Sec Bug #78256 heap-buffer-overflow on exif_process_user_comment
Submitted: 2019-07-05 21:22 UTC Modified: 2019-07-29 20:21 UTC
From: orestiskourides at gmail dot com Assigned: stas (profile)
Status: Closed Package: EXIF related
PHP Version: 7.1.30 OS: Linux
Private report: No CVE-ID: 2019-11042
 [2019-07-05 21:22 UTC] orestiskourides at gmail dot com
Description:
------------
==20571==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x607000003da3 at pc 0x00000044fb59 bp 0x7ffce7700b90 sp 0x7ffce7700318
READ of size 2 at 0x607000003da3 thread T0
SCARINESS: 14 (2-byte-read-heap-buffer-overflow)
    #0 0x44fb58 in __interceptor_memcmp /tmp/tmp.XYTE7P6bCb/final/llvm.src/projects/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:837:7
    #1 0x840427 in exif_process_user_comment /home/ninja/php/php-7.3.7_asan/ext/exif/exif.c:3018:9
    #2 0x83e539 in exif_process_IFD_TAG /home/ninja/php/php-7.3.7_asan/ext/exif/exif.c:3403:36
    #3 0x83c276 in exif_process_IFD_in_JPEG /home/ninja/php/php-7.3.7_asan/ext/exif/exif.c:3577:8
    #4 0x83bc96 in exif_process_TIFF_in_JPEG /home/ninja/php/php-7.3.7_asan/ext/exif/exif.c:3666:2
    #5 0x83b617 in exif_process_APP1 /home/ninja/php/php-7.3.7_asan/ext/exif/exif.c:3691:2
    #6 0x8381fa in exif_scan_JPEG_header /home/ninja/php/php-7.3.7_asan/ext/exif/exif.c:3836:6
    #7 0x837033 in exif_scan_FILE_header /home/ninja/php/php-7.3.7_asan/ext/exif/exif.c:4231:8
    #8 0x836bba in exif_read_from_impl /home/ninja/php/php-7.3.7_asan/ext/exif/exif.c:4372:8
    #9 0x82ed22 in exif_read_from_stream /home/ninja/php/php-7.3.7_asan/ext/exif/exif.c:4389:8
    #10 0x82c4cf in zif_exif_read_data /home/ninja/php/php-7.3.7_asan/ext/exif/exif.c:4479:9
    #11 0x15177ff in ZEND_DO_ICALL_SPEC_RETVAL_USED_HANDLER /home/ninja/php/php-7.3.7_asan/Zend/zend_vm_execute.h:690:2
    #12 0x12f2c6d in execute_ex /home/ninja/php/php-7.3.7_asan/Zend/zend_vm_execute.h:55334:7
    #13 0x12f3fda in zend_execute /home/ninja/php/php-7.3.7_asan/Zend/zend_vm_execute.h:60881:2
    #14 0x10b4654 in zend_execute_scripts /home/ninja/php/php-7.3.7_asan/Zend/zend.c:1568:4
    #15 0xe07a9f in php_execute_script /home/ninja/php/php-7.3.7_asan/main/main.c:2630:14
    #16 0x1743ad7 in do_cli /home/ninja/php/php-7.3.7_asan/sapi/cli/php_cli.c:997:5
    #17 0x1740b1b in main /home/ninja/php/php-7.3.7_asan/sapi/cli/php_cli.c:1389:18
    #18 0x7f372806cb96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
    #19 0x434da9 in _start (/home/ninja/php/php-7.3.7_asan/sapi/cli/php+0x434da9)

0x607000003da3 is located 0 bytes to the right of 67-byte region [0x607000003d60,0x607000003da3)
allocated by thread T0 here:
    #0 0x4e0753 in malloc /tmp/tmp.XYTE7P6bCb/final/llvm.src/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:146:3
    #1 0xf96b94 in __zend_malloc /home/ninja/php/php-7.3.7_asan/Zend/zend_alloc.c:2903:14
    #2 0xf90e35 in _emalloc /home/ninja/php/php-7.3.7_asan/Zend/zend_alloc.c:2496:11
    #3 0xf96809 in _safe_emalloc /home/ninja/php/php-7.3.7_asan/Zend/zend_alloc.c:2558:9
    #4 0x83b304 in exif_file_sections_add /home/ninja/php/php-7.3.7_asan/ext/exif/exif.c:1989:10
    #5 0x837b8b in exif_scan_JPEG_header /home/ninja/php/php-7.3.7_asan/ext/exif/exif.c:3790:8
    #6 0x837033 in exif_scan_FILE_header /home/ninja/php/php-7.3.7_asan/ext/exif/exif.c:4231:8
    #7 0x836bba in exif_read_from_impl /home/ninja/php/php-7.3.7_asan/ext/exif/exif.c:4372:8
    #8 0x82ed22 in exif_read_from_stream /home/ninja/php/php-7.3.7_asan/ext/exif/exif.c:4389:8
    #9 0x82c4cf in zif_exif_read_data /home/ninja/php/php-7.3.7_asan/ext/exif/exif.c:4479:9
    #10 0x15177ff in ZEND_DO_ICALL_SPEC_RETVAL_USED_HANDLER /home/ninja/php/php-7.3.7_asan/Zend/zend_vm_execute.h:690:2
    #11 0x12f2c6d in execute_ex /home/ninja/php/php-7.3.7_asan/Zend/zend_vm_execute.h:55334:7
    #12 0x12f3fda in zend_execute /home/ninja/php/php-7.3.7_asan/Zend/zend_vm_execute.h:60881:2
    #13 0x10b4654 in zend_execute_scripts /home/ninja/php/php-7.3.7_asan/Zend/zend.c:1568:4
    #14 0xe07a9f in php_execute_script /home/ninja/php/php-7.3.7_asan/main/main.c:2630:14
    #15 0x1743ad7 in do_cli /home/ninja/php/php-7.3.7_asan/sapi/cli/php_cli.c:997:5
    #16 0x1740b1b in main /home/ninja/php/php-7.3.7_asan/sapi/cli/php_cli.c:1389:18
    #17 0x7f372806cb96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310

SUMMARY: AddressSanitizer: heap-buffer-overflow /tmp/tmp.XYTE7P6bCb/final/llvm.src/projects/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:837:7 in __interceptor_memcmp


Test script:
---------------
<?php
// Reproducer from the report: a minimal JPEG (SOI, APP1 marker byte, segment length 0x0042,
// "Exif\0\0", big-endian "MM" TIFF header with IFD0 at offset 0x0c). IFD0 holds two entries,
// both with the illegal format code 0x3030 (hence the warnings in the output); the second is
// UserComment (0x9286) with count 8 whose value, "UNICODE\0", is the last 8 bytes of the segment.
$img = fopen("php://memory", "r+");
fwrite($img, hex2bin("ffd8e100424578696600004d4d002a0000000c303030300002303030300000000800000030928630300000000800000032303030303030303030303030554e49434f444500"));
// Request only the COMMENT section; no arrays, no thumbnail.
$test = exif_read_data($img, 'COMMENT', FALSE, FALSE);
?>


Expected result:
----------------
No crash

Actual result:
--------------
==20618== Memcheck, a memory error detector
==20618== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
==20618== Using Valgrind-3.13.0 and LibVEX; rerun with -h for copyright info
==20618== Command: /home/ninja/php/php-7.3.7/sapi/cli/php test.php
==20618== 
==20618== Conditional jump or move depends on uninitialised value(s)
==20618==    at 0x601CBA: zend_string_equal_val (zend_string.c:417)
==20618==    by 0x601CBA: zend_string_equal_content (zend_string.h:310)
==20618==    by 0x601CBA: zend_interned_string_ht_lookup (zend_string.c:156)
==20618==    by 0x601CBA: zend_new_interned_string_permanent (zend_string.c:196)
==20618==    by 0x5F0E19: zend_register_ini_entries (zend_ini.c:261)
==20618==    by 0x57945D: php_module_startup (main.c:2275)
==20618==    by 0x68BB49: php_cli_startup (php_cli.c:420)
==20618==    by 0x68AB30: main (php_cli.c:1356)
==20618== 
==20618== Conditional jump or move depends on uninitialised value(s)
==20618==    at 0x601CBA: zend_string_equal_val (zend_string.c:417)
==20618==    by 0x601CBA: zend_string_equal_content (zend_string.h:310)
==20618==    by 0x601CBA: zend_interned_string_ht_lookup (zend_string.c:156)
==20618==    by 0x601CBA: zend_new_interned_string_permanent (zend_string.c:196)
==20618==    by 0x5DDEAC: zend_register_functions (zend_API.c:2283)
==20618==    by 0x5DF41F: do_register_internal_class (zend_API.c:2727)
==20618==    by 0x5DF29D: zend_register_internal_class (zend_API.c:2775)
==20618==    by 0x5DF29D: zend_register_internal_class_ex (zend_API.c:2747)
==20618==    by 0x5F74FA: zend_register_default_exception (zend_exceptions.c:827)
==20618==    by 0x61339A: zend_register_default_classes (zend_default_classes.c:32)
==20618==    by 0x5EC073: zm_startup_core (zend_builtin_functions.c:307)
==20618==    by 0x5DD38A: zend_startup_module_ex (zend_API.c:1878)
==20618==    by 0x5DD7A8: zend_startup_module_zval (zend_API.c:1893)
==20618==    by 0x5E8E13: zend_hash_apply (zend_hash.c:1689)
==20618==    by 0x5DD692: zend_startup_modules (zend_API.c:2004)
==20618==    by 0x579502: php_module_startup (main.c:2333)
==20618==    by 0x68BB49: php_cli_startup (php_cli.c:420)
==20618==    by 0x68AB30: main (php_cli.c:1356)
==20618== 
==20618== Conditional jump or move depends on uninitialised value(s)
==20618==    at 0x601CBA: zend_string_equal_val (zend_string.c:417)
==20618==    by 0x601CBA: zend_string_equal_content (zend_string.h:310)
==20618==    by 0x601CBA: zend_interned_string_ht_lookup (zend_string.c:156)
==20618==    by 0x601CBA: zend_new_interned_string_permanent (zend_string.c:196)
==20618==    by 0x5E151A: zval_make_interned_string (zend_API.c:3697)
==20618==    by 0x5E151A: zend_declare_property_ex (zend_API.c:3723)
==20618==    by 0x5E188B: zend_declare_property (zend_API.c:3793)
==20618==    by 0x5E1A1F: zend_declare_property_string (zend_API.c:3840)
==20618==    by 0x5F7543: zend_register_default_exception (zend_exceptions.c:831)
==20618==    by 0x61339A: zend_register_default_classes (zend_default_classes.c:32)
==20618==    by 0x5EC073: zm_startup_core (zend_builtin_functions.c:307)
==20618==    by 0x5DD38A: zend_startup_module_ex (zend_API.c:1878)
==20618==    by 0x5DD7A8: zend_startup_module_zval (zend_API.c:1893)
==20618==    by 0x5E8E13: zend_hash_apply (zend_hash.c:1689)
==20618==    by 0x5DD692: zend_startup_modules (zend_API.c:2004)
==20618==    by 0x579502: php_module_startup (main.c:2333)
==20618==    by 0x68BB49: php_cli_startup (php_cli.c:420)
==20618==    by 0x68AB30: main (php_cli.c:1356)
==20618== 
==20618== Conditional jump or move depends on uninitialised value(s)
==20618==    at 0x601CBA: zend_string_equal_val (zend_string.c:417)
==20618==    by 0x601CBA: zend_string_equal_content (zend_string.h:310)
==20618==    by 0x601CBA: zend_interned_string_ht_lookup (zend_string.c:156)
==20618==    by 0x601CBA: zend_new_interned_string_permanent (zend_string.c:196)
==20618==    by 0x5E16FD: zend_declare_property_ex (zend_API.c:3768)
==20618==    by 0x5E188B: zend_declare_property (zend_API.c:3793)
==20618==    by 0x5E1A1F: zend_declare_property_string (zend_API.c:3840)
==20618==    by 0x5F7564: zend_register_default_exception (zend_exceptions.c:832)
==20618==    by 0x61339A: zend_register_default_classes (zend_default_classes.c:32)
==20618==    by 0x5EC073: zm_startup_core (zend_builtin_functions.c:307)
==20618==    by 0x5DD38A: zend_startup_module_ex (zend_API.c:1878)
==20618==    by 0x5DD7A8: zend_startup_module_zval (zend_API.c:1893)
==20618==    by 0x5E8E13: zend_hash_apply (zend_hash.c:1689)
==20618==    by 0x5DD692: zend_startup_modules (zend_API.c:2004)
==20618==    by 0x579502: php_module_startup (main.c:2333)
==20618==    by 0x68BB49: php_cli_startup (php_cli.c:420)
==20618==    by 0x68AB30: main (php_cli.c:1356)
==20618== 
==20618== Conditional jump or move depends on uninitialised value(s)
==20618==    at 0x601CBA: zend_string_equal_val (zend_string.c:417)
==20618==    by 0x601CBA: zend_string_equal_content (zend_string.h:310)
==20618==    by 0x601CBA: zend_interned_string_ht_lookup (zend_string.c:156)
==20618==    by 0x601CBA: zend_new_interned_string_permanent (zend_string.c:196)
==20618==    by 0x5E16FD: zend_declare_property_ex (zend_API.c:3768)
==20618==    by 0x5E188B: zend_declare_property (zend_API.c:3793)
==20618==    by 0x5E192A: zend_declare_property_long (zend_API.c:3822)
==20618==    by 0x5F7582: zend_register_default_exception (zend_exceptions.c:833)
==20618==    by 0x61339A: zend_register_default_classes (zend_default_classes.c:32)
==20618==    by 0x5EC073: zm_startup_core (zend_builtin_functions.c:307)
==20618==    by 0x5DD38A: zend_startup_module_ex (zend_API.c:1878)
==20618==    by 0x5DD7A8: zend_startup_module_zval (zend_API.c:1893)
==20618==    by 0x5E8E13: zend_hash_apply (zend_hash.c:1689)
==20618==    by 0x5DD692: zend_startup_modules (zend_API.c:2004)
==20618==    by 0x579502: php_module_startup (main.c:2333)
==20618==    by 0x68BB49: php_cli_startup (php_cli.c:420)
==20618==    by 0x68AB30: main (php_cli.c:1356)
==20618== 
==20618== Conditional jump or move depends on uninitialised value(s)
==20618==    at 0x601CBA: zend_string_equal_val (zend_string.c:417)
==20618==    by 0x601CBA: zend_string_equal_content (zend_string.h:310)
==20618==    by 0x601CBA: zend_interned_string_ht_lookup (zend_string.c:156)
==20618==    by 0x601CBA: zend_new_interned_string_permanent (zend_string.c:196)
==20618==    by 0x5E16FD: zend_declare_property_ex (zend_API.c:3768)
==20618==    by 0x5E188B: zend_declare_property (zend_API.c:3793)
==20618==    by 0x5E18D8: zend_declare_property_null (zend_API.c:3804)
==20618==    by 0x5F759D: zend_register_default_exception (zend_exceptions.c:834)
==20618==    by 0x61339A: zend_register_default_classes (zend_default_classes.c:32)
==20618==    by 0x5EC073: zm_startup_core (zend_builtin_functions.c:307)
==20618==    by 0x5DD38A: zend_startup_module_ex (zend_API.c:1878)
==20618==    by 0x5DD7A8: zend_startup_module_zval (zend_API.c:1893)
==20618==    by 0x5E8E13: zend_hash_apply (zend_hash.c:1689)
==20618==    by 0x5DD692: zend_startup_modules (zend_API.c:2004)
==20618==    by 0x579502: php_module_startup (main.c:2333)
==20618==    by 0x68BB49: php_cli_startup (php_cli.c:420)
==20618==    by 0x68AB30: main (php_cli.c:1356)
==20618== 
==20618== Conditional jump or move depends on uninitialised value(s)
==20618==    at 0x601CBA: zend_string_equal_val (zend_string.c:417)
==20618==    by 0x601CBA: zend_string_equal_content (zend_string.h:310)
==20618==    by 0x601CBA: zend_interned_string_ht_lookup (zend_string.c:156)
==20618==    by 0x601CBA: zend_new_interned_string_permanent (zend_string.c:196)
==20618==    by 0x5E1763: zend_declare_property_ex (zend_API.c:3780)
==20618==    by 0x5E188B: zend_declare_property (zend_API.c:3793)
==20618==    by 0x5E1A1F: zend_declare_property_string (zend_API.c:3840)
==20618==    by 0x5F76E9: zend_register_default_exception (zend_exceptions.c:849)
==20618==    by 0x61339A: zend_register_default_classes (zend_default_classes.c:32)
==20618==    by 0x5EC073: zm_startup_core (zend_builtin_functions.c:307)
==20618==    by 0x5DD38A: zend_startup_module_ex (zend_API.c:1878)
==20618==    by 0x5DD7A8: zend_startup_module_zval (zend_API.c:1893)
==20618==    by 0x5E8E13: zend_hash_apply (zend_hash.c:1689)
==20618==    by 0x5DD692: zend_startup_modules (zend_API.c:2004)
==20618==    by 0x579502: php_module_startup (main.c:2333)
==20618==    by 0x68BB49: php_cli_startup (php_cli.c:420)
==20618==    by 0x68AB30: main (php_cli.c:1356)
==20618== 
==20618== Conditional jump or move depends on uninitialised value(s)
==20618==    at 0x601CBA: zend_string_equal_val (zend_string.c:417)
==20618==    by 0x601CBA: zend_string_equal_content (zend_string.h:310)
==20618==    by 0x601CBA: zend_interned_string_ht_lookup (zend_string.c:156)
==20618==    by 0x601CBA: zend_new_interned_string_permanent (zend_string.c:196)
==20618==    by 0x5E1B6F: zval_make_interned_string (zend_API.c:3697)
==20618==    by 0x5E1B6F: zend_declare_class_constant_ex (zend_API.c:3869)
==20618==    by 0x5E1D44: zend_declare_class_constant (zend_API.c:3905)
==20618==    by 0x5E1EB5: zend_declare_class_constant_stringl (zend_API.c:3952)
==20618==    by 0x41CAA4: date_register_classes (php_date.c:2114)
==20618==    by 0x41CAA4: zm_startup_date (php_date.c:877)
==20618==    by 0x5DD38A: zend_startup_module_ex (zend_API.c:1878)
==20618==    by 0x5DD7A8: zend_startup_module_zval (zend_API.c:1893)
==20618==    by 0x5E8E13: zend_hash_apply (zend_hash.c:1689)
==20618==    by 0x5DD692: zend_startup_modules (zend_API.c:2004)
==20618==    by 0x579502: php_module_startup (main.c:2333)
==20618==    by 0x68BB49: php_cli_startup (php_cli.c:420)
==20618==    by 0x68AB30: main (php_cli.c:1356)
==20618== 
==20618== Conditional jump or move depends on uninitialised value(s)
==20618==    at 0x601CBA: zend_string_equal_val (zend_string.c:417)
==20618==    by 0x601CBA: zend_string_equal_content (zend_string.h:310)
==20618==    by 0x601CBA: zend_interned_string_ht_lookup (zend_string.c:156)
==20618==    by 0x601CBA: zend_new_interned_string_permanent (zend_string.c:196)
==20618==    by 0x5DF445: do_register_internal_class (zend_API.c:2731)
==20618==    by 0x4E0FEC: zm_startup_reflection (php_reflection.c:6636)
==20618==    by 0x5DD38A: zend_startup_module_ex (zend_API.c:1878)
==20618==    by 0x5DD7A8: zend_startup_module_zval (zend_API.c:1893)
==20618==    by 0x5E8E13: zend_hash_apply (zend_hash.c:1689)
==20618==    by 0x5DD692: zend_startup_modules (zend_API.c:2004)
==20618==    by 0x579502: php_module_startup (main.c:2333)
==20618==    by 0x68BB49: php_cli_startup (php_cli.c:420)
==20618==    by 0x68AB30: main (php_cli.c:1356)
==20618== 
==20618== Conditional jump or move depends on uninitialised value(s)
==20618==    at 0x601CBA: zend_string_equal_val (zend_string.c:417)
==20618==    by 0x601CBA: zend_string_equal_content (zend_string.h:310)
==20618==    by 0x601CBA: zend_interned_string_ht_lookup (zend_string.c:156)
==20618==    by 0x601CBA: zend_new_interned_string_permanent (zend_string.c:196)
==20618==    by 0x5DDEAC: zend_register_functions (zend_API.c:2283)
==20618==    by 0x5DF41F: do_register_internal_class (zend_API.c:2727)
==20618==    by 0x4E1030: zm_startup_reflection (php_reflection.c:6639)
==20618==    by 0x5DD38A: zend_startup_module_ex (zend_API.c:1878)
==20618==    by 0x5DD7A8: zend_startup_module_zval (zend_API.c:1893)
==20618==    by 0x5E8E13: zend_hash_apply (zend_hash.c:1689)
==20618==    by 0x5DD692: zend_startup_modules (zend_API.c:2004)
==20618==    by 0x579502: php_module_startup (main.c:2333)
==20618==    by 0x68BB49: php_cli_startup (php_cli.c:420)
==20618==    by 0x68AB30: main (php_cli.c:1356)
==20618== 
==20618== Conditional jump or move depends on uninitialised value(s)
==20618==    at 0x601CBA: zend_string_equal_val (zend_string.c:417)
==20618==    by 0x601CBA: zend_string_equal_content (zend_string.h:310)
==20618==    by 0x601CBA: zend_interned_string_ht_lookup (zend_string.c:156)
==20618==    by 0x601CBA: zend_new_interned_string_permanent (zend_string.c:196)
==20618==    by 0x5DDEAC: zend_register_functions (zend_API.c:2283)
==20618==    by 0x5DF41F: do_register_internal_class (zend_API.c:2727)
==20618==    by 0x4E11E6: zm_startup_reflection (php_reflection.c:6660)
==20618==    by 0x5DD38A: zend_startup_module_ex (zend_API.c:1878)
==20618==    by 0x5DD7A8: zend_startup_module_zval (zend_API.c:1893)
==20618==    by 0x5E8E13: zend_hash_apply (zend_hash.c:1689)
==20618==    by 0x5DD692: zend_startup_modules (zend_API.c:2004)
==20618==    by 0x579502: php_module_startup (main.c:2333)
==20618==    by 0x68BB49: php_cli_startup (php_cli.c:420)
==20618==    by 0x68AB30: main (php_cli.c:1356)
==20618== 
==20618== Conditional jump or move depends on uninitialised value(s)
==20618==    at 0x601CBA: zend_string_equal_val (zend_string.c:417)
==20618==    by 0x601CBA: zend_string_equal_content (zend_string.h:310)
==20618==    by 0x601CBA: zend_interned_string_ht_lookup (zend_string.c:156)
==20618==    by 0x601CBA: zend_new_interned_string_permanent (zend_string.c:196)
==20618==    by 0x5DDEAC: zend_register_functions (zend_API.c:2283)
==20618==    by 0x5DF41F: do_register_internal_class (zend_API.c:2727)
==20618==    by 0x4E126D: zm_startup_reflection (php_reflection.c:6666)
==20618==    by 0x5DD38A: zend_startup_module_ex (zend_API.c:1878)
==20618==    by 0x5DD7A8: zend_startup_module_zval (zend_API.c:1893)
==20618==    by 0x5E8E13: zend_hash_apply (zend_hash.c:1689)
==20618==    by 0x5DD692: zend_startup_modules (zend_API.c:2004)
==20618==    by 0x579502: php_module_startup (main.c:2333)
==20618==    by 0x68BB49: php_cli_startup (php_cli.c:420)
==20618==    by 0x68AB30: main (php_cli.c:1356)
==20618== 
==20618== Conditional jump or move depends on uninitialised value(s)
==20618==    at 0x601CBA: zend_string_equal_val (zend_string.c:417)
==20618==    by 0x601CBA: zend_string_equal_content (zend_string.h:310)
==20618==    by 0x601CBA: zend_interned_string_ht_lookup (zend_string.c:156)
==20618==    by 0x601CBA: zend_new_interned_string_permanent (zend_string.c:196)
==20618==    by 0x5DDEAC: zend_register_functions (zend_API.c:2283)
==20618==    by 0x5DF41F: do_register_internal_class (zend_API.c:2727)
==20618==    by 0x4E144B: zm_startup_reflection (php_reflection.c:6687)
==20618==    by 0x5DD38A: zend_startup_module_ex (zend_API.c:1878)
==20618==    by 0x5DD7A8: zend_startup_module_zval (zend_API.c:1893)
==20618==    by 0x5E8E13: zend_hash_apply (zend_hash.c:1689)
==20618==    by 0x5DD692: zend_startup_modules (zend_API.c:2004)
==20618==    by 0x579502: php_module_startup (main.c:2333)
==20618==    by 0x68BB49: php_cli_startup (php_cli.c:420)
==20618==    by 0x68AB30: main (php_cli.c:1356)
==20618== 
==20618== Conditional jump or move depends on uninitialised value(s)
==20618==    at 0x601CBA: zend_string_equal_val (zend_string.c:417)
==20618==    by 0x601CBA: zend_string_equal_content (zend_string.h:310)
==20618==    by 0x601CBA: zend_interned_string_ht_lookup (zend_string.c:156)
==20618==    by 0x601CBA: zend_new_interned_string_permanent (zend_string.c:196)
==20618==    by 0x5DDEAC: zend_register_functions (zend_API.c:2283)
==20618==    by 0x5DF41F: do_register_internal_class (zend_API.c:2727)
==20618==    by 0x4E157A: zm_startup_reflection (php_reflection.c:6701)
==20618==    by 0x5DD38A: zend_startup_module_ex (zend_API.c:1878)
==20618==    by 0x5DD7A8: zend_startup_module_zval (zend_API.c:1893)
==20618==    by 0x5E8E13: zend_hash_apply (zend_hash.c:1689)
==20618==    by 0x5DD692: zend_startup_modules (zend_API.c:2004)
==20618==    by 0x579502: php_module_startup (main.c:2333)
==20618==    by 0x68BB49: php_cli_startup (php_cli.c:420)
==20618==    by 0x68AB30: main (php_cli.c:1356)
==20618== 
==20618== Conditional jump or move depends on uninitialised value(s)
==20618==    at 0x601CBA: zend_string_equal_val (zend_string.c:417)
==20618==    by 0x601CBA: zend_string_equal_content (zend_string.h:310)
==20618==    by 0x601CBA: zend_interned_string_ht_lookup (zend_string.c:156)
==20618==    by 0x601CBA: zend_new_interned_string_permanent (zend_string.c:196)
==20618==    by 0x5DDEAC: zend_register_functions (zend_API.c:2283)
==20618==    by 0x5DF41F: do_register_internal_class (zend_API.c:2727)
==20618==    by 0x4E1622: zm_startup_reflection (php_reflection.c:6708)
==20618==    by 0x5DD38A: zend_startup_module_ex (zend_API.c:1878)
==20618==    by 0x5DD7A8: zend_startup_module_zval (zend_API.c:1893)
==20618==    by 0x5E8E13: zend_hash_apply (zend_hash.c:1689)
==20618==    by 0x5DD692: zend_startup_modules (zend_API.c:2004)
==20618==    by 0x579502: php_module_startup (main.c:2333)
==20618==    by 0x68BB49: php_cli_startup (php_cli.c:420)
==20618==    by 0x68AB30: main (php_cli.c:1356)
==20618== 
==20618== Conditional jump or move depends on uninitialised value(s)
==20618==    at 0x601CBA: zend_string_equal_val (zend_string.c:417)
==20618==    by 0x601CBA: zend_string_equal_content (zend_string.h:310)
==20618==    by 0x601CBA: zend_interned_string_ht_lookup (zend_string.c:156)
==20618==    by 0x601CBA: zend_new_interned_string_permanent (zend_string.c:196)
==20618==    by 0x5DDEAC: zend_register_functions (zend_API.c:2283)
==20618==    by 0x5DF41F: do_register_internal_class (zend_API.c:2727)
==20618==    by 0x4E1736: zm_startup_reflection (php_reflection.c:6720)
==20618==    by 0x5DD38A: zend_startup_module_ex (zend_API.c:1878)
==20618==    by 0x5DD7A8: zend_startup_module_zval (zend_API.c:1893)
==20618==    by 0x5E8E13: zend_hash_apply (zend_hash.c:1689)
==20618==    by 0x5DD692: zend_startup_modules (zend_API.c:2004)
==20618==    by 0x579502: php_module_startup (main.c:2333)
==20618==    by 0x68BB49: php_cli_startup (php_cli.c:420)
==20618==    by 0x68AB30: main (php_cli.c:1356)
==20618== 
==20618== Conditional jump or move depends on uninitialised value(s)
==20618==    at 0x601CBA: zend_string_equal_val (zend_string.c:417)
==20618==    by 0x601CBA: zend_string_equal_content (zend_string.h:310)
==20618==    by 0x601CBA: zend_interned_string_ht_lookup (zend_string.c:156)
==20618==    by 0x601CBA: zend_new_interned_string_permanent (zend_string.c:196)
==20618==    by 0x5DDEAC: zend_register_functions (zend_API.c:2283)
==20618==    by 0x5DF41F: do_register_internal_class (zend_API.c:2727)
==20618==    by 0x4E17BD: zm_startup_reflection (php_reflection.c:6726)
==20618==    by 0x5DD38A: zend_startup_module_ex (zend_API.c:1878)
==20618==    by 0x5DD7A8: zend_startup_module_zval (zend_API.c:1893)
==20618==    by 0x5E8E13: zend_hash_apply (zend_hash.c:1689)
==20618==    by 0x5DD692: zend_startup_modules (zend_API.c:2004)
==20618==    by 0x579502: php_module_startup (main.c:2333)
==20618==    by 0x68BB49: php_cli_startup (php_cli.c:420)
==20618==    by 0x68AB30: main (php_cli.c:1356)
==20618== 
==20618== Conditional jump or move depends on uninitialised value(s)
==20618==    at 0x601CBA: zend_string_equal_val (zend_string.c:417)
==20618==    by 0x601CBA: zend_string_equal_content (zend_string.h:310)
==20618==    by 0x601CBA: zend_interned_string_ht_lookup (zend_string.c:156)
==20618==    by 0x601CBA: zend_new_interned_string_permanent (zend_string.c:196)
==20618==    by 0x5DDEAC: zend_register_functions (zend_API.c:2283)
==20618==    by 0x5DF41F: do_register_internal_class (zend_API.c:2727)
==20618==    by 0x4E4CD1: spl_register_std_class (spl_functions.c:44)
==20618==    by 0x4F06F9: zm_startup_spl_array (spl_array.c:2002)
==20618==    by 0x4E4ABD: zm_startup_spl (php_spl.c:998)
==20618==    by 0x5DD38A: zend_startup_module_ex (zend_API.c:1878)
==20618==    by 0x5DD7A8: zend_startup_module_zval (zend_API.c:1893)
==20618==    by 0x5E8E13: zend_hash_apply (zend_hash.c:1689)
==20618==    by 0x5DD692: zend_startup_modules (zend_API.c:2004)
==20618==    by 0x579502: php_module_startup (main.c:2333)
==20618==    by 0x68BB49: php_cli_startup (php_cli.c:420)
==20618==    by 0x68AB30: main (php_cli.c:1356)
==20618== 
==20618== Conditional jump or move depends on uninitialised value(s)
==20618==    at 0x601756: zend_string_equal_val (zend_string.c:417)
==20618==    by 0x601756: zend_string_equal_content (zend_string.h:310)
==20618==    by 0x601756: zend_interned_string_ht_lookup (zend_string.c:156)
==20618==    by 0x601756: zend_new_interned_string_request (zend_string.c:224)
==20618==    by 0x5B1730: zval_make_interned_string (zend_compile.c:473)
==20618==    by 0x5B1730: zend_insert_literal (zend_compile.c:485)
==20618==    by 0x5B1730: zend_add_literal (zend_compile.c:505)
==20618==    by 0x5B1730: zend_emit_op (zend_compile.c:2121)
==20618==    by 0x5B9E1B: zend_compile_call (zend_compile.c:4042)
==20618==    by 0x5B4865: zend_compile_assign (zend_compile.c:2980)
==20618==    by 0x5BD0D1: zend_compile_stmt (zend_compile.c:8309)
==20618==    by 0x5C3610: zend_compile_top_stmt (zend_compile.c:8195)
==20618==    by 0x5C35F9: zend_compile_top_stmt (zend_compile.c:8190)
==20618==    by 0x59CC97: zend_compile (zend_language_scanner.l:602)
==20618==    by 0x59CB65: compile_file (zend_language_scanner.l:636)
==20618==    by 0x5D8215: zend_execute_scripts (zend.c:1562)
==20618==    by 0x57A5B5: php_execute_script (main.c:2630)
==20618==    by 0x68B93A: do_cli (php_cli.c:997)
==20618==    by 0x68AB90: main (php_cli.c:1389)
==20618== 
==20618== Conditional jump or move depends on uninitialised value(s)
==20618==    at 0x601756: zend_string_equal_val (zend_string.c:417)
==20618==    by 0x601756: zend_string_equal_content (zend_string.h:310)
==20618==    by 0x601756: zend_interned_string_ht_lookup (zend_string.c:156)
==20618==    by 0x601756: zend_new_interned_string_request (zend_string.c:224)
==20618==    by 0x5B1730: zval_make_interned_string (zend_compile.c:473)
==20618==    by 0x5B1730: zend_insert_literal (zend_compile.c:485)
==20618==    by 0x5B1730: zend_add_literal (zend_compile.c:505)
==20618==    by 0x5B1730: zend_emit_op (zend_compile.c:2121)
==20618==    by 0x5B9E1B: zend_compile_call (zend_compile.c:4042)
==20618==    by 0x5BD0D1: zend_compile_stmt (zend_compile.c:8309)
==20618==    by 0x5C3610: zend_compile_top_stmt (zend_compile.c:8195)
==20618==    by 0x5C35F9: zend_compile_top_stmt (zend_compile.c:8190)
==20618==    by 0x59CC97: zend_compile (zend_language_scanner.l:602)
==20618==    by 0x59CB65: compile_file (zend_language_scanner.l:636)
==20618==    by 0x5D8215: zend_execute_scripts (zend.c:1562)
==20618==    by 0x57A5B5: php_execute_script (main.c:2630)
==20618==    by 0x68B93A: do_cli (php_cli.c:997)
==20618==    by 0x68AB90: main (php_cli.c:1389)
==20618== 
==20618== Conditional jump or move depends on uninitialised value(s)
==20618==    at 0x6017FA: zend_string_equal_val (zend_string.c:417)
==20618==    by 0x6017FA: zend_string_equal_content (zend_string.h:310)
==20618==    by 0x6017FA: zend_interned_string_ht_lookup (zend_string.c:156)
==20618==    by 0x6017FA: zend_new_interned_string_request (zend_string.c:230)
==20618==    by 0x5B5391: zval_make_interned_string (zend_compile.c:473)
==20618==    by 0x5B5391: zend_try_compile_cv (zend_compile.c:2534)
==20618==    by 0x5B5B22: zend_compile_simple_var (zend_compile.c:2606)
==20618==    by 0x5B5B22: zend_compile_var (zend_compile.c:8450)
==20618==    by 0x5B6DA6: zend_compile_args (zend_compile.c:3211)
==20618==    by 0x5B6F2B: zend_compile_call_common (zend_compile.c:3314)
==20618==    by 0x5B9E3C: zend_compile_call (zend_compile.c:4045)
==20618==    by 0x5BD0D1: zend_compile_stmt (zend_compile.c:8309)
==20618==    by 0x5C3610: zend_compile_top_stmt (zend_compile.c:8195)
==20618==    by 0x5C35F9: zend_compile_top_stmt (zend_compile.c:8190)
==20618==    by 0x59CC97: zend_compile (zend_language_scanner.l:602)
==20618==    by 0x59CB65: compile_file (zend_language_scanner.l:636)
==20618==    by 0x5D8215: zend_execute_scripts (zend.c:1562)
==20618==    by 0x57A5B5: php_execute_script (main.c:2630)
==20618==    by 0x68B93A: do_cli (php_cli.c:997)
==20618==    by 0x68AB90: main (php_cli.c:1389)
==20618== 

Warning: exif_read_data(): Process tag(x3030=UndefinedTa): Illegal format code 0x3030, suppose BYTE in /tmp/test.php on line 4

Warning: exif_read_data(): Process tag(x9286=UserComment): Illegal format code 0x3030, suppose BYTE in /tmp/test.php on line 4
==20618== Invalid read of size 2
==20618==    at 0x4D24B7: exif_process_user_comment (exif.c:3018)
==20618==    by 0x4D24B7: exif_process_IFD_TAG (exif.c:3403)
==20618==    by 0x4D13BA: exif_process_IFD_in_JPEG (exif.c:3577)
==20618==    by 0x4CF1C7: exif_process_TIFF_in_JPEG (exif.c:3666)
==20618==    by 0x4CF1C7: exif_process_APP1 (exif.c:3691)
==20618==    by 0x4CF1C7: exif_scan_JPEG_header (exif.c:3836)
==20618==    by 0x4CF1C7: exif_scan_FILE_header (exif.c:4231)
==20618==    by 0x4CF1C7: exif_read_from_impl (exif.c:4372)
==20618==    by 0x4CF1C7: exif_read_from_stream (exif.c:4389)
==20618==    by 0x4CD8B1: zif_exif_read_data (exif.c:4479)
==20618==    by 0x6626E1: ZEND_DO_ICALL_SPEC_RETVAL_USED_HANDLER (zend_vm_execute.h:690)
==20618==    by 0x619577: execute_ex (zend_vm_execute.h:55334)
==20618==    by 0x6196CE: zend_execute (zend_vm_execute.h:60881)
==20618==    by 0x5D8243: zend_execute_scripts (zend.c:1568)
==20618==    by 0x57A5B5: php_execute_script (main.c:2630)
==20618==    by 0x68B93A: do_cli (php_cli.c:997)
==20618==    by 0x68AB90: main (php_cli.c:1389)
==20618==  Address 0x64593b2 is 66 bytes inside a block of size 67 alloc'd
==20618==    at 0x4C2FB0F: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==20618==    by 0x5AF218: __zend_malloc (zend_alloc.c:2903)
==20618==    by 0x4CEE78: exif_file_sections_add (exif.c:1989)
==20618==    by 0x4CEE78: exif_scan_JPEG_header (exif.c:3790)
==20618==    by 0x4CEE78: exif_scan_FILE_header (exif.c:4231)
==20618==    by 0x4CEE78: exif_read_from_impl (exif.c:4372)
==20618==    by 0x4CEE78: exif_read_from_stream (exif.c:4389)
==20618==    by 0x4CD8B1: zif_exif_read_data (exif.c:4479)
==20618==    by 0x6626E1: ZEND_DO_ICALL_SPEC_RETVAL_USED_HANDLER (zend_vm_execute.h:690)
==20618==    by 0x619577: execute_ex (zend_vm_execute.h:55334)
==20618==    by 0x6196CE: zend_execute (zend_vm_execute.h:60881)
==20618==    by 0x5D8243: zend_execute_scripts (zend.c:1568)
==20618==    by 0x57A5B5: php_execute_script (main.c:2630)
==20618==    by 0x68B93A: do_cli (php_cli.c:997)
==20618==    by 0x68AB90: main (php_cli.c:1389)
==20618== 
==20618== Conditional jump or move depends on uninitialised value(s)
==20618==    at 0x4D24BC: exif_process_user_comment (exif.c:3018)
==20618==    by 0x4D24BC: exif_process_IFD_TAG (exif.c:3403)
==20618==    by 0x4D13BA: exif_process_IFD_in_JPEG (exif.c:3577)
==20618==    by 0x4CF1C7: exif_process_TIFF_in_JPEG (exif.c:3666)
==20618==    by 0x4CF1C7: exif_process_APP1 (exif.c:3691)
==20618==    by 0x4CF1C7: exif_scan_JPEG_header (exif.c:3836)
==20618==    by 0x4CF1C7: exif_scan_FILE_header (exif.c:4231)
==20618==    by 0x4CF1C7: exif_read_from_impl (exif.c:4372)
==20618==    by 0x4CF1C7: exif_read_from_stream (exif.c:4389)
==20618==    by 0x4CD8B1: zif_exif_read_data (exif.c:4479)
==20618==    by 0x6626E1: ZEND_DO_ICALL_SPEC_RETVAL_USED_HANDLER (zend_vm_execute.h:690)
==20618==    by 0x619577: execute_ex (zend_vm_execute.h:55334)
==20618==    by 0x6196CE: zend_execute (zend_vm_execute.h:60881)
==20618==    by 0x5D8243: zend_execute_scripts (zend.c:1568)
==20618==    by 0x57A5B5: php_execute_script (main.c:2630)
==20618==    by 0x68B93A: do_cli (php_cli.c:997)
==20618==    by 0x68AB90: main (php_cli.c:1389)
==20618== 
==20618== Invalid read of size 2
==20618==    at 0x4D24C9: exif_process_user_comment (exif.c:3022)
==20618==    by 0x4D24C9: exif_process_IFD_TAG (exif.c:3403)
==20618==    by 0x4D13BA: exif_process_IFD_in_JPEG (exif.c:3577)
==20618==    by 0x4CF1C7: exif_process_TIFF_in_JPEG (exif.c:3666)
==20618==    by 0x4CF1C7: exif_process_APP1 (exif.c:3691)
==20618==    by 0x4CF1C7: exif_scan_JPEG_header (exif.c:3836)
==20618==    by 0x4CF1C7: exif_scan_FILE_header (exif.c:4231)
==20618==    by 0x4CF1C7: exif_read_from_impl (exif.c:4372)
==20618==    by 0x4CF1C7: exif_read_from_stream (exif.c:4389)
==20618==    by 0x4CD8B1: zif_exif_read_data (exif.c:4479)
==20618==    by 0x6626E1: ZEND_DO_ICALL_SPEC_RETVAL_USED_HANDLER (zend_vm_execute.h:690)
==20618==    by 0x619577: execute_ex (zend_vm_execute.h:55334)
==20618==    by 0x6196CE: zend_execute (zend_vm_execute.h:60881)
==20618==    by 0x5D8243: zend_execute_scripts (zend.c:1568)
==20618==    by 0x57A5B5: php_execute_script (main.c:2630)
==20618==    by 0x68B93A: do_cli (php_cli.c:997)
==20618==    by 0x68AB90: main (php_cli.c:1389)
==20618==  Address 0x64593b2 is 66 bytes inside a block of size 67 alloc'd
==20618==    at 0x4C2FB0F: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==20618==    by 0x5AF218: __zend_malloc (zend_alloc.c:2903)
==20618==    by 0x4CEE78: exif_file_sections_add (exif.c:1989)
==20618==    by 0x4CEE78: exif_scan_JPEG_header (exif.c:3790)
==20618==    by 0x4CEE78: exif_scan_FILE_header (exif.c:4231)
==20618==    by 0x4CEE78: exif_read_from_impl (exif.c:4372)
==20618==    by 0x4CEE78: exif_read_from_stream (exif.c:4389)
==20618==    by 0x4CD8B1: zif_exif_read_data (exif.c:4479)
==20618==    by 0x6626E1: ZEND_DO_ICALL_SPEC_RETVAL_USED_HANDLER (zend_vm_execute.h:690)
==20618==    by 0x619577: execute_ex (zend_vm_execute.h:55334)
==20618==    by 0x6196CE: zend_execute (zend_vm_execute.h:60881)
==20618==    by 0x5D8243: zend_execute_scripts (zend.c:1568)
==20618==    by 0x57A5B5: php_execute_script (main.c:2630)
==20618==    by 0x68B93A: do_cli (php_cli.c:997)
==20618==    by 0x68AB90: main (php_cli.c:1389)
==20618== 
==20618== Conditional jump or move depends on uninitialised value(s)
==20618==    at 0x4D24D1: exif_process_user_comment (exif.c:3022)
==20618==    by 0x4D24D1: exif_process_IFD_TAG (exif.c:3403)
==20618==    by 0x4D13BA: exif_process_IFD_in_JPEG (exif.c:3577)
==20618==    by 0x4CF1C7: exif_process_TIFF_in_JPEG (exif.c:3666)
==20618==    by 0x4CF1C7: exif_process_APP1 (exif.c:3691)
==20618==    by 0x4CF1C7: exif_scan_JPEG_header (exif.c:3836)
==20618==    by 0x4CF1C7: exif_scan_FILE_header (exif.c:4231)
==20618==    by 0x4CF1C7: exif_read_from_impl (exif.c:4372)
==20618==    by 0x4CF1C7: exif_read_from_stream (exif.c:4389)
==20618==    by 0x4CD8B1: zif_exif_read_data (exif.c:4479)
==20618==    by 0x6626E1: ZEND_DO_ICALL_SPEC_RETVAL_USED_HANDLER (zend_vm_execute.h:690)
==20618==    by 0x619577: execute_ex (zend_vm_execute.h:55334)
==20618==    by 0x6196CE: zend_execute (zend_vm_execute.h:60881)
==20618==    by 0x5D8243: zend_execute_scripts (zend.c:1568)
==20618==    by 0x57A5B5: php_execute_script (main.c:2630)
==20618==    by 0x68B93A: do_cli (php_cli.c:997)
==20618==    by 0x68AB90: main (php_cli.c:1389)
==20618== 

Warning: exif_read_data(): Illegal IFD offset in /tmp/test.php on line 4

Warning: exif_read_data(): File structure corrupted in /tmp/test.php on line 4

Warning: exif_read_data(): Invalid JPEG file in /tmp/test.php on line 4
==20618== 
==20618== HEAP SUMMARY:
==20618==     in use at exit: 0 bytes in 0 blocks
==20618==   total heap usage: 7,068 allocs, 7,068 frees, 1,596,251 bytes allocated
==20618== 
==20618== All heap blocks were freed -- no leaks are possible
==20618== 
==20618== For counts of detected and suppressed errors, rerun with: -v
==20618== Use --track-origins=yes to see where uninitialised values come from
==20618== ERROR SUMMARY: 173 errors from 25 contexts (suppressed: 0 from 0)
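The "Invalid read of size 2" at offset 66 of a 67-byte block above is the BOM test in exif_process_user_comment comparing two bytes when only one byte of the UserComment value remains in the section. The C program below is an added illustration, not code from php-src: it models that check in its unguarded and guarded forms and runs both on a constructed buffer. The function and variable names (detect_bom_unchecked, detect_bom_checked, g_backing, SECTION_LEN), the result struct, and the modelling of ByteCount as a plain int are this example's own assumptions; the sentinel byte placed just past the "section" stands in for whatever follows the block on the real heap and keeps the demonstration inside one array so the overread can be observed rather than trapped.

```c
#include <stdio.h>
#include <string.h>

/* Result of BOM detection on a UserComment body. The decode strings are the
 * ones EXIF code uses for a UCS-2 BOM; the struct is this example's own. */
typedef struct {
    const char          *decode;     /* "UCS-2BE", "UCS-2LE", or NULL when no BOM */
    const unsigned char *text;       /* first byte of the comment after any BOM */
    int                  byte_count; /* bytes left for the comment body (assumed int) */
} bom_result;

/* Pre-fix shape: memcmp always touches 2 bytes, whatever byte_count says.
 * With byte_count == 1 at the end of a heap block this is the 2-byte invalid
 * read valgrind reports. Here it is only ever called on a backing array that
 * has one sentinel byte past the "section", so the overread stays inside the
 * array and its effect can be inspected instead of crashing. */
static bom_result detect_bom_unchecked(const unsigned char *p, int byte_count)
{
    bom_result r = { NULL, p, byte_count };
    if (!memcmp(p, "\xFE\xFF", 2)) {
        r.decode = "UCS-2BE"; r.text = p + 2; r.byte_count = byte_count - 2;
    } else if (!memcmp(p, "\xFF\xFE", 2)) {
        r.decode = "UCS-2LE"; r.text = p + 2; r.byte_count = byte_count - 2;
    }
    return r;
}

/* Fixed shape: the length guard is evaluated first in both branches, so
 * memcmp is never reached with fewer than 2 readable bytes. */
static bom_result detect_bom_checked(const unsigned char *p, int byte_count)
{
    bom_result r = { NULL, p, byte_count };
    if (byte_count >= 2 && !memcmp(p, "\xFE\xFF", 2)) {
        r.decode = "UCS-2BE"; r.text = p + 2; r.byte_count = byte_count - 2;
    } else if (byte_count >= 2 && !memcmp(p, "\xFF\xFE", 2)) {
        r.decode = "UCS-2LE"; r.text = p + 2; r.byte_count = byte_count - 2;
    }
    return r;
}

/* Constructed scenario mirroring the valgrind numbers: a 67-byte section
 * whose UserComment value begins at its last byte (offset 66, 1 byte left).
 * g_backing[67] lies outside the section and plays the neighbouring heap. */
#define SECTION_LEN 67
static unsigned char g_backing[SECTION_LEN + 1];

static const unsigned char *truncated_comment(void)
{
    memset(g_backing, 'A', SECTION_LEN);
    g_backing[SECTION_LEN - 1] = 0xFE; /* the comment's only byte */
    g_backing[SECTION_LEN]     = 0xFF; /* sentinel: past the end of the section */
    return g_backing + (SECTION_LEN - 1);
}

static bom_result unchecked_at_last_byte(void)
{
    return detect_bom_unchecked(truncated_comment(), 1);
}

static bom_result checked_at_last_byte(void)
{
    return detect_bom_checked(truncated_comment(), 1);
}

/* A well-formed little-endian comment ("hi" in UCS-2LE, constructed), to show
 * the guarded version still recognises a BOM when the bytes really exist. */
static bom_result checked_well_formed_le(void)
{
    static const unsigned char comment[] = { 0xFF, 0xFE, 'h', 0x00, 'i', 0x00 };
    return detect_bom_checked(comment, (int)sizeof comment);
}

int main(void)
{
    bom_result u = unchecked_at_last_byte();
    bom_result c = checked_at_last_byte();
    bom_result w = checked_well_formed_le();
    printf("unchecked: decode=%s byte_count=%d\n", u.decode ? u.decode : "(none)", u.byte_count);
    printf("checked:   decode=%s byte_count=%d\n", c.decode ? c.decode : "(none)", c.byte_count);
    printf("good LE:   decode=%s byte_count=%d\n", w.decode ? w.decode : "(none)", w.byte_count);
    return 0;
}
```

Built with `cc -Wall`, the unguarded path reports UCS-2BE and a remaining length of -1 for a comment that consists of the single byte 0xFE: the second compared byte came from outside the value, and the negative count is then handed to whatever consumes the comment body. Against a real heap block the same read is the overread valgrind flags above; the `ByteCount >= 2` guard removes both the read and the negative length.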


Patches

Pull Requests

History

 [2019-07-08 00:20 UTC] stas@php.net
-PHP Version: 7.3.7 +PHP Version: 7.1.30 -Assigned To: +Assigned To: stas -CVE-ID: +CVE-ID: 2019-11042
 [2019-07-08 00:20 UTC] stas@php.net
This should fix it:

diff --git a/ext/exif/exif.c b/ext/exif/exif.c
index e04290376c..7df5c019c1 100644
--- a/ext/exif/exif.c
+++ b/ext/exif/exif.c
@@ -3015,11 +3015,11 @@ static int exif_process_user_comment(image_info_type *ImageInfo, char **pszInfoP
                        /* First try to detect BOM: ZERO WIDTH NOBREAK SPACE (FEFF 16)
                         * since we have no encoding support for the BOM yet we skip that.
                         */
-                       if (!memcmp(szValuePtr, "\xFE\xFF", 2)) {
+                       if (ByteCount >=2 && !memcmp(szValuePtr, "\xFE\xFF", 2)) {
                                decode = "UCS-2BE";
                                szValuePtr = szValuePtr+2;
                                ByteCount -= 2;
-                       } else if (!memcmp(szValuePtr, "\xFF\xFE", 2)) {
+                       } else if (!ByteCount >= 2 && !memcmp(szValuePtr, "\xFF\xFE", 2)) {
                                decode = "UCS-2LE";
                                szValuePtr = szValuePtr+2;
                                ByteCount -= 2;
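Review bot: the guard on the second branch is wrong: `!ByteCount >= 2` parses as `(!ByteCount) >= 2`, and `!ByteCount` is only ever 0 or 1, so the condition is never true and the UCS-2LE branch becomes dead code; a comment starting with FF FE is no longer recognised as a BOM. It should mirror the first branch: `} else if (ByteCount >= 2 && !memcmp(szValuePtr, "\xFF\xFE", 2)) {`. While here, the first branch's `ByteCount >=2` could be spaced `ByteCount >= 2` to match the surrounding style.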

Please verify.
 [2019-07-13 05:31 UTC] orestiskourides at gmail dot com
fixed, no crash, all good ;)
 [2019-07-29 20:21 UTC] stas@php.net
-Status: Assigned +Status: Closed
 [2019-07-29 20:21 UTC] stas@php.net
The fix for this bug has been committed.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.

 For Windows:

http://windows.php.net/snapshots/

Thank you for the report, and for helping us make PHP better.


 [2019-07-30 07:17 UTC] cmb@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=e648fa4699e8d072db6db34fcc09826e8127fab8
Log: Fix bug #78256 (heap-buffer-overflow on exif_process_user_comment)
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Thu Nov 21 12:01:29 2024 UTC