php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #66147 exif_read_data causes segmentation fault on some JPEG files with EXIF
Submitted: 2013-11-22 14:35 UTC Modified: 2016-08-28 04:22 UTC
Votes:4
Avg. Score:4.8 ± 0.4
Reproduced:4 of 4 (100.0%)
Same Version:3 (75.0%)
Same OS:3 (75.0%)
From: stephon at gmail dot com Assigned: cmb (profile)
Status: No Feedback Package: EXIF related
PHP Version: 5.6.8 OS: FreeBSD 9.2-Release,Windows 7
Private report: No CVE-ID: None
Have you experienced this issue?
Rate the importance of this bug to you:

 [2013-11-22 14:35 UTC] stephon at gmail dot com
Description:
------------
Hello all,

We have found that some kind of JPEG files using exif_read_data causes segmentation fault, like the image below:
http://people.cs.nctu.edu.tw/~chenbc/php-mbstring-coredump.jpg

Our test environment has PHP exif and mbstring extensions enabled.
When only exif extension enabled, the scripts works fine.
but it cause segmentation fault while both exif and mbstring extension enabled.

Here are GDB trace results:
> gdb /usr/local/bin/php
GNU gdb 6.1.1 [FreeBSD]
Copyright 2004 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "amd64-marcel-freebsd"...(no debugging symbols found)...
(gdb) run test2.php
Starting program: /usr/local/bin/php test2.php
(no debugging symbols found)...(no debugging symbols found)...(no debugging symbols found)...(no debugging symbols found)...(no debugging symbols found)...(no debugging symbols found)...(no debugging symbols found)...(no debugging symbols found)...[New LWP 100417]
(no debugging symbols found)...(no debugging symbols found)...[New Thread 1002407400 (LWP 100417/php)]
(no debugging symbols found)...(no debugging symbols found)...(no debugging symbols found)...(no debugging symbols found)...(no debugging symbols found)...(no debugging symbols found)...(no debugging symbols found)...(no debugging symbols found)...(no debugging symbols found)...(no debugging symbols found)...(no debugging symbols found)...(no debugging symbols found)...(no debugging symbols found)...(no debugging symbols found)...(no debugging symbols found)...(no debugging symbols found)...(no debugging symbols found)...(no debugging symbols found)...(no debugging symbols found)...(no debugging symbols found)...(no debugging symbols found)...(no debugging symbols found)...(no debugging symbols found)...(no debugging symbols found)...(no debugging symbols found)...(no debugging symbols found)...(no debugging symbols found)...(no debugging symbols found)...(no debugging symbols found)...(no debugging symbols found)...(no debugging symbols found)...(no debugging symbols found)...(no debugging symbols found)...(no debugging symbols found)...(no debugging symbols found)...(no debugging symbols found)...(no debugging symbols found)...(no debugging symbols found)...(no debugging symbols found)...(no debugging symbols found)...(no debugging symbols found)...(no debugging symbols found)...(no debugging symbols found)...(no debugging symbols found)...(no debugging symbols found)...(no debugging symbols found)...(no debugging symbols found)...

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 1002407400 (LWP 100417/php)]
0x0000001003276b9d in mbfl_buffer_converter_new2 () from /usr/local/lib/php/20100525/mbstring.so

But in our environment, mbstring is needed for other programs use.
Is there any way to keep both exif and mbstring enabled, or how to skip errors while exif_read_data causes problems?

Thanks a lot

Test script:
---------------
#!/usr/local/bin/php

<?php
$file = 'php-mbstring-coredump.jpg';
$array = exif_read_data($file);
print_r($array);
exit;

Expected result:
----------------
Array
(
    [FileName] => test2.jpg
    [FileDateTime] => 1385117776
    [FileSize] => 23155
    [FileType] => 2
    [MimeType] => image/jpeg
    [SectionsFound] => ANY_TAG, IFD0, EXIF, INTEROP
    [COMPUTED] => Array
        (
            [html] => width="240" height="320"
            [Height] => 320
            [Width] => 240
            [IsColor] => 1
            [ByteOrderMotorola] => 1
            [ExposureTime] => 0.500 s (1/2)
            [Copyright] => stephonhaha
        )

    [ImageDescription] => 20090918164650
    [Make] => DoCoMo
    [Model] => L704i
    [Orientation] => 1
    [XResolution] => 72/1
    [YResolution] => 72/1
    [ResolutionUnit] => 2
    [DateTime] => 2009:09:18 17:36:57
    [YCbCrPositioning] => 1
    [Copyright] => stephonhaha
    [Exif_IFD_Pointer] => 224
    [ExifVersion] => 0220
    [DateTimeOriginal] => 2009:09:18 16:48:42
    [DateTimeDigitized] => 2009:09:18 17:36:57
    [ComponentsConfiguration] =>
    [ShutterSpeedValue] => 1/1
    [Flash] => 1
    [FocalLength] => 1/1
    [MakerNote] =>
    [UserComment] => JISP2009_0918_164842
    [FlashPixVersion] => 0100
    [ColorSpace] => 1
    [ExifImageWidth] => 240
    [ExifImageLength] => 320
    [InteroperabilityOffset] => 498
    [InterOperabilityIndex] => R98
    [InterOperabilityVersion] => 0100
)

Actual result:
--------------
Segmentation fault


Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2015-05-03 17:43 UTC] cmb@php.net
-Status: Open +Status: Verified -Operating System: FreeBSD 9.2-Release +Operating System: FreeBSD 9.2-Release,Windows 7 -PHP Version: 5.4.22 +PHP Version: 5.6.8
 [2016-03-15 14:11 UTC] brandon at invisionpower dot com
We have encountered what I believe to be the same bug, although as I'm not 100% certain I just wanted to add my findings.

Our reproducible test case can be found here: http://bfarber.invisionzone.com/exif.zip

The zip contains an image that fails, as well as a small PHP script doing the following:

<?php

var_dump( exif_read_data( '50v.jpg', NULL, TRUE ) );

MBString is required in our software environment, so disabling it is not an option, but I did test and have confirmed that disabling mbstring allows exif_read_data to work normally.

I have duplicated this issue on CentOS, Amazon hosting and on Windows 7 using WAMP.  I have duplicated the issue with PHP 5.6.17 and 5.5.12.
 [2016-08-20 16:15 UTC] cmb@php.net
-Status: Verified +Status: Feedback -Package: mbstring related +Package: EXIF related -Assigned To: +Assigned To: cmb
 [2016-08-20 16:15 UTC] cmb@php.net
This ticket appears to be a duplicate of bug #72618. At least I
can reproduce the segfaults with PHP 5.6.23, but not with 5.6.24.

So please try with PHP 5.6.24 or newer.
 [2016-08-28 04:22 UTC] php-bugs at lists dot php dot net
No feedback was provided. The bug is being suspended because
we assume that you are no longer experiencing the problem.
If this is not the case and you are able to provide the
information that was requested earlier, please do so and
change the status of the bug back to "Re-Opened". Thank you.
 
PHP Copyright © 2001-2017 The PHP Group
All rights reserved.
Last updated: Sun Nov 19 01:31:42 2017 UTC