Sec Bug #72618 NULL Pointer Dereference in exif_process_user_comment
Submitted: 2016-07-19 03:11 UTC Modified: 2016-07-25 15:19 UTC
From: nguyenvuhoang199321 at gmail dot com Assigned: stas
Status: Closed Package: EXIF related
PHP Version: 5.5.37 OS: *Nix
Private report: No CVE-ID: 2016-6292
 [2016-07-19 03:11 UTC] nguyenvuhoang199321 at gmail dot com
Description:
------------
There is a bug that occurs in exif_process_user_comment when trying to encode a JIS string.
```
else if (!memcmp(szValuePtr, "JIS\0\0\0\0\0", 8)) {
    /* JIS should be translated to MB or we leave it to the user - leave it to the user */
    *pszEncoding = estrdup((const char*)szValuePtr);
    szValuePtr = szValuePtr+8;
    ByteCount -= 8;
    /* XXX this will fail again if encoding_converter returns on error something different than SIZE_MAX   */
    if (zend_multibyte_encoding_converter(
            (unsigned char**)pszInfoPtr,
            &len,
            (unsigned char*)szValuePtr,
            ByteCount,
            zend_multibyte_fetch_encoding(ImageInfo->encode_jis),
            zend_multibyte_fetch_encoding(ImageInfo->motorola_intel ? ImageInfo->decode_jis_be : ImageInfo->decode_jis_le)
            ) == (size_t)-1) {
        len = exif_process_string_raw(pszInfoPtr, szValuePtr, ByteCount);
    }
    return len;
```
As you can see at the function call zend_multibyte_fetch_encoding(ImageInfo->encode_jis): at PHP_INI_BEGIN, encode_jis was set to an empty string, so this call returns NULL, which is then passed to zend_multibyte_encoding_converter. If this PHP version is compiled with *mbstring*, this NULL pointer is passed to mbfl_buffer_converter_new2 through the *to* pointer.
```
mbfl_buffer_converter_new2(
    const mbfl_encoding *from,
    const mbfl_encoding *to,
    int buf_initsz)
{
    ******SNIP********
    /* initialize */
    convd->from = from;
    convd->to = to;
    /* create convert filter */
    convd->filter1 = NULL;
    convd->filter2 = NULL;
    if (mbfl_convert_filter_get_vtbl(convd->from->no_encoding, convd->to->no_encoding) != NULL) {
    ******SNIP********
```

Because there is no check on the two pointers *from* and *to*, the NULL pointer is passed directly to convd->to, and the result is a crash when calling mbfl_convert_filter_get_vtbl.

Here is the crashing jpeg file: https://drive.google.com/file/d/0B0D1DYQpkA9URnRROVdLdG5jdFE/view?usp=sharing

This bug also works on Mac OS X and Windows.

Test script:
---------------
<?php
	$exif = exif_read_data('null.jpg');
	var_dump($exif);
?>

Expected result:
----------------
~/Sources_Ext/audit » ./php exif.php
[1]    19270 segmentation fault (core dumped)  ./php exif.php

Actual result:
--------------
Program received signal SIGSEGV, Segmentation fault.
[----------------------------------registers-----------------------------------]
RAX: 0x0
RBX: 0x1234de0 --> 0x2e ('.')
RCX: 0xd ('\r')
RDX: 0x0
RSI: 0x7ffff3e585a0 --> 0x0
RDI: 0x7ffff3e00040 --> 0x0
RBP: 0x7fffffffa760 --> 0x7fffffffa7f0 --> 0x7fffffffa830 --> 0x7fffffffa8a0 --> 0x7fffffffa9d0 --> 0x7fffffffaa30 --> 0x7fffffffab60 --> 0x7fffffffabc0 --> 0x7fffffffac00 --> 0x7fffffffac30 --> 0x7fffffffacd0 --> 0x7fffffffad10 --> 0x7fffffffadf0 --> 0x7fffffffb0d0 --> 0x7fffffffb100 --> 0x7fffffffb130 --> 0x7fffffffb170 --> 0x7fffffffb280 --> 0x7fffffffd580 --> 0x7fffffffe900 --> 0x7fffffffea50 --> 0xa15f90 (<__libc_csu_init>:	push   r15)
RSP: 0x7fffffffa730 --> 0x7ffff3e70168 --> 0x7fff0053494a
RIP: 0x6af72d (<mbfl_buffer_converter_new2+115>:	mov    edx,DWORD PTR [rax])
R8 : 0x276
R9 : 0x0
R10: 0x9 ('\t')
R11: 0x7ffff67e2730 --> 0xfffda400fffda12f
R12: 0x42c170 (<_start>:	xor    ebp,ebp)
R13: 0x7fffffffeb30 --> 0x2
R14: 0x7ffff3e14030 --> 0x7ffff3e5fb80 --> 0x9a28f2 (<ZEND_DO_ICALL_SPEC_HANDLER>:	push   rbp)
R15: 0x7ffff3e5fb80 --> 0x9a28f2 (<ZEND_DO_ICALL_SPEC_HANDLER>:	push   rbp)
EFLAGS: 0x10206 (carry PARITY adjust zero sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
   0x6af71d <mbfl_buffer_converter_new2+99>:	mov    QWORD PTR [rax+0x8],0x0
   0x6af725 <mbfl_buffer_converter_new2+107>:	mov    rax,QWORD PTR [rbp-0x8]
   0x6af729 <mbfl_buffer_converter_new2+111>:	mov    rax,QWORD PTR [rax+0x30]
=> 0x6af72d <mbfl_buffer_converter_new2+115>:	mov    edx,DWORD PTR [rax]
   0x6af72f <mbfl_buffer_converter_new2+117>:	mov    rax,QWORD PTR [rbp-0x8]
   0x6af733 <mbfl_buffer_converter_new2+121>:	mov    rax,QWORD PTR [rax+0x28]
   0x6af737 <mbfl_buffer_converter_new2+125>:	mov    eax,DWORD PTR [rax]
   0x6af739 <mbfl_buffer_converter_new2+127>:	mov    esi,edx
[------------------------------------stack-------------------------------------]
0000| 0x7fffffffa730 --> 0x7ffff3e70168 --> 0x7fff0053494a
0008| 0x7fffffffa738 --> 0xa0f3e00040
0016| 0x7fffffffa740 --> 0x0
0024| 0x7fffffffa748 --> 0x1234de0 --> 0x2e ('.')
0032| 0x7fffffffa750 --> 0x70168
0040| 0x7fffffffa758 --> 0x7ffff3e585a0 --> 0x0
0048| 0x7fffffffa760 --> 0x7fffffffa7f0 --> 0x7fffffffa830 --> 0x7fffffffa8a0 --> 0x7fffffffa9d0 --> 0x7fffffffaa30 --> 0x7fffffffab60 --> 0x7fffffffabc0 --> 0x7fffffffac00 --> 0x7fffffffac30 --> 0x7fffffffacd0 --> 0x7fffffffad10 --> 0x7fffffffadf0 --> 0x7fffffffb0d0 --> 0x7fffffffb100 --> 0x7fffffffb130 --> 0x7fffffffb170 --> 0x7fffffffb280 --> 0x7fffffffd580 --> 0x7fffffffe900 --> 0x7fffffffea50 --> 0xa15f90 (<__libc_csu_init>:	push   r15)
0056| 0x7fffffffa768 --> 0x6b8e38 (<php_mb_zend_encoding_converter+128>:	mov    QWORD PTR [rbp-0x48],rax)
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGSEGV
0x00000000006af72d in mbfl_buffer_converter_new2 (from=0x1234de0 <mbfl_encoding_jis>,
    to=0x0, buf_initsz=0xa0)
    at /home/vagrant/Sources_Ext/audit/src/php7.0-7.0.4/ext/mbstring/libmbfl/mbfl/mbfilter.c:158
158		if (mbfl_convert_filter_get_vtbl(convd->from->no_encoding, convd->to->no_encoding) != NULL) {
gdb-peda$ bt
#0  0x00000000006af72d in mbfl_buffer_converter_new2 (
    from=0x1234de0 <mbfl_encoding_jis>, to=0x0, buf_initsz=0xa0)
    at /home/vagrant/Sources_Ext/audit/src/php7.0-7.0.4/ext/mbstring/libmbfl/mbfl/mbfilter.c:158
#1  0x00000000006b8e38 in php_mb_zend_encoding_converter (to=0x7fffffffaec8,
    to_length=0x7fffffffa878, from=0x7ffff3e71388 'A' <repeats 160 times>,
    from_length=0xa0, encoding_to=0x0, encoding_from=0x1234de0 <mbfl_encoding_jis>)
    at /home/vagrant/Sources_Ext/audit/src/php7.0-7.0.4/ext/mbstring/mbstring.c:935
#2  0x0000000000969647 in zend_multibyte_encoding_converter (to=0x7fffffffaec8,
    to_length=0x7fffffffa878, from=0x7ffff3e71388 'A' <repeats 160 times>,
    from_length=0xa0, encoding_to=0x0, encoding_from=0x1234de0 <mbfl_encoding_jis>)
    at /home/vagrant/Sources_Ext/audit/src/php7.0-7.0.4/Zend/zend_multibyte.c:150
#3  0x0000000000613880 in exif_process_user_comment (ImageInfo=0x7fffffffae50,
    pszInfoPtr=0x7fffffffaec8, pszEncoding=0x7fffffffaed8,
    szValuePtr=0x7ffff3e71388 'A' <repeats 160 times>, ByteCount=0xa0)
    at /home/vagrant/Sources_Ext/audit/src/php7.0-7.0.4/ext/exif/exif.c:2649

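An added C model of the path described above (not PHP's code or its fix; the enc_t type, the toy ASCII-uppercasing "conversion" and the numeric status codes are assumptions made for the example), showing how resolving both encodings and checking them for NULL before calling the converter routes the default-INI case to the raw fallback instead of the dereference at mbfilter.c:158:

```c
#include <stddef.h>
#include <string.h>

/* Minimal stand-in for libmbfl's mbfl_encoding; only the field the crash reads. */
typedef struct { int no_encoding; const char *name; } enc_t;
static const enc_t ENC_JIS  = { 1, "JIS" };
static const enc_t ENC_UTF8 = { 2, "UTF-8" };

/* Stand-in for zend_multibyte_fetch_encoding(): the empty string (the default
   value of exif.encode_jis according to the report) resolves to NULL. */
static const enc_t *fetch_encoding(const char *name) {
    if (name == NULL || *name == '\0') return NULL;
    if (strcmp(name, "JIS") == 0)   return &ENC_JIS;
    if (strcmp(name, "UTF-8") == 0) return &ENC_UTF8;
    return NULL;
}

/* Stand-in for mbfl_buffer_converter_new2(): like mbfilter.c:158 it dereferences
   both encodings unconditionally, so a NULL argument here is the segfault. The
   "conversion" is a toy (ASCII uppercasing) that only marks that this path ran. */
static size_t converter_unchecked(const enc_t *from, const enc_t *to,
                                  const unsigned char *in, size_t n, char *out) {
    int same = (from->no_encoding == to->no_encoding);
    for (size_t i = 0; i < n; i++)
        out[i] = (char)((!same && in[i] >= 'a' && in[i] <= 'z') ? in[i] - 32 : in[i]);
    out[n] = '\0';
    return n;
}

/* Raw fallback, the role exif_process_string_raw() plays in the reported branch. */
static size_t process_string_raw(const unsigned char *in, size_t n, char *out) {
    memcpy(out, in, n);
    out[n] = '\0';
    return n;
}

/* Hardened model of the JIS branch. Returns 0 if the tag is not JIS, 1 if the raw
   fallback was used because an encoding failed to resolve, 2 if converted. */
static int process_jis_comment(const char *encode_jis_ini, const char *decode_jis_ini,
                               const unsigned char *value, size_t count, char *out) {
    if (count < 8 || memcmp(value, "JIS\0\0\0\0\0", 8) != 0) return 0;
    value += 8; count -= 8;
    const enc_t *to   = fetch_encoding(encode_jis_ini);   /* NULL with the default INI */
    const enc_t *from = fetch_encoding(decode_jis_ini);
    if (to == NULL || from == NULL) {        /* the check the reported code lacks */
        process_string_raw(value, count, out);
        return 1;
    }
    converter_unchecked(from, to, value, count, out);
    return 2;
}
```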
History

 [2016-07-19 03:16 UTC] nguyenvuhoang199321 at gmail dot com
Here is the crash in php (5.5.34 is installed by default on Mac OS X 10.11.5)
```
(lldb) r exif.php
Process 32368 launched: './php_mac' (x86_64)
Process 32368 stopped
* thread #1: tid = 0x4bacc5, 0x000000010017f8b4 php_mac`mbfl_buffer_converter_new2 + 78, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0x0)
    frame #0: 0x000000010017f8b4 php_mac`mbfl_buffer_converter_new2 + 78
php_mac`mbfl_buffer_converter_new2:
->  0x10017f8b4 <+78>: mov    esi, dword ptr [r15]
    0x10017f8b7 <+81>: call   0x100183610               ; mbfl_convert_filter_get_vtbl
    0x10017f8bc <+86>: test   rax, rax
    0x10017f8bf <+89>: je     0x10017f8e7               ; <+129>
(lldb) register read
General Purpose Registers:
       rax = 0x0000000000000000
       rbx = 0x0000000101c65b98
       rcx = 0x0000000000000009
       rdx = 0x00000000ffffffff
       rdi = 0x000000000000002e
       rsi = 0x0000000000000038
       rbp = 0x00007fff5fbfe120
       rsp = 0x00007fff5fbfe100
        r8 = 0x0000000000000000
        r9 = 0x0000000100936780  php_mac.__DATA.__const + 180352
       r10 = 0x0000000101c66110
       r11 = 0x00000000000000b8
       r12 = 0x0000000100936780  php_mac.__DATA.__const + 180352
       r13 = 0x00000000000000a0
       r14 = 0x00000000000000a0
       r15 = 0x0000000000000000
       rip = 0x000000010017f8b4  php_mac`mbfl_buffer_converter_new2 + 78
    rflags = 0x0000000000010202
        cs = 0x000000000000002b
        fs = 0x0000000000000000
        gs = 0x0000000000000000
```
 [2016-07-19 06:23 UTC] stas@php.net
-Assigned To: +Assigned To: stas
 [2016-07-19 06:23 UTC] stas@php.net
Fix in https://gist.github.com/c660c3f72e69d93874e27f3820a3935b and in security repo as 41131cd41d2fd2e0c2f332a27988df75659c42e4

Please verify.
 [2016-07-19 06:23 UTC] stas@php.net
-PHP Version: 7.0.8 +PHP Version: 5.5.37
 [2016-07-19 06:34 UTC] nguyenvuhoang199321 at gmail dot com
OK, the bug is fixed
 [2016-07-19 07:47 UTC] stas@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=41131cd41d2fd2e0c2f332a27988df75659c42e4
Log: Fix bug #72618: NULL Pointer Dereference in exif_process_user_comment
 [2016-07-19 07:47 UTC] stas@php.net
-Status: Assigned +Status: Closed
 [2016-07-25 15:19 UTC] remi@php.net
-CVE-ID: +CVE-ID: 2016-6292
 [2016-10-17 10:11 UTC] bwoebi@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=41131cd41d2fd2e0c2f332a27988df75659c42e4
Log: Fix bug #72618: NULL Pointer Dereference in exif_process_user_comment
 
PHP Copyright © 2001-2017 The PHP Group
All rights reserved.
Last updated: Wed Aug 23 23:01:39 2017 UTC