Sec Bug #72094 Out of bounds heap read access in exif header processing
Submitted: 2016-04-24 08:40 UTC Modified: 2016-05-06 06:47 UTC
From: hanno at hboeck dot de Assigned: stas
Status: Closed Package: EXIF related
PHP Version: 5.5.34 OS: Linux
Private report: No CVE-ID: 2016-4542
 [2016-04-24 08:40 UTC] hanno at hboeck dot de
Description:
------------
A malformed input to the function exif_read_data() can cause an out of bounds heap memory read access. This was found with american fuzzy lop.


To test, run the test script on the attached file with PHP compiled with AddressSanitizer (-fsanitize=address in CFLAGS) and USE_ZEND_ALLOC=0.

==29327==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000aadf at pc 0x000000e9c33d bp 0x7fff5e16fc70 sp 0x7fff5e16fc68
READ of size 1 at 0x60200000aadf thread T0
    #0 0xe9c33c in php_ifd_get32s /f/php/php-7.0.5/ext/exif/exif.c:1102:12
    #1 0xe9c33c in php_ifd_get32u /f/php/php-7.0.5/ext/exif/exif.c:1114
    #2 0xe9c33c in exif_process_TIFF_in_JPEG /f/php/php-7.0.5/ext/exif/exif.c:3191
    #3 0xe9c33c in exif_process_APP1 /f/php/php-7.0.5/ext/exif/exif.c:3228
    #4 0xe9c33c in exif_scan_JPEG_header /f/php/php-7.0.5/ext/exif/exif.c:3373
    #5 0xe9c33c in exif_scan_FILE_header /f/php/php-7.0.5/ext/exif/exif.c:3755
    #6 0xe9c33c in exif_read_file /f/php/php-7.0.5/ext/exif/exif.c:3897
    #7 0xe91d1d in zif_exif_read_data /f/php/php-7.0.5/ext/exif/exif.c:3950:8
    #8 0x1a2b071 in ZEND_DO_ICALL_SPEC_HANDLER /f/php/php-7.0.5/Zend/zend_vm_execute.h:586:2
    #9 0x18a5205 in execute_ex /f/php/php-7.0.5/Zend/zend_vm_execute.h:417:7
    #10 0x18a614b in zend_execute /f/php/php-7.0.5/Zend/zend_vm_execute.h:458:2
    #11 0x170c15d in zend_execute_scripts /f/php/php-7.0.5/Zend/zend.c:1427:4
    #12 0x14d438b in php_execute_script /f/php/php-7.0.5/main/main.c:2487:14
    #13 0x1ae9ed3 in do_cli /f/php/php-7.0.5/sapi/cli/php_cli.c:974:5
    #14 0x1ae6e64 in main /f/php/php-7.0.5/sapi/cli/php_cli.c:1344:18
    #15 0x7f7fecf1578f in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.23-r2/work/glibc-2.23/csu/../csu/libc-start.c:289
    #16 0x462198 in _start (/mnt/ram/php/php+0x462198)

0x60200000aadf is located 0 bytes to the right of 15-byte region [0x60200000aad0,0x60200000aadf)
allocated by thread T0 here:
    #0 0x50a008 in malloc (/mnt/ram/php/php+0x50a008)
    #1 0x1614bc2 in _emalloc /f/php/php-7.0.5/Zend/zend_alloc.c:2446:11
    #2 0xe91d1d in zif_exif_read_data /f/php/php-7.0.5/ext/exif/exif.c:3950:8
    #3 0x1a2b071 in ZEND_DO_ICALL_SPEC_HANDLER /f/php/php-7.0.5/Zend/zend_vm_execute.h:586:2


Test script:
---------------
<?php
/* Needs specific malformed JPG file */
print_r(exif_read_data($argv[1]));



Patches

2a (last revision 2016-09-18 02:38 UTC) by 626715024 at qq dot com


History

 [2016-04-24 08:42 UTC] hanno at hboeck dot de
It seems it is not possible to attach files to bug reports; I'll send the sample file triggering the bug to security@php.net.
 [2016-04-24 10:17 UTC] hanno at hboeck dot de
I found three further similar issues (and a smaller PoC testcase for the first one) and will send them all to security@php.net.

ASAN stack traces:

==32628==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60c00000bab9 at pc 0x000000ea56d4 bp 0x7fff3c949990 sp 0x7fff3c949988
READ of size 1 at 0x60c00000bab9 thread T0
    #0 0xea56d3 in php_ifd_get16u /f/php/php-7.0.5/ext/exif/exif.c:1079:11
    #1 0xea56d3 in exif_process_IFD_in_JPEG /f/php/php-7.0.5/ext/exif/exif.c:3118
    #2 0xe9b0cd in exif_process_TIFF_in_JPEG /f/php/php-7.0.5/ext/exif/exif.c:3203:2
    #3 0xe9b0cd in exif_process_APP1 /f/php/php-7.0.5/ext/exif/exif.c:3228
    #4 0xe9b0cd in exif_scan_JPEG_header /f/php/php-7.0.5/ext/exif/exif.c:3373
    #5 0xe9b0cd in exif_scan_FILE_header /f/php/php-7.0.5/ext/exif/exif.c:3755
    #6 0xe9b0cd in exif_read_file /f/php/php-7.0.5/ext/exif/exif.c:3897
    #7 0xe91d1d in zif_exif_read_data /f/php/php-7.0.5/ext/exif/exif.c:3950:8
    #8 0x1a2b071 in ZEND_DO_ICALL_SPEC_HANDLER /f/php/php-7.0.5/Zend/zend_vm_execute.h:586:2
    #9 0x18a5205 in execute_ex /f/php/php-7.0.5/Zend/zend_vm_execute.h:417:7
    #10 0x18a614b in zend_execute /f/php/php-7.0.5/Zend/zend_vm_execute.h:458:2
    #11 0x170c15d in zend_execute_scripts /f/php/php-7.0.5/Zend/zend.c:1427:4
    #12 0x14d438b in php_execute_script /f/php/php-7.0.5/main/main.c:2487:14
    #13 0x1ae9ed3 in do_cli /f/php/php-7.0.5/sapi/cli/php_cli.c:974:5
    #14 0x1ae6e64 in main /f/php/php-7.0.5/sapi/cli/php_cli.c:1344:18
    #15 0x7f01f61d678f in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.23-r2/work/glibc-2.23/csu/../csu/libc-start.c:289
    #16 0x462198 in _start (/mnt/ram/php/php+0x462198)

0x60c00000bab9 is located 0 bytes to the right of 121-byte region [0x60c00000ba40,0x60c00000bab9)
allocated by thread T0 here:
    #0 0x50a008 in malloc (/mnt/ram/php/php+0x50a008)
    #1 0x1614bc2 in _emalloc /f/php/php-7.0.5/Zend/zend_alloc.c:2446:11
    #2 0xe91d1d in zif_exif_read_data /f/php/php-7.0.5/ext/exif/exif.c:3950:8
    #3 0x1a2b071 in ZEND_DO_ICALL_SPEC_HANDLER /f/php/php-7.0.5/Zend/zend_vm_execute.h:586:2




==32640==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x608000064ffd at pc 0x000000ea573b bp 0x7ffced947670 sp 0x7ffced947668
READ of size 1 at 0x608000064ffd thread T0
    #0 0xea573a in php_ifd_get32s /f/php/php-7.0.5/ext/exif/exif.c:1102:12
    #1 0xea573a in php_ifd_get32u /f/php/php-7.0.5/ext/exif/exif.c:1114
    #2 0xea573a in exif_process_IFD_in_JPEG /f/php/php-7.0.5/ext/exif/exif.c:3141
    #3 0xe9b0cd in exif_process_TIFF_in_JPEG /f/php/php-7.0.5/ext/exif/exif.c:3203:2
    #4 0xe9b0cd in exif_process_APP1 /f/php/php-7.0.5/ext/exif/exif.c:3228
    #5 0xe9b0cd in exif_scan_JPEG_header /f/php/php-7.0.5/ext/exif/exif.c:3373
    #6 0xe9b0cd in exif_scan_FILE_header /f/php/php-7.0.5/ext/exif/exif.c:3755
    #7 0xe9b0cd in exif_read_file /f/php/php-7.0.5/ext/exif/exif.c:3897
    #8 0xe91d1d in zif_exif_read_data /f/php/php-7.0.5/ext/exif/exif.c:3950:8
    #9 0x1a2b071 in ZEND_DO_ICALL_SPEC_HANDLER /f/php/php-7.0.5/Zend/zend_vm_execute.h:586:2
    #10 0x18a5205 in execute_ex /f/php/php-7.0.5/Zend/zend_vm_execute.h:417:7
    #11 0x18a614b in zend_execute /f/php/php-7.0.5/Zend/zend_vm_execute.h:458:2
    #12 0x170c15d in zend_execute_scripts /f/php/php-7.0.5/Zend/zend.c:1427:4
    #13 0x14d438b in php_execute_script /f/php/php-7.0.5/main/main.c:2487:14
    #14 0x1ae9ed3 in do_cli /f/php/php-7.0.5/sapi/cli/php_cli.c:974:5
    #15 0x1ae6e64 in main /f/php/php-7.0.5/sapi/cli/php_cli.c:1344:18
    #16 0x7f8294acd78f in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.23-r2/work/glibc-2.23/csu/../csu/libc-start.c:289
    #17 0x462198 in _start (/mnt/ram/php/php+0x462198)

0x608000064ffd is located 0 bytes to the right of 93-byte region [0x608000064fa0,0x608000064ffd)
allocated by thread T0 here:
    #0 0x50a008 in malloc (/mnt/ram/php/php+0x50a008)
    #1 0x1614bc2 in _emalloc /f/php/php-7.0.5/Zend/zend_alloc.c:2446:11
    #2 0xe91d1d in zif_exif_read_data /f/php/php-7.0.5/ext/exif/exif.c:3950:8
    #3 0x1a2b071 in ZEND_DO_ICALL_SPEC_HANDLER /f/php/php-7.0.5/Zend/zend_vm_execute.h:586:2




==32653==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60c00000bab9 at pc 0x0000004ac0cc bp 0x7ffd919101d0 sp 0x7ffd9190f980
READ of size 7 at 0x60c00000bab9 thread T0
    #0 0x4ac0cb in __interceptor_strlen (/mnt/ram/php/php+0x4ac0cb)
    #1 0x14e79af in xbuf_format_converter /f/php/php-7.0.5/main/spprintf.c:609:16
    #2 0x14edc17 in vspprintf /f/php/php-7.0.5/main/spprintf.c:847:2
    #3 0x14edc17 in spprintf /f/php/php-7.0.5/main/spprintf.c:871
    #4 0xea7ea8 in exif_process_IFD_TAG /f/php/php-7.0.5/ext/exif/exif.c:2949:7
    #5 0xea4e69 in exif_process_IFD_in_JPEG /f/php/php-7.0.5/ext/exif/exif.c:3126:8
    #6 0xe9b0cd in exif_process_TIFF_in_JPEG /f/php/php-7.0.5/ext/exif/exif.c:3203:2
    #7 0xe9b0cd in exif_process_APP1 /f/php/php-7.0.5/ext/exif/exif.c:3228
    #8 0xe9b0cd in exif_scan_JPEG_header /f/php/php-7.0.5/ext/exif/exif.c:3373
    #9 0xe9b0cd in exif_scan_FILE_header /f/php/php-7.0.5/ext/exif/exif.c:3755
    #10 0xe9b0cd in exif_read_file /f/php/php-7.0.5/ext/exif/exif.c:3897
    #11 0xe91d1d in zif_exif_read_data /f/php/php-7.0.5/ext/exif/exif.c:3950:8
    #12 0x1a2b071 in ZEND_DO_ICALL_SPEC_HANDLER /f/php/php-7.0.5/Zend/zend_vm_execute.h:586:2
    #13 0x18a5205 in execute_ex /f/php/php-7.0.5/Zend/zend_vm_execute.h:417:7
    #14 0x18a614b in zend_execute /f/php/php-7.0.5/Zend/zend_vm_execute.h:458:2
    #15 0x170c15d in zend_execute_scripts /f/php/php-7.0.5/Zend/zend.c:1427:4
    #16 0x14d438b in php_execute_script /f/php/php-7.0.5/main/main.c:2487:14
    #17 0x1ae9ed3 in do_cli /f/php/php-7.0.5/sapi/cli/php_cli.c:974:5
    #18 0x1ae6e64 in main /f/php/php-7.0.5/sapi/cli/php_cli.c:1344:18
    #19 0x7f88edb1078f in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.23-r2/work/glibc-2.23/csu/../csu/libc-start.c:289
    #20 0x462198 in _start (/mnt/ram/php/php+0x462198)

0x60c00000bab9 is located 0 bytes to the right of 121-byte region [0x60c00000ba40,0x60c00000bab9)
allocated by thread T0 here:
    #0 0x50a008 in malloc (/mnt/ram/php/php+0x50a008)
    #1 0x1614bc2 in _emalloc /f/php/php-7.0.5/Zend/zend_alloc.c:2446:11
    #2 0xe91d1d in zif_exif_read_data /f/php/php-7.0.5/ext/exif/exif.c:3950:8
    #3 0x1a2b071 in ZEND_DO_ICALL_SPEC_HANDLER /f/php/php-7.0.5/Zend/zend_vm_execute.h:586:2
 [2016-04-25 02:35 UTC] stas@php.net
-PHP Version: 7.0.5 +PHP Version: 5.5.34 -Assigned To: +Assigned To: stas
 [2016-04-25 02:35 UTC] stas@php.net
Fixed in security repo as 082aecfc3a753ad03be82cf14f03ac065723ec92 and in gist: https://gist.github.com/452c5cf433f1bdeb66d6b28bae17b7ac

Please verify.
 [2016-04-25 12:21 UTC] hanno at hboeck dot de
I can confirm that php 7.0.5 + the gist patch fixes all bugs.
 [2016-04-27 05:57 UTC] stas@php.net
-Status: Assigned +Status: Closed
 [2016-04-27 05:57 UTC] stas@php.net
The fix for this bug has been committed.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.

 For Windows:

http://windows.php.net/snapshots/
 
Thank you for the report, and for helping us make PHP better.


 [2016-04-27 06:49 UTC] stas@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=082aecfc3a753ad03be82cf14f03ac065723ec92
Log: Fix bug #72094 - Out of bounds heap read access in exif header processing
 [2016-04-27 10:31 UTC] ab@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=082aecfc3a753ad03be82cf14f03ac065723ec92
Log: Fix bug #72094 - Out of bounds heap read access in exif header processing
 [2016-04-27 11:00 UTC] ab@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=1366c0362f1fa85e82bde9c0b393bd3bb3d32892
Log: Fix bug #72094 - Out of bounds heap read access in exif header processing
 [2016-05-06 06:47 UTC] remi@php.net
-CVE-ID: +CVE-ID: 2016-4542
 [2016-05-06 06:47 UTC] remi@php.net
Use CVE-2016-4542 for the issue associated with the spprintf call.

Use CVE-2016-4543 for both issues in which "Illegal IFD size" validation was added.

Use CVE-2016-4544 for the issue in which "Invalid TIFF start" validation was added.
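All four ASAN traces above end in php_ifd_get16u/php_ifd_get32u (or strlen via spprintf) dereferencing an offset taken from the file itself, one byte past the end of the buffer emalloc'd in zif_exif_read_data. The three validations remi names map to three places where such an offset must be checked before it is used. The following is an added illustration written for this page, not exif.c's code and not the patch in 082aecfc: a minimal IFD0 parser for an Exif APP1 payload in which every file-derived offset and length is checked against the buffer before any read. The status names (EXIF_ERR_*), the function names and the sample byte strings are this example's own constructions; the reporter's actual PoC files were sent privately to security@php.net and are not reproduced here.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Return codes of this example (hypothetical names, not exif.c's). */
enum { EXIF_OK = 0, EXIF_ERR_TIFF_START, EXIF_ERR_IFD_SIZE, EXIF_ERR_ENTRY_DATA };

typedef struct {
    uint16_t tag, type;
    uint32_t count, value_or_offset; /* raw 4-byte field: inline value or offset */
} ifd_entry;

/* Every access is gated by this: [off, off+n) must lie inside a len-byte buffer.
 * 64-bit arithmetic so an attacker-chosen offset or count cannot wrap around. */
static int in_bounds(size_t len, uint64_t off, uint64_t n)
{
    return off <= len && n <= (uint64_t)len - off;
}

/* Raw readers in the role of php_ifd_get16u/php_ifd_get32u: no checking here,
 * so the caller must already have proved the bytes are in bounds. */
static uint16_t get16u(const uint8_t *p, int motorola)
{
    return motorola ? (uint16_t)(p[0] << 8 | p[1]) : (uint16_t)(p[1] << 8 | p[0]);
}
static uint32_t get32u(const uint8_t *p, int motorola)
{
    return motorola ? (uint32_t)get16u(p, 1) << 16 | get16u(p + 2, 1)
                    : (uint32_t)get16u(p + 2, 0) << 16 | get16u(p, 0);
}

/* Byte width of TIFF field types 1..12 (BYTE, ASCII, SHORT, LONG, RATIONAL, ...). */
static const uint8_t type_size[13] = { 0, 1, 1, 2, 4, 8, 1, 1, 2, 4, 8, 4, 8 };

/* Parse IFD0 of an Exif APP1 payload ("Exif\0\0" + TIFF header + IFD0) into out[].
 * Returns EXIF_OK or an error code and never reads past buf + len. */
int exif_parse_ifd0(const uint8_t *buf, size_t len, ifd_entry *out, size_t max_out,
                    size_t *n_out)
{
    *n_out = 0;
    /* "Invalid TIFF start": 6-byte Exif marker plus 8-byte TIFF header must fit. */
    if (len < 14 || memcmp(buf, "Exif\0\0", 6) != 0) return EXIF_ERR_TIFF_START;
    const uint8_t *tiff = buf + 6;
    size_t tiff_len = len - 6;
    int motorola;
    if (tiff[0] == 'M' && tiff[1] == 'M') motorola = 1;
    else if (tiff[0] == 'I' && tiff[1] == 'I') motorola = 0;
    else return EXIF_ERR_TIFF_START;
    if (get16u(tiff + 2, motorola) != 42) return EXIF_ERR_TIFF_START;
    /* "Illegal IFD size": the IFD offset comes from the file. First the 2-byte entry
     * count must fit, then count*12 bytes of entries plus the 4-byte next-IFD link. */
    uint32_t ifd_off = get32u(tiff + 4, motorola);
    if (!in_bounds(tiff_len, ifd_off, 2)) return EXIF_ERR_IFD_SIZE;
    uint16_t n = get16u(tiff + ifd_off, motorola);
    if (!in_bounds(tiff_len, (uint64_t)ifd_off + 2, (uint64_t)n * 12 + 4))
        return EXIF_ERR_IFD_SIZE;
    const uint8_t *e = tiff + ifd_off + 2;
    for (uint16_t i = 0; i < n; i++, e += 12) {
        ifd_entry ent = { get16u(e, motorola), get16u(e + 2, motorola),
                          get32u(e + 4, motorola), get32u(e + 8, motorola) };
        if (ent.type == 0 || ent.type > 12) return EXIF_ERR_ENTRY_DATA;
        uint64_t bytes = (uint64_t)ent.count * type_size[ent.type];
        /* Values wider than 4 bytes live at value_or_offset; an unchecked ASCII value
         * there is what lets strlen()/spprintf() run off the end of the buffer. */
        if (bytes > 4 && !in_bounds(tiff_len, ent.value_or_offset, bytes))
            return EXIF_ERR_ENTRY_DATA;
        if (i < max_out) out[i] = ent;
    }
    *n_out = n < max_out ? n : max_out;
    return EXIF_OK;
}

/* Constructed inputs (not the reporter's samples, which went to security@php.net). */
static const uint8_t sample_valid[] = {
    'E','x','i','f',0,0, 'I','I',0x2a,0, 8,0,0,0,  /* marker, little-endian, IFD0 at +8 */
    1,0, 0x10,0x01, 2,0, 4,0,0,0, 'C','a','m',0,   /* 1 entry: Model, ASCII x4, inline */
    0,0,0,0 };                                     /* no next IFD */
static const uint8_t sample_bad_ifd_offset[] = {   /* IFD0 claimed at +0x10000000 */
    'E','x','i','f',0,0, 'I','I',0x2a,0, 0,0,0,0x10, 0,0 };
static const uint8_t sample_bad_ifd_count[] = {    /* 65535 entries in a 16-byte buffer */
    'E','x','i','f',0,0, 'I','I',0x2a,0, 8,0,0,0, 0xff,0xff };
static const uint8_t sample_bad_value_offset[] = { /* Make, ASCII x16, at +0x100 */
    'E','x','i','f',0,0, 'I','I',0x2a,0, 8,0,0,0, 1,0,
    0x0f,0x01, 2,0, 16,0,0,0, 0,1,0,0, 0,0,0,0 };

int parse_sample(const uint8_t *s, size_t n)
{
    ifd_entry ents[8];
    size_t cnt;
    return exif_parse_ifd0(s, n, ents, 8, &cnt);
}

int main(void)
{
    printf("valid=%d truncated=%d bad_offset=%d\n", parse_sample(sample_valid, sizeof sample_valid),
           parse_sample(sample_valid, 10), parse_sample(sample_bad_ifd_offset, sizeof sample_bad_ifd_offset));
    return 0;
}
```

The point of the structure is that the raw getters stay as dumb as php_ifd_get16u/php_ifd_get32u; safety comes from in_bounds() being applied to every file-controlled offset (TIFF start, IFD table, out-of-line entry value) before the pointer is formed. Building with -fsanitize=address and feeding the malformed samples should produce clean error codes rather than the heap-buffer-overflow reports shown above.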
 
Last updated: Fri Feb 24 01:01:37 2017 UTC