USE_ZEND_ALLOC=0 ./php-e147eb2 -r 'exif_read_data(file_get_contents("/full/path/to/test.jpg"));'
echo "Lw==" | base64 -d > test.jpg
od -tx1 test.jpg
==15865==ERROR: AddressSanitizer: heap-use-after-free on address 0x611000000ad0 at pc 0x0000013d8100 bp 0x7fff9778bda0 sp 0x7fff9778bd98
READ of size 8 at 0x611000000ad0 thread T0
#0 0x13d80ff in _php_stream_free /root/php-7.2.6/main/streams/streams.c:373:13
#1 0xe4a08f in exif_read_from_file /root/php-7.2.6/ext/exif/exif.c:4411:2
#2 0xe4a08f in zif_exif_read_data /root/php-7.2.6/ext/exif/exif.c:4482
#3 0x18692f5 in ZEND_DO_ICALL_SPEC_RETVAL_UNUSED_HANDLER /root/php-7.2.6/Zend/zend_vm_execute.h:573:2
#4 0x1683367 in execute_ex /root/php-7.2.6/Zend/zend_vm_execute.h:59723:7
#5 0x1683aa5 in zend_execute /root/php-7.2.6/Zend/zend_vm_execute.h:63760:2
#6 0x14fdb5c in zend_eval_stringl /root/php-7.2.6/Zend/zend_execute_API.c:1082:4
#7 0x14fe3a7 in zend_eval_stringl_ex /root/php-7.2.6/Zend/zend_execute_API.c:1123:11
#8 0x14fe3a7 in zend_eval_string_ex /root/php-7.2.6/Zend/zend_execute_API.c:1134
#9 0x196fd32 in do_cli /root/php-7.2.6/sapi/cli/php_cli.c:1042:8
#10 0x196dd4f in main /root/php-7.2.6/sapi/cli/php_cli.c:1404:18
#11 0x7fb432b3382f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291
#12 0x43bd68 in _start (/root/php-7.2.6/sapi/cli/php+0x43bd68)
0x611000000ad0 is located 144 bytes inside of 224-byte region [0x611000000a40,0x611000000b20)
freed by thread T0 here:
#0 0x4e2c32 in free /b/build/slave/linux_upload_clang/build/src/third_party/llvm/compiler-rt/lib/asan/asan_malloc_linux.cc:78:3
#1 0x13d7f53 in _php_stream_free /root/php-7.2.6/main/streams/streams.c:511:3
previously allocated by thread T0 here:
#0 0x4e2f73 in __interceptor_malloc /b/build/slave/linux_upload_clang/build/src/third_party/llvm/compiler-rt/lib/asan/asan_malloc_linux.cc:98:3
#1 0x147855a in __zend_malloc /root/php-7.2.6/Zend/zend_alloc.c:2829:14
#2 0x13ed4b3 in _php_stream_fopen_from_fd_int /root/php-7.2.6/main/streams/plain_wrapper.c:186:9
#3 0x13ed4b3 in _php_stream_fopen_from_fd /root/php-7.2.6/main/streams/plain_wrapper.c:248
SUMMARY: AddressSanitizer: heap-use-after-free /root/php-7.2.6/main/streams/streams.c:373:13 in _php_stream_free
Thanks for reporting this issue.
It seems to me the avoid-double-free.patch fixes the bug.
The following patch has been added/updated:
Patch Name: avoid-double-free.patch
Automatic comment on behalf of email@example.com
Log: Fix #76409: heap use after free in _php_stream_free
FYI, this affects the 7.2.6 release as well, but I haven't tested other versions.
Indeed, PHP-7.2 as well as master have been affected (but not earlier version branches), and both have been fixed.
CVE-2018-12882 has been assigned to this bug.
Requesting a CVE for a bug which had been reported and discussed publicly is pretty strange.
Stas, what do you think?
I don't think CVE has anything to do with publicity. CVE is an issue identifier, which allows tracking an issue across distributions, builds, etc., and which is issued for security issues. It doesn't matter whether it was disclosed publicly or not, or which version fixes it - a CVE allows tracking security issues in every version and thus having a picture of which issue is fixed where.
It looks like this one should also be a security issue, since exif bugs usually deal with external data. Not sure where this fix has been applied and whether it needs a backport; will check.
The fix has been committed to PHP-7.2 and master (older branches are not affected); it has missed PHP 7.2.7, though, since it has not been regarded as a security fix.