|  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Sec Bug #54002 crash on crafted tag
Submitted: 2011-02-12 21:31 UTC Modified: 2019-09-30 16:03 UTC
From: Assigned: pajoye (profile)
Status: Closed Package: EXIF related
PHP Version: Irrelevant OS:
Private report: No CVE-ID: 2011-0708
Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If this is not your bug, you can add a comment by following this link.
If this is your bug, but you forgot your password, you can retrieve your password here.
Bug Type:
New email:
PHP Version: OS:


 [2011-02-12 21:31 UTC]
PHP Exif 64bit Casting Vulnerability

Affected Software : PHP <= 5.3.5 (Exif extension for 64bit platforms)
Severity          : Low
Local/Remote      : Remote
Author            : @_ikki, @paradoxengine (


PHP Exif extension allows developers to work with image metadata
within their PHP code. For instance, using exif functions it is possible
to read metadata from digital camera pictures.
For further details on this file format, please refer to:

PHP Exif extension for 64bit platforms is affected by a casting
vulnerability that occurs during the image header parsing.
According to our preliminary analysis, exploitation of this flaw results
in Denial of Service.

This vulnerability affects PHP 5.3.5 and likely all previous versions.
During our analysis, we have successfully tested our PoC against PHP
5.3.2, PHP 5.3.3 and the latest PHP release 5.3.5.

Using the following configuration, a system is most likely vulnerable:
 (a) PHP 64bit version
 (b) PHP compiled with --enable-exif
 (c) memory_limit = -1

[Vulnerability Details]

In case of 64bit platforms, an improper conversion occurs within
"/php-5.3.5/ext/exif/exif.c" at line 1100 (php_ifd_get32s) and 1118

In detail, an image having properly crafted Image File Directory (IFD)
can be used to trigger a segmentation fault caused by a memory access

$ gdb ./sapi/cli/php
GNU gdb 6.8-debian
Copyright (C) 2008 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show
and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu"...
(gdb) run  -c /etc/php5/cli/php.ini ../exif.php ../ihaterepeating2.jpeg
program: /archive/stuff/vulnsResearch/php_exif/php-5.3.5/sapi/cli/php
-c /etc/php5/cli/php.ini ../exif.php ../ihaterepeating2.jpeg
[Thread debugging using libthread_db enabled]

 --- start ../ihaterepeating2.jpeg ---

[New Thread 0x7ff7d45a26e0 (LWP 10941)]

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x7ff7d45a26e0 (LWP 10941)]
0x000000000055e297 in php_ifd_get32s (value=0x2055000, motorola_intel=0)
at /archive/stuff/vulnsResearch/php_exif/php-5.3.5/ext/exif/exif.c:1108
1108                return  (((char  *)value)[3] << 24)

(gdb) backtrace
#0  0x000000000055e297 in php_ifd_get32s (value=0x2055000,
at /archive/stuff/vulnsResearch/php_exif/php-5.3.5/ext/exif/exif.c:1108
#1  0x000000000055e2f9 in php_ifd_get32u (value=0x2055000,
at /archive/stuff/vulnsResearch/php_exif/php-5.3.5/ext/exif/exif.c:1120
#2  0x000000000055f37e in exif_iif_add_value
section_index=13, name=0x7fff68f4d920 "UndefinedTag:0x0205", tag=517,
   length=536870913, value=0x2017124, motorola_intel=0) at
#3  0x000000000055f4d1 in exif_iif_add_tag (image_info=0x7fff68f4e0d0,
section_index=13, name=0x7fff68f4d920 "UndefinedTag:0x0205", tag=517,
   length=536870913, value=0x2017124) at
#4  0x00000000005625a8 in exif_process_IFD_TAG
dir_entry=0x20170e8 "\005\002\005", offset_base=0x2016da0 "II*",
displacement=12, section_index=13, ReadNextIFD=0, tag_table=0x949740)
at /archive/stuff/vulnsResearch/php_exif/php-5.3.5/ext/exif/exif.c:3115

Within the PoC image, bytes in position 358-35B can be used to craft
the value of the 'components' variable (int) which is later used within
memory read operations.

Two cases appear to be interesting:

{Case A - Negative value}
$hexdump -C ihaterepeating.jpeg | grep -i "03 00 00 A0"
results in "components=-1610612733"

{Case B - Positive value}
$hexdump -C ihaterepeating2.jpeg | grep -i "01 00 00 20"
results in "components=536870913"
Please note that 0x20 = 32dec

As mentioned, the value of the 'components' variable is later computed
in memory operations within another variable named 'length'.
Such value is used in a for-loop instruction (line 1745) to read image
metadata starting from a memory address.

Although it is possible to control the offset, the following
instructions (line 1671) limit such value to positive integers only.

 <-- cut here -->
if (length < 0) {
 <-- cut here -->

Consequently it seems possible to oversize the expected value only,
which results in a memory access violation.


Two images (case A and B) have been properly crafted: (SegFault)


Test script:
echo" --- start ---\n\n";
echo" --- end ---\n\n";


exif_crafted_tag_fix (last revision 2011-02-12 21:54 UTC by
patch_fix_1 (last revision 2011-02-12 21:06 UTC by

Add a Patch

Pull Requests

Add a Pull Request


AllCommentsChangesGit/SVN commitsRelated reports
 [2011-02-12 22:06 UTC]
The following patch has been added/updated:

Patch Name: patch_fix_1
Revision:   1297544763
 [2011-02-12 22:54 UTC]
The following patch has been added/updated:

Patch Name: exif_crafted_tag_fix
Revision:   1297547647
 [2011-02-14 10:57 UTC]
-Status: Open +Status: Closed -Assigned To: +Assigned To: pajoye
 [2011-02-14 10:57 UTC]
This bug has been fixed in SVN.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
Thank you for the report, and for helping us make PHP better.

 [2011-02-16 12:38 UTC]
-CVE-ID: +CVE-ID: 2011-0708
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Mon Mar 04 02:01:29 2024 UTC