php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #68547 PHP 5.6.2 Exif Header component value check error
Submitted: 2014-12-04 23:34 UTC Modified: 2016-08-05 08:03 UTC
From: sjh21a at gmail dot com Assigned: kalle (profile)
Status: Closed Package: EXIF related
PHP Version: 5.6.3 OS: Ubuntu 14.04
Private report: No CVE-ID: None
 [2014-12-04 23:34 UTC] sjh21a at gmail dot com
Description:
------------
PHP 5.6.2 Exif Header component value check error

this bug is exif_process_IFD_TAG() function of ext/exif.c

in exif header, get a components value as follows

2818: components = php_ifd_get32u(dir_entry+4, ImageInfo->motorola_intel);

dir_entry+4 exists in jpg or tiff files, attacker can modify this all.

look at the below code, a wrong check to components value.

2827: if (components < 0) {
2828:	exif_error_docref("exif_read_data#error_ifd" EXIFERR_CC, ImageInfo, E_WARNING, "Process tag(x%04X=%s): Illegal components(%ld)", tag, exif_get_tagname(tag, tagname, -12, tag_table TSRMLS_CC), components);
2829:	return FALSE;
2830: }

only check to components value is negative, doesn't check to 0 value

if components value was 0, problem occurs in the below code.

2832: byte_count_signed = (int64_t)components * php_tiff_bytes_per_format[format];

above calculation result are being 0, this can bypass to below code.

2833: if (byte_count_signed < 0 || (byte_count_signed > INT32_MAX)) {
2834: 	exif_error_docref("exif_read_data#error_ifd" EXIFERR_CC, ImageInfo, E_WARNING, "Process tag(x%04X=%s): Illegal byte_count", tag, exif_get_tagname(tag, tagname, -12, tag_table TSRMLS_CC));
2835:	return FALSE;
2836: }

effect: an attacker may be free to any memory area, if do not use to zend_mm, use after free has occurred.

set the memory to be free from jpg file.

enable zend_mm
	root@ubuntu:~/x# php x.php crash.jpg ; gdb -q php core
	Segmentation fault (core dumped)
	Reading symbols from php...done.
	[New LWP 9998]
	[Thread debugging using libthread_db enabled]
	Using host libthread_db library "/lib/i386-linux-gnu/libthread_db.so.1".
	Core was generated by `php x.php crash.jpg'.
	Program terminated with signal SIGSEGV, Segmentation fault.
	#0  _zend_mm_free_int (heap=0x887ea38, p=0x41414141) at /root/php-5.6.2/Zend/zend_alloc.c:2076
	                                       ^^^^^^^^^^^^^
	2076		size = ZEND_MM_BLOCK_SIZE(mm_block);
	(gdb) 

disable zend_mm : # export USE_ZEND_ALLOC=0
	root@ubuntu:~/x# php x.php crash.jpg ; gdb -q php core
	Segmentation fault (core dumped)
	Reading symbols from php...done.
	[New LWP 10016]
	[Thread debugging using libthread_db enabled]
	Using host libthread_db library "/lib/i386-linux-gnu/libthread_db.so.1".
	Core was generated by `php x.php crash.jpg'.
	Program terminated with signal SIGSEGV, Segmentation fault.
	#0  __GI___libc_free (mem=0x41414141) at malloc.c:2929
						  ^^^^^^^^^^^^^^
	2929	malloc.c: No such file or directory.
	(gdb) 

Test script:
---------------
root@ubuntu:~/x# cat x.php
<?
	error_reporting(0);

	exif_read_data($argv[1]);
	exif_thumbnail($argv[1]);

?>

and below link is crash image file

https://www.dropbox.com/s/hius8be0r9h8hk0/trig.jpg?dl=0




Patches

exif.c_line_2827 (last revision 2014-12-05 08:37 UTC) by sjh21a at gmail dot com)

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2014-12-04 23:36 UTC] sjh21a at gmail dot com
i found this bug on php-5.6.2
but still work 5.6.3
 [2016-08-05 08:03 UTC] kalle@php.net
Automatic comment on behalf of kalle
Revision: http://git.php.net/?p=php-src.git;a=commit;h=1740823864fe22f469642c68c5bf389d1a30f43c
Log: Fixed bug #68547 (Exif Header component value check error) (Patch by sjh21a at gmail dot com)
 [2016-08-05 08:03 UTC] kalle@php.net
-Status: Open +Status: Closed
 [2016-08-05 08:03 UTC] kalle@php.net
-Assigned To: +Assigned To: kalle
 [2016-08-05 08:03 UTC] kalle@php.net
Fixed for PHP 7.2
 [2016-10-10 11:17 UTC] krakjoe@php.net
Automatic comment on behalf of kalle
Revision: http://git.php.net/?p=php-src.git;a=commit;h=1740823864fe22f469642c68c5bf389d1a30f43c
Log: Fixed bug #68547 (Exif Header component value check error) (Patch by sjh21a at gmail dot com)
 [2017-01-12 09:12 UTC] krakjoe@php.net
Automatic comment on behalf of kalle
Revision: http://git.php.net/?p=php-src.git;a=commit;h=1740823864fe22f469642c68c5bf389d1a30f43c
Log: Fixed bug #68547 (Exif Header component value check error) (Patch by sjh21a at gmail dot com)
 
PHP Copyright © 2001-2017 The PHP Group
All rights reserved.
Last updated: Sun Nov 19 01:31:42 2017 UTC