
    #19 0x15ed419 in execute_ex /root/php-7.2.7/Zend/zend_vm_execute.h:59723:7
    #20 0x15eda9a in zend_execute /root/php-7.2.7/Zend/zend_vm_execute.h:63760:2
    #21 0x14758eb in zend_eval_stringl /root/php-7.2.7/Zend/zend_execute_API.c:1082:4
    #22 0x1475fb9 in zend_eval_stringl_ex /root/php-7.2.7/Zend/zend_execute_API.c:1123:11
    #23 0x1475fb9 in zend_eval_string_ex /root/php-7.2.7/Zend/zend_execute_API.c:1134
    #24 0x18c4aea in do_cli /root/php-7.2.7/sapi/cli/php_cli.c:1044:8
    #25 0x18c2c03 in main /root/php-7.2.7/sapi/cli/php_cli.c:1405:18
    #26 0x7f41337022e0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202e0)
    #27 0x427479 in _start (/root/php-7.2.7/sapi/cli/php+0x427479)

0x61d0000121b1 is located 0 bytes to the right of 2353-byte region [0x61d000011880,0x61d0000121b1)
allocated by thread T0 here:
    #0 0x4cf373 in __interceptor_malloc /b/build/slave/linux_upload_clang/build/src/third_party/llvm/compiler-rt/lib/asan/asan_malloc_linux.cc:146:3
    #1 0x13f455b in __zend_malloc /root/php-7.2.7/Zend/zend_alloc.c:2829:14
    #2 0xe00a82 in exif_file_sections_add /root/php-7.2.7/ext/exif/exif.c:2014:10
    #3 0xe00a82 in exif_scan_JPEG_header /root/php-7.2.7/ext/exif/exif.c:3789
    #4 0xe00a82 in exif_scan_FILE_header /root/php-7.2.7/ext/exif/exif.c:4224
    #5 0xe00a82 in exif_read_from_impl /root/php-7.2.7/ext/exif/exif.c:4365
    #6 0xe00a82 in exif_read_from_stream /root/php-7.2.7/ext/exif/exif.c:4382
    #7 0xdf8f18 in exif_read_from_file /root/php-7.2.7/ext/exif/exif.c:4409:8
    #8 0xdf8f18 in zif_exif_read_data /root/php-7.2.7/ext/exif/exif.c:4482
    #9 0x17c5d34 in ZEND_DO_ICALL_SPEC_RETVAL_USED_HANDLER /root/php-7.2.7/Zend/zend_vm_execute.h:617:2
    #10 0x15ed419 in execute_ex /root/php-7.2.7/Zend/zend_vm_execute.h:59723:7
    #11 0x15eda9a in zend_execute /root/php-7.2.7/Zend/zend_vm_execute.h:63760:2
    #12 0x14758eb in zend_eval_stringl /root/php-7.2.7/Zend/zend_execute_API.c:1082:4
    #13 0x1475fb9 in zend_eval_stringl_ex /root/php-7.2.7/Zend/zend_execute_API.c:1123:11
    #14 0x1475fb9 in zend_eval_string_ex /root/php-7.2.7/Zend/zend_execute_API.c:1134
    #15 0x18c4aea in do_cli /root/php-7.2.7/sapi/cli/php_cli.c:1044:8
    #16 0x18c2c03 in main /root/php-7.2.7/sapi/cli/php_cli.c:1405:18
    #17 0x7f41337022e0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202e0)

SUMMARY: AddressSanitizer: heap-buffer-overflow /root/php-7.2.7/ext/exif/exif.c:1496:12 in php_ifd_get32s