php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Sec Bug #60150 Integer overflow during the parsing of invalid exif header
Submitted: 2011-10-27 16:37 UTC Modified: 2011-11-28 22:39 UTC
From: flolechaud at gmail dot com Assigned: stas
Status: Closed Package: EXIF related
PHP Version: 5.4.0beta2 OS: All 32 bits
Private report: No CVE-ID: 2011-4566
 [2011-10-27 16:37 UTC] flolechaud at gmail dot com
Description:
------------
There is an integer overflow in ext/exif/exif.c that can be used in order to 
cause a denial of service or read arbitrary memory.

The bug is only present in 32 bits version.

The function 'exif_process_IFD_TAG' do not correctly check the 'offset_val' 
value.

====
exif.c:2852:

value_ptr = offset_base+offset_val;
		if (offset_val+byte_count > IFDlength || value_ptr < dir_entry) 
{
====

The check (offset_val + byte_count) is not safe :

(gdb) 
2852			value_ptr = offset_base+offset_val;
(gdb) 
2853			if (offset_val+byte_count > IFDlength || value_ptr < 
dir_entry) {
(gdb) 
2905		ImageInfo->sections_found |= FOUND_ANY_TAG;
(gdb) p/x offset_base 
$1 = 0x5af564
(gdb) p/x offset_val  
$2 = 0xf20008bc
(gdb) p/x value_ptr  
$3 = 0xf25afe20
(gdb) p/x offset_val     
$4 = 0xf20008bc
(gdb) p/x byte_count
$5 = 0xe000067
(gdb) p/x IFDlength 
$6 = 0x1586
(gdb) p/x offset_val+byte_count
$7 = 0x923
(gdb) p/x (int64_t)offset_val+byte_count
$8 = 0x100000923



$ CFLAGS="-m32 -g" CXXFLAGS="-m32 -g" ./configure --disable-all --enable-exif
$ CFLAGS="-m32 -g" CXXFLAGS="-m32 -g" make

$ php --version
PHP 5.4.0beta1 (cli) (built: Oct 19 2011 21:15:00) 
Copyright (c) 1997-2011 The PHP Group
Zend Engine v2.4.0, Copyright (c) 1998-2011 Zend Technologies



Test script:
---------------
florent$ cat run.php
<?php

$exif = exif_read_data($argv[1]);

?>

florent$ php run.php ./sample.jpg


Expected result:
----------------
Warning or Error without bad pointer dereference.

Actual result:
--------------
(gdb) r run.php ./Sample.jpg
Starting program: /Users/florent/Downloads/php-5.4.0beta1/sapi/cli/php run.php 
./Sample.jpg
Reading symbols for shared libraries ++........................ done

Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_INVALID_ADDRESS at address: 0xf25afe24
0x0008ba9c in php_strnlen (str=0xf25afe24 <Address 0xf25afe24 out of bounds>, 
maxlen=234881127) at exif.c:296
296		if (str && maxlen && *str) {
(gdb) bt
#0  0x0008ba9c in php_strnlen (str=0xf25afe24 <Address 0xf25afe24 out of 
bounds>, maxlen=234881127) at exif.c:296
#1  0x0008cf04 in exif_iif_add_value (image_info=0xbfffee30, section_index=7, 
name=0xbfffe818 "DateTimeOriginal", tag=36867, format=2, length=234881127, 
value=0xf25afe24, motorola_intel=0) at exif.c:1699
#2  0x0008d284 in exif_iif_add_tag (image_info=0xbfffee30, section_index=7, 
name=0xbfffe818 "DateTimeOriginal", tag=36867, format=2, length=234881127, 
value=0xf25afe24) at exif.c:1803
#3  0x00090b56 in exif_process_IFD_TAG (ImageInfo=0xbfffee30, dir_entry=0x5af6a8 
"\003?\002", offset_base=0x5af568 "II*", IFDlength=5510, displacement=12, 
section_index=7, ReadNextIFD=1, tag_table=0x4291a0) at exif.c:3110
#4  0x00090d20 in exif_process_IFD_in_JPEG (ImageInfo=0xbfffee30, 
dir_start=0x5af66a "#", offset_base=0x5af568 "II*", IFDlength=5510, 
displacement=12, section_index=7) at exif.c:3138
#5  0x00090ae3 in exif_process_IFD_TAG (ImageInfo=0xbfffee30, dir_entry=0x5af5ea 
"i?\004", offset_base=0x5af568 "II*", IFDlength=5510, displacement=12, 
section_index=3, ReadNextIFD=1, tag_table=0x4291a0) at exif.c:3101
#6  0x00090d20 in exif_process_IFD_in_JPEG (ImageInfo=0xbfffee30, 
dir_start=0x5af570 "\f", offset_base=0x5af568 "II*", IFDlength=5510, 
displacement=12, section_index=3) at exif.c:3138
#7  0x00091032 in exif_process_TIFF_in_JPEG (ImageInfo=0xbfffee30, 
CharBuf=0x5af568 "II*", length=5510, displacement=12) at exif.c:3215
#8  0x0009114a in exif_process_APP1 (ImageInfo=0xbfffee30, CharBuf=0x5af560 
"\025?Exif", length=5518, displacement=4) at exif.c:3240
#9  0x00091792 in exif_scan_JPEG_header (ImageInfo=0xbfffee30) at exif.c:3385
#10 0x000927e4 in exif_scan_FILE_header (ImageInfo=0xbfffee30) at exif.c:3763
#11 0x000931c8 in exif_read_file (ImageInfo=0xbfffee30, FileName=0x5aa3c4 
"./Sample.jpg", read_thumbnail=0, read_all=0) at exif.c:3902
#12 0x00093412 in zif_exif_read_data (ht=1, return_value=0x5ab254, 
return_value_ptr=0x0, this_ptr=0x0, return_value_used=1) at exif.c:3955
#13 0x00265c88 in zend_do_fcall_common_helper_SPEC (execute_data=0x592028) at 
zend_vm_execute.h:642
#14 0x0026d26b in ZEND_DO_FCALL_SPEC_CONST_HANDLER (execute_data=0x592028) at 
zend_vm_execute.h:2215
#15 0x00264529 in execute (op_array=0x5ac7a4) at zend_vm_execute.h:410
#16 0x00225f27 in zend_execute_scripts (type=8, retval=0x0, file_count=3) at 
zend.c:1271
#17 0x00199f29 in php_execute_script (primary_file=0xbffffa60) at main.c:2391
#18 0x0038625c in do_cli (argc=3, argv=0xbffffc04) at php_cli.c:983
#19 0x00387837 in main (argc=3, argv=0xbffffc04) at php_cli.c:1356

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2011-11-18 05:22 UTC] stas@php.net
Could you supply the test image you were using?
 [2011-11-18 09:05 UTC] flolechaud at gmail dot com
Sample.jpg ==> http://dl.free.fr/iwbRQHm0v
 [2011-11-19 04:39 UTC] stas@php.net
This bug has been fixed in SVN.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.

 For Windows:

http://windows.php.net/snapshots/
 
Thank you for the report, and for helping us make PHP better.


 [2011-11-19 04:39 UTC] stas@php.net
-Status: Open +Status: Closed -Assigned To: +Assigned To: stas
 [2011-11-19 04:40 UTC] stas@php.net
Automatic comment from SVN on behalf of stas
Revision: http://svn.php.net/viewvc/?view=revision&amp;revision=319534
Log: Fix bug #60150 (Integer overflow during the parsing of invalid exif header)
 [2011-11-19 04:49 UTC] stas@php.net
Automatic comment from SVN on behalf of stas
Revision: http://svn.php.net/viewvc/?view=revision&amp;revision=319535
Log: fix bug #60150 for 5.3 too
 [2011-11-28 22:31 UTC] flolechaud at gmail dot com
CVE-2011-4566 assigned to this issue.
Credit: Florent HOCHWELKER
 [2011-11-28 22:39 UTC] stas@php.net
-CVE-ID: +CVE-ID: 2011-4566
 [2012-04-18 09:47 UTC] laruence@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=c9b7ddf9fb0f7364bc8f71e960dcd2dcd6847ba3
Log: Fix bug #60150 (Integer overflow during the parsing of invalid exif header)
 [2012-07-24 23:38 UTC] rasmus@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=c9b7ddf9fb0f7364bc8f71e960dcd2dcd6847ba3
Log: Fix bug #60150 (Integer overflow during the parsing of invalid exif header)
 [2013-11-17 09:35 UTC] laruence@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=c9b7ddf9fb0f7364bc8f71e960dcd2dcd6847ba3
Log: Fix bug #60150 (Integer overflow during the parsing of invalid exif header)
 
PHP Copyright © 2001-2014 The PHP Group
All rights reserved.
Last updated: Wed Apr 16 19:02:26 2014 UTC