Bug #78333 Exif crash (bus error) due to wrong alignment and invalid cast
Submitted: 2019-07-24 21:36 UTC Modified: -
From: rainer dot jung at kippdata dot de Assigned:
Status: Closed Package: EXIF related
PHP Version: 7.4.0alpha3 OS: Solaris 10 Sparc
Private report: No CVE-ID: None
 [2019-07-24 21:36 UTC] rainer dot jung at kippdata dot de
Description:
------------
PHP Version: 7.4.0beta1 (not available in version dropdown)

Crash during execution of the test ext/exif/tests/bug77831.php.

Crash happens as Bus Error due to dereferencing a 2 byte aligned address for a float. Sparc is sensitive to wrong alignments.

Stack:

(gdb) bt full
#0  0xfdb659ec in exif_iif_add_value (image_info=0xffbfc728, section_index=3, name=<optimized out>, tag=<optimized out>, format=11, length=1, value=<optimized out>,
    value_len=<optimized out>, motorola_intel=<optimized out>) at /shared/build/autobuild/workdirs/20190724_202505/bld/php74/ext/exif/exif.c:2165
        idex = 0
        vptr = 0xfe6561da
        vptr_end = 0xfe6561de
        info_value = 0xfe656208
        info_data = 0xfe6561f8
        list = <optimized out>
#1  0xfdb66b3c in exif_iif_add_tag (value_len=4, value=0xfe6561da, length=4, format=<optimized out>, tag=8224, name=<optimized out>, section_index=3, image_info=0xffbfc728)
    at /shared/build/autobuild/workdirs/20190724_202505/bld/php74/ext/exif/exif.c:2186
No locals.
#2  exif_process_IFD_TAG (ImageInfo=0xffbfc728, dir_entry=<optimized out>, offset_base=<optimized out>, IFDlength=<optimized out>, displacement=<optimized out>,
    section_index=3, ReadNextIFD=<optimized out>, tag_table=<optimized out>) at /shared/build/autobuild/workdirs/20190724_202505/bld/php74/ext/exif/exif.c:3486
        length = 38
        tag = 8224
        format = <optimized out>
        components = 4
        value_ptr = 0xfe6561da "    "
        tagname = "UndefinedTag:0x2020", '\000' <repeats 17 times>, "▒\004\024\070▒\210\220▒g\200\061\000\000\000\000\000\000\000 \000\000\000\004\000\000\000\003"
        cbuf = "*\000\000\000\f    \000\002    \000\000\000 \000\000\000\003  \000\v\000\000\000\001 "
        outside = 0x0
        byte_count = 4
        offset_val = <optimized out>
        fpos = <optimized out>
        fgot = <optimized out>
        tmp_xp = <optimized out>
#3  0xfdb663a0 in exif_process_IFD_in_JPEG (ImageInfo=0xffbfc728, dir_start=0xfe6561c4 "", offset_base=0xfe6561b8 "MM", IFDlength=38, displacement=11, section_index=3,
    tag=<optimized out>) at /shared/build/autobuild/workdirs/20190724_202505/bld/php74/ext/exif/exif.c:2885
        de = 1
        NumDirEntries = 2
        NextDirOffset = 0
#4  0xfdb68958 in exif_process_TIFF_in_JPEG (displacement=<optimized out>, length=38, CharBuf=0xfe6561b8 "MM", ImageInfo=0xffbfc728)
    at /shared/build/autobuild/workdirs/20190724_202505/bld/php74/ext/exif/exif.c:3608
        exif_value_2a = 42
        offset_of_ifd = <optimized out>
#5  exif_process_APP1 (displacement=<optimized out>, length=46, CharBuf=0xfe6561b0 "", ImageInfo=0xffbfc728)
    at /shared/build/autobuild/workdirs/20190724_202505/bld/php74/ext/exif/exif.c:3633
        ExifHeader = "Exif\000"
#6  exif_scan_JPEG_header (ImageInfo=0xffbfc728) at /shared/build/autobuild/workdirs/20190724_202505/bld/php74/ext/exif/exif.c:3778
        comment_correction = 1
        ll = <optimized out>
        size = <optimized out>
        Data = 0xfe6561b0 ""
        fpos = <optimized out>
        got = <optimized out>
        itemlen = 46
        sn = <optimized out>
        marker = 225
        last_marker = <optimized out>
        lh = <optimized out>
#7  exif_scan_FILE_header (ImageInfo=0xffbfc728) at /shared/build/autobuild/workdirs/20190724_202505/bld/php74/ext/exif/exif.c:4173
        file_header = "▒ؾ\"\017▒-\230"
        ret = 0
#8  exif_read_from_impl (read_all=0, read_thumbnail=<optimized out>, stream=0xfe668200, ImageInfo=0xffbfc728)
    at /shared/build/autobuild/workdirs/20190724_202505/bld/php74/ext/exif/exif.c:4314
        st = {st_dev = 22282550, st_pad1 = {0, 0, 0}, st_ino = 37266735, st_mode = 33188, st_nlink = 1, st_uid = 1200, st_gid = 1200, st_rdev = 0, st_pad2 = {0, 0},
          st_size = 49, st_pad3 = 0, st_atim = {tv_sec = 1563992732, tv_nsec = 821345000}, st_mtim = {tv_sec = 1563869118, tv_nsec = 0}, st_ctim = {tv_sec = 1563992732,
            tv_nsec = 821810000}, st_blksize = 8192, st_blocks = 2, st_fstype = "lofs", '\000' <repeats 11 times>, st_pad4 = {0, 0, 0, 0, 0, 0, 0, 0}}
#9  exif_read_from_stream (ImageInfo=0xffbfc728, stream=0xfe668200, read_thumbnail=<optimized out>, read_all=0)
    at /shared/build/autobuild/workdirs/20190724_202505/bld/php74/ext/exif/exif.c:4331
        ret = <optimized out>
        old_pos = 0
#10 0xfdb68e10 in exif_read_from_file (ImageInfo=0xffbfc728, FileName=0xfe65b5c0 "/shared/build/autobuild/workdirs/20190724_202505/bld/php74/ext/exif/tests/bug77831.tiff",
    read_thumbnail=0, read_all=<optimized out>) at /shared/build/autobuild/workdirs/20190724_202505/bld/php74/ext/exif/exif.c:4358
        ret = <optimized out>
        stream = 0xfe668200
#11 0xfdb692f4 in zif_exif_read_data (execute_data=0xfe6140a0, return_value=0xfe614040) at /shared/build/autobuild/workdirs/20190724_202505/bld/php74/ext/exif/exif.c:4433
        z_sections_needed = 0x0
        sub_arrays = 0 '\000'
        read_thumbnail = 0 '\000'
        stream = 0xfe6140d0
        i = <optimized out>
        ret = <optimized out>
        sections_needed = 0
        ImageInfo = {infile = 0xfe668200, FileName = 0xfe677040 "bug77831.tiff", FileDateTime = 1563869118, FileSize = 49, FileType = IMAGE_FILETYPE_JPEG, Height = 0,
          Width = 0, IsColor = 0, make = 0x0, model = 0x0, ApertureFNumber = 0, ExposureTime = 0, FocalplaneUnits = 0, CCDWidth = 0, FocalplaneXRes = 0, ExifImageWidth = 0,
          FocalLength = 0, Distance = 0, motorola_intel = 1, UserComment = 0x0, UserCommentLength = 0, UserCommentEncoding = 0x0, encode_unicode = 0xfe677050 "ISO-8859-15",
          decode_unicode_be = 0xfe602010 "UCS-2BE", decode_unicode_le = 0xfe602018 "UCS-2LE", encode_jis = 0xfe602020 "", decode_jis_be = 0xfe602028 "JIS",
          decode_jis_le = 0xfe602030 "JIS", Copyright = 0x0, CopyrightPhotographer = 0x0, CopyrightEditor = 0x0, xp_fields = {count = 0, list = 0x0}, Thumbnail = {
            filetype = IMAGE_FILETYPE_UNKNOWN, width = 0, height = 0, size = 0, offset = 0, data = 0x0}, sections_found = 12, info_list = {{count = 0, list = 0x0}, {count = 0,
              list = 0x0}, {count = 0, list = 0x0}, {count = 1, list = 0xfe6561e0}, {count = 0, list = 0x0}, {count = 0, list = 0x0}, {count = 0, list = 0x0}, {count = 0,
              list = 0x0}, {count = 0, list = 0x0}, {count = 0, list = 0x0}, {count = 0, list = 0x0}, {count = 0, list = 0x0}, {count = 0, list = 0x0}, {count = 0,
              list = 0x0}}, read_thumbnail = 0, read_all = 0, ifd_nesting_level = 2, file = {count = 1, list = 0xfe677060}}
        tmp = "\000\000\000\005\000\000\000\000\000\000\002\002▒?B▒\000\001\000\000\000\000\000\000\000\000\000\000▒\v\022|\000\000\000\002▒▒▒H\000\000\000\000▒gP▒▒\v=\f▒▒▒l▒▒ǰ▒▒\206$"
        sections_str = 0x0
        s = <optimized out>
#12 0xfeeb28e8 in ZEND_DO_ICALL_SPEC_RETVAL_USED_HANDLER (execute_data=0xfe614010) at /shared/build/autobuild/workdirs/20190724_202505/bld/php74/Zend/zend_vm_execute.h:1319
        opline = 0xfe65c214
        call = 0xfe6140a0
        fbc = <optimized out>
        ret = <optimized out>
#13 0xfeeb0c58 in execute_ex (ex=<optimized out>) at /shared/build/autobuild/workdirs/20190724_202505/bld/php74/Zend/zend_vm_execute.h:53103
        ret = <optimized out>
        execute_data = 0xfe614010
#14 0xfef0aa28 in zend_execute (op_array=0xfe6750a0, return_value=0x0) at /shared/build/autobuild/workdirs/20190724_202505/bld/php74/Zend/zend_vm_execute.h:57388
        execute_data = 0xfe614010
        object_or_called_scope = <optimized out>
        call_info = <optimized out>
#15 0xfee6953c in zend_execute_scripts (type=8, retval=0x0, file_count=3) at /shared/build/autobuild/workdirs/20190724_202505/bld/php74/Zend/zend.c:1663
        files = 0xffbfca40
        i = 1
        file_handle = 0xffbfd094
        op_array = 0xfe6750a0
#16 0xfedfdeb0 in php_execute_script (primary_file=0xffbfd094) at /shared/build/autobuild/workdirs/20190724_202505/bld/php74/main/main.c:2633
        realfile = "/shared/build/autobuild/workdirs/20190724_202505/bld/php74/ext/exif/tests/bug77831.php\000\214\000\000\000\005▒▒▒\000\000\000]▒\004\023▒▒e`\000\000\000\000$-
▒▒\234▒\000\000\000\000\000\000\000\001\000\000\000\001▒9\017\220▒▒WR▒?\f▒▒?s▒\n▒*\t\000\000\005(\000\000\000\000\000\000\000\000▒?\f▒▒?s▒", '\000' <repeats 32 times>...
        __orig_bailout = <optimized out>
        __bailout = {2, -4208152, -18883256, -4206776, 83200, 0, 0, 0, 0, 0, 0, 0, 232296, -16390196, 152, 600, -12582912, 8388608, 0}
        prepend_file_p = 0x0
        append_file_p = 0x0
        prepend_file = {handle = {fp = 0x0, stream = {handle = 0x0, isatty = 0, reader = 0x0, fsizer = 0x0, closer = 0x0}}, filename = 0x0, opened_path = 0x0,
          type = ZEND_HANDLE_FILENAME, buf = 0x0, len = 0}
        append_file = {handle = {fp = 0x0, stream = {handle = 0x0, isatty = 0, reader = 0x0, fsizer = 0x0, closer = 0x0}}, filename = 0x0, opened_path = 0x0,
          type = ZEND_HANDLE_FILENAME, buf = 0x0, len = 0}
        old_cwd_fd = -1
        retval = 0
#17 0x00014508 in do_cli (argc=<optimized out>, argv=<optimized out>) at /shared/build/autobuild/workdirs/20190724_202505/bld/php74/sapi/cli/php_cli.c:963
        __orig_bailout = <optimized out>
        __bailout = {2, -4206776, 78836, -4205208, 123884, 0, 101795963, 1949, -13034128, 1026, 9, -13037680, -24543363, -13037680, -12618832, 171156496, -12582912, 8388608, 0}
        c = <optimized out>
        file_handle = {handle = {fp = 0xfe9b554c <_iob+48>, stream = {handle = 0xfe9b554c <_iob+48>, isatty = 0, reader = 0xfee86840 <zend_stream_stdio_reader>,
              fsizer = 0xfee86910 <zend_stream_stdio_fsizer>, closer = 0xfee867f4 <zend_stream_stdio_closer>}},
          filename = 0x3fd18 "/shared/build/autobuild/workdirs/20190724_202505/bld/php74/ext/exif/tests/bug77831.php", opened_path = 0x0, type = ZEND_HANDLE_STREAM,
          buf = 0xfe65b460 "▒e▒@p\nvar_dump(exif_read_data(__DIR__.\"/bug77831.tiff\"));\n?>\nDONE\n", len = 66}
        behavior = <optimized out>
        reflection_what = <optimized out>
        request_started = 1
        exit_status = 0
        php_optarg = 0x3fd18 "/shared/build/autobuild/workdirs/20190724_202505/bld/php74/ext/exif/tests/bug77831.php"
        php_optind = 152
        exec_direct = <optimized out>
        exec_run = <optimized out>
        exec_begin = <optimized out>
        exec_end = <optimized out>
        arg_free = <optimized out>
        arg_excp = <optimized out>
        script_file = <optimized out>
        translated_path = 0x2084a0 "/shared/build/autobuild/workdirs/20190724_202505/bld/php74/ext/exif/tests/bug77831.php"
        interactive = <optimized out>
        param_error = <optimized out>
        hide_argv = <optimized out>
#18 0x0001e3f4 in main (argc=<optimized out>, argv=0x3ecf8) at /shared/build/autobuild/workdirs/20190724_202505/bld/php74/sapi/cli/php_cli.c:1353
        __orig_bailout = 0x0
        __bailout = {2, -4205208, 123328, -4204984, 76588, 0, 0, 0, 0, 0, 0, 3, -4204884, 4, -4204272, 5, -12582912, 8388608, 0}
        c = <optimized out>
        exit_status = 0
        module_started = 1
        sapi_started = 1
        php_optarg = 0x3fd18 "/shared/build/autobuild/workdirs/20190724_202505/bld/php74/ext/exif/tests/bug77831.php"
        php_optind = 152
        use_extended_info = 0
        ini_path_override = 0x3fd78 "/shared/build/autobuild/workdirs/20190724_202505/bld/php74/tmp-php.ini"
        ini_entries = 0x40578 "html_errors=0\nregister_argc_argv=1\nimplicit_flush=1\noutput_buffering=0\nmax_execution_time=0\nmax_input_time=-1\noutput_handler=\nopen_basedir=\ndisable_functions=\noutput_buffering=Off\nerror_reporting=3276"...
        ini_entries_len = 1582
        ini_ignore = 1


The relevant code line is

2165                                                 info_value->f = *(float *)value;

and value points at address 0xfe6561da. This address is only 2-byte aligned and cannot be dereferenced as a float.

Regards,
Rainer

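The crash pattern in the report, reproduced as an added stand-alone example (this is not code from the bug report or from php-src, and it is not the committed fix): a 4-byte float that sits at a 2-byte-aligned offset inside a byte buffer, read once with the cast-and-dereference that exif.c line 2165 uses, and once by assembling the bytes and copying them into a properly aligned float. The `sample_payload` buffer, the `load_u32`, `read_float_cast`, `read_float_copy` and `float_aligned` names, and the `_Alignas(4)` placement that makes offset 2 misaligned on every host are all this example's own constructions; the "MM" marker stands in for a big-endian TIFF header only to motivate the byte-order argument.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for an EXIF IFD payload (not a real file): a 2-byte
 * "MM" byte-order marker followed by two big-endian IEEE-754 singles. The
 * array is forced to 4-byte alignment so that offset 2 is exactly the case
 * from the report: 2-byte aligned, not 4-byte aligned. */
static _Alignas(4) const unsigned char sample_payload[] = {
    'M', 'M',                   /* byte-order marker, 2 bytes        */
    0x3f, 0x80, 0x00, 0x00,     /* 1.0f, big-endian                  */
    0x40, 0x49, 0x0f, 0xdb,     /* 3.14159274f, big-endian           */
};

/* 1 when p may legally be dereferenced as a float, 0 otherwise. */
int float_aligned(const void *p) {
    return ((uintptr_t)p % _Alignof(float)) == 0;
}

/* The pattern from exif.c:2165. Undefined behaviour when value is not
 * float-aligned: SPARC raises SIGBUS (the "Bus Error" in the report),
 * x86 silently performs the load, so tests there never notice. It also
 * interprets the bytes in host byte order regardless of the TIFF header.
 * Kept only to show the bug; never call it on an unaligned pointer. */
float read_float_cast(const unsigned char *value) {
    return *(const float *)value;
}

/* Byte-wise load: no alignment requirement, and the byte order is an
 * explicit parameter (what the TIFF "MM"/"II" header says) instead of
 * whatever the host happens to use. */
static uint32_t load_u32(const unsigned char *p, int big_endian) {
    if (big_endian)
        return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16)
             | ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
    return ((uint32_t)p[3] << 24) | ((uint32_t)p[2] << 16)
         | ((uint32_t)p[1] << 8)  |  (uint32_t)p[0];
}

/* Safe replacement for the cast: gather the 32 bits, then reinterpret them
 * through memcpy into a float that lives at a properly aligned address.
 * Compilers turn the memcpy into a register move; no trap is possible. */
float read_float_copy(const unsigned char *value, int big_endian) {
    uint32_t bits = load_u32(value, big_endian);
    float f;
    memcpy(&f, &bits, sizeof f);
    return f;
}

int main(void) {
    const unsigned char *v = sample_payload + 2;   /* the misaligned value */
    int big_endian = (sample_payload[0] == 'M');

    printf("value at %p, float-aligned: %s\n", (const void *)v,
           float_aligned(v) ? "yes" : "no");
    printf("safe read: %f\n", read_float_copy(v, big_endian));
    printf("safe read: %f\n", read_float_copy(v + 4, big_endian));

    /* Only exercise the buggy path when it cannot trap; on SPARC the
     * unguarded call on v would reproduce the bus error. */
    if (float_aligned(v))
        printf("cast read: %f\n", read_float_cast(v));
    return 0;
}
```

The check worth keeping from this is `float_aligned`: pointer arithmetic into a parsed file buffer gives you no alignment guarantee at all, so any `*(T *)ptr` on such a pointer is a latent SIGBUS on strict-alignment targets and silent undefined behaviour elsewhere; a byte-wise load or a `memcpy` into a local is the portable form.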

History

 [2019-07-28 18:52 UTC] rainer dot jung at kippdata dot de
I should say that the problem is not new to 7.4. It goes back at least to 7.2, probably even older.
 [2019-07-29 09:26 UTC] nikic@php.net
Automatic comment on behalf of nikita.ppv@gmail.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=d142dfc93d71bb387c19a06f77c265e89fc9d516
Log: Fixed bug #78333
 [2019-07-29 09:26 UTC] nikic@php.net
-Status: Open +Status: Closed
 [2019-07-29 09:28 UTC] nikic@php.net
Automatic comment on behalf of nikita.ppv@gmail.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=68fd435ba81e0208d30218b0558cccbf76b85e49
Log: Fixed bug #78333
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Thu Nov 21 12:01:29 2024 UTC