Sec Bug #77831 Heap-buffer-overflow in exif_iif_add_value in EXIF
Submitted: 2019-04-02 06:44 UTC Modified: 2019-04-15 06:53 UTC
From: stas@php.net Assigned: stas (profile)
Status: Closed Package: EXIF related
PHP Version: 7.1.27 OS: *
Private report: No CVE-ID: 2019-11035
 [2019-04-02 06:44 UTC] stas@php.net
Description:
------------
Another OSS-Fuzz bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=13938

Backtrace:

==1==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60400002cb7a at pc 0x00000071d6bb bp 0x7ffdd43127c0 sp 0x7ffdd43127b8
READ of size 8 at 0x60400002cb7a thread T0
SCARINESS: 23 (8-byte-read-heap-buffer-overflow)
    #0 0x71d6ba in exif_iif_add_value php-src/ext/exif/exif.c:2158:23
    #1 0x71144f in exif_iif_add_tag php-src/ext/exif/exif.c:2173:2
    #2 0x718c3f in exif_process_IFD_TAG php-src/ext/exif/exif.c:3530:2
    #3 0x7171e8 in exif_process_IFD_in_JPEG php-src/ext/exif/exif.c:3563:8
    #4 0x716e92 in exif_process_TIFF_in_JPEG php-src/ext/exif/exif.c:3652:2
    #5 0x714b87 in exif_scan_JPEG_header php-src/ext/exif/exif.c:3822:6
    #6 0x714417 in exif_scan_FILE_header php-src/ext/exif/exif.c:4215:8
    #7 0x713df7 in exif_read_from_impl php-src/ext/exif/exif.c:4356:8
    #8 0x710139 in exif_read_from_file php-src/ext/exif/exif.c:4400:8
    #9 0x70e842 in zif_exif_read_data php-src/ext/exif/exif.c:4473:9
    #10 0xcd44c1 in zend_call_function php-src/Zend/zend_execute_API.c:790:4
    #11 0xcd31c9 in _call_user_function_ex php-src/Zend/zend_execute_API.c:627:9
    #12 0xfded5d in fuzzer_call_php_func_zval php-src/sapi/fuzzer/fuzzer-sapi.c:222:11
    #13 0xfdf0fc in fuzzer_call_php_func php-src/sapi/fuzzer/fuzzer-sapi.c:244:2
    #14 0xfde05b in LLVMFuzzerTestOneInput php-src/sapi/fuzzer/fuzzer-exif.c:50:2
    #15 0xfe11aa in ExecuteFilesOnyByOne(int, char**) /src/libfuzzer/afl/afl_driver.cpp:156:5
    #16 0xfe1411 in main /src/libfuzzer/afl/afl_driver.cpp:193:12
    #17 0x7f216285b82f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/libc-start.c:291
    #18 0x4640a8 in _start
0x60400002cb7f is located 0 bytes to the right of 47-byte region [0x60400002cb50,0x60400002cb7f)
allocated by thread T0 here:
    #0 0x4f6f62 in malloc _asan_rtl_
    #1 0xc8518d in __zend_malloc php-src/Zend/zend_alloc.c:2937:14
    #2 0x7168a6 in exif_file_sections_add php-src/ext/exif/exif.c:1988:10
    #3 0x7149f8 in exif_scan_JPEG_header php-src/ext/exif/exif.c:3776:8
    #4 0x714417 in exif_scan_FILE_header php-src/ext/exif/exif.c:4215:8
    #5 0x713df7 in exif_read_from_impl php-src/ext/exif/exif.c:4356:8
    #6 0x710139 in exif_read_from_file php-src/ext/exif/exif.c:4400:8
    #7 0x70e842 in zif_exif_read_data php-src/ext/exif/exif.c:4473:9
    #8 0xcd44c1 in zend_call_function php-src/Zend/zend_execute_API.c:790:4
    #9 0xcd31c9 in _call_user_function_ex php-src/Zend/zend_execute_API.c:627:9
    #10 0xfded5d in fuzzer_call_php_func_zval php-src/sapi/fuzzer/fuzzer-sapi.c:222:11
    #11 0xfdf0fc in fuzzer_call_php_func php-src/sapi/fuzzer/fuzzer-sapi.c:244:2
    #12 0xfde05b in LLVMFuzzerTestOneInput php-src/sapi/fuzzer/fuzzer-exif.c:50:2
    #13 0xfe11aa in ExecuteFilesOnyByOne(int, char**) /src/libfuzzer/afl/afl_driver.cpp:156:5
    #14 0xfe1411 in main /src/libfuzzer/afl/afl_driver.cpp:193:12
    #15 0x7f216285b82f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/libc-start.c:291

History

 [2019-04-02 06:45 UTC] stas@php.net
-Type: Bug +Type: Security -Private report: No +Private report: Yes
 [2019-04-02 06:45 UTC] stas@php.net
-CVE-ID: +CVE-ID: needed
 [2019-04-02 06:46 UTC] stas@php.net
Looks like exif_iif_add_tag and exif_iif_add_value do not check the length of the values that are supplied to them. Probably needs to be fixed.
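The class of check the comment describes, as an added C illustration (this is not the PHP fix or any code from ext/exif): before an IFD entry's value is copied out of a TIFF section, its declared length (format width times component count) must fit both the destination and the bytes remaining in the section. The entry layout, format table and the 16-byte sample section are simplified and constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Byte width of TIFF/EXIF data formats 1..12 (index 0 unused). */
static const size_t tiff_format_size[13] = { 0, 1, 1, 2, 4, 8, 1, 1, 2, 4, 8, 4, 8 };

/* Simplified IFD entry (constructed for this example). */
typedef struct {
    uint16_t tag;
    uint16_t format;
    uint32_t components;
    uint32_t value_offset;   /* offset of the value inside the section */
} ifd_entry_t;

/* Constructed 16-byte section: 8 header bytes, then "Canon\0\0\0" at offset 8. */
static const unsigned char sample_section[16] = {
    'I', 'I', 0x2a, 0x00, 0x08, 0x00, 0x00, 0x00,
    'C', 'a', 'n', 'o', 'n', 0x00, 0x00, 0x00
};

/* Copy an entry's value only if it lies entirely inside the section and fits
 * the output buffer. Returns the value length, or 0 when the entry is rejected. */
size_t exif_copy_value_checked(const ifd_entry_t *e, const unsigned char *section,
                               size_t section_len, unsigned char *out, size_t out_cap)
{
    if (e->format < 1 || e->format > 12) return 0;              /* unknown format */
    size_t unit = tiff_format_size[e->format];
    if (e->components > SIZE_MAX / unit) return 0;              /* count * unit overflow */
    size_t len = (size_t)e->components * unit;
    if (len == 0 || len > out_cap) return 0;
    if (e->value_offset > section_len || len > section_len - e->value_offset) return 0;
    memcpy(out, section + e->value_offset, len);
    return len;
}

/* Entry whose 8 ASCII bytes at offset 8 fit exactly: accepted, returns 8. */
size_t demo_valid_entry(void) {
    ifd_entry_t e = { 0x010f, 2, 8, 8 };
    unsigned char out[64];
    return exif_copy_value_checked(&e, sample_section, sizeof sample_section, out, sizeof out);
}

/* Entry claiming 40 bytes at offset 8 of a 16-byte section: rejected, returns 0. */
size_t demo_overlong_entry(void) {
    ifd_entry_t e = { 0x010f, 2, 40, 8 };
    unsigned char out[64];
    return exif_copy_value_checked(&e, sample_section, sizeof sample_section, out, sizeof out);
}

int main(void) {
    printf("valid entry copied %zu bytes\n", demo_valid_entry());
    printf("overlong entry copied %zu bytes\n", demo_overlong_entry());
    return 0;
}
```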
 [2019-04-02 07:13 UTC] stas@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=887a7b571407f7a49a5e7cf1e612d21ef83fedb4
Log: Fixed bug #77831 - Heap-buffer-overflow in exif_iif_add_value in EXIF
 [2019-04-02 07:13 UTC] stas@php.net
-Status: Open +Status: Closed
 [2019-04-02 15:03 UTC] pollita@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=330f1716df49c0d3474c18b6dcd370a9dcf57422
Log: Fixed bug #77831 - Heap-buffer-overflow in exif_iif_add_value in EXIF
 [2019-04-15 06:53 UTC] stas@php.net
-Assigned To: +Assigned To: stas -CVE-ID: needed +CVE-ID: 2019-11035