Sec Bug #76558 heap-buffer-overflow (READ of size 1) in php_ifd_get32s
Submitted: 2018-07-01 00:48 UTC Modified: 2018-07-16 23:57 UTC
From: geeknik at protonmail dot ch Assigned: kalle (profile)
Status: Duplicate Package: EXIF related
PHP Version: 5.6.36 OS: Debian 9 x64
Private report: No CVE-ID: n/a
 [2018-07-01 00:48 UTC] geeknik at protonmail dot ch
Description:
------------
USE_ZEND_ALLOC=0 ./php-7.2.7 -r '$exif = exif_read_data("http://dtf.pw/php727/poc/630/test003.jpeg"); var_dump($exif);'

Expected result:
----------------
No crash.

Actual result:
--------------
==4598==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61d0000121b1 at pc 0x000000e04b2e bp 0x7ffc0d69d5d0 sp 0x7ffc0d69d5c8
READ of size 1 at 0x61d0000121b1 thread T0
    #0 0xe04b2d in php_ifd_get32s /root/php-7.2.7/ext/exif/exif.c:1496:12
    #1 0xe04b2d in php_ifd_get32u /root/php-7.2.7/ext/exif/exif.c:1508
    #2 0xe04b2d in exif_iif_add_value /root/php-7.2.7/ext/exif/exif.c:2170
    #3 0xe04b2d in exif_iif_add_tag /root/php-7.2.7/ext/exif/exif.c:2199
    #4 0xe0b818 in exif_process_IFD_TAG /root/php-7.2.7/ext/exif/exif.c:3543:2
    #5 0xe0bccf in exif_process_IFD_in_MAKERNOTE /root/php-7.2.7/ext/exif/exif.c:3213:8
    #6 0xe0bccf in exif_process_IFD_TAG /root/php-7.2.7/ext/exif/exif.c:3494
    #7 0xe08c15 in exif_process_IFD_in_JPEG /root/php-7.2.7/ext/exif/exif.c:3576:8
    #8 0xe0ac0e in exif_process_IFD_TAG /root/php-7.2.7/ext/exif/exif.c:3534:11
    #9 0xe08c15 in exif_process_IFD_in_JPEG /root/php-7.2.7/ext/exif/exif.c:3576:8
    #10 0xe014c0 in exif_process_TIFF_in_JPEG /root/php-7.2.7/ext/exif/exif.c:3665:2
    #11 0xe014c0 in exif_process_APP1 /root/php-7.2.7/ext/exif/exif.c:3690
    #12 0xe014c0 in exif_scan_JPEG_header /root/php-7.2.7/ext/exif/exif.c:3835
    #13 0xe014c0 in exif_scan_FILE_header /root/php-7.2.7/ext/exif/exif.c:4224
    #14 0xe014c0 in exif_read_from_impl /root/php-7.2.7/ext/exif/exif.c:4365
    #15 0xe014c0 in exif_read_from_stream /root/php-7.2.7/ext/exif/exif.c:4382
    #16 0xdf8f18 in exif_read_from_file /root/php-7.2.7/ext/exif/exif.c:4409:8
    #17 0xdf8f18 in zif_exif_read_data /root/php-7.2.7/ext/exif/exif.c:4482
    #18 0x17c5d34 in ZEND_DO_ICALL_SPEC_RETVAL_USED_HANDLER /root/php-7.2.7/Zend/zend_vm_execute.h:617:2
    #19 0x15ed419 in execute_ex /root/php-7.2.7/Zend/zend_vm_execute.h:59723:7
    #20 0x15eda9a in zend_execute /root/php-7.2.7/Zend/zend_vm_execute.h:63760:2
    #21 0x14758eb in zend_eval_stringl /root/php-7.2.7/Zend/zend_execute_API.c:1082:4
    #22 0x1475fb9 in zend_eval_stringl_ex /root/php-7.2.7/Zend/zend_execute_API.c:1123:11
    #23 0x1475fb9 in zend_eval_string_ex /root/php-7.2.7/Zend/zend_execute_API.c:1134
    #24 0x18c4aea in do_cli /root/php-7.2.7/sapi/cli/php_cli.c:1044:8
    #25 0x18c2c03 in main /root/php-7.2.7/sapi/cli/php_cli.c:1405:18
    #26 0x7f41337022e0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202e0)
    #27 0x427479 in _start (/root/php-7.2.7/sapi/cli/php+0x427479)

0x61d0000121b1 is located 0 bytes to the right of 2353-byte region [0x61d000011880,0x61d0000121b1)
allocated by thread T0 here:
    #0 0x4cf373 in __interceptor_malloc /b/build/slave/linux_upload_clang/build/src/third_party/llvm/compiler-rt/lib/asan/asan_malloc_linux.cc:146:3
    #1 0x13f455b in __zend_malloc /root/php-7.2.7/Zend/zend_alloc.c:2829:14
    #2 0xe00a82 in exif_file_sections_add /root/php-7.2.7/ext/exif/exif.c:2014:10
    #3 0xe00a82 in exif_scan_JPEG_header /root/php-7.2.7/ext/exif/exif.c:3789
    #4 0xe00a82 in exif_scan_FILE_header /root/php-7.2.7/ext/exif/exif.c:4224
    #5 0xe00a82 in exif_read_from_impl /root/php-7.2.7/ext/exif/exif.c:4365
    #6 0xe00a82 in exif_read_from_stream /root/php-7.2.7/ext/exif/exif.c:4382
    #7 0xdf8f18 in exif_read_from_file /root/php-7.2.7/ext/exif/exif.c:4409:8
    #8 0xdf8f18 in zif_exif_read_data /root/php-7.2.7/ext/exif/exif.c:4482
    #9 0x17c5d34 in ZEND_DO_ICALL_SPEC_RETVAL_USED_HANDLER /root/php-7.2.7/Zend/zend_vm_execute.h:617:2
    #10 0x15ed419 in execute_ex /root/php-7.2.7/Zend/zend_vm_execute.h:59723:7
    #11 0x15eda9a in zend_execute /root/php-7.2.7/Zend/zend_vm_execute.h:63760:2
    #12 0x14758eb in zend_eval_stringl /root/php-7.2.7/Zend/zend_execute_API.c:1082:4
    #13 0x1475fb9 in zend_eval_stringl_ex /root/php-7.2.7/Zend/zend_execute_API.c:1123:11
    #14 0x1475fb9 in zend_eval_string_ex /root/php-7.2.7/Zend/zend_execute_API.c:1134
    #15 0x18c4aea in do_cli /root/php-7.2.7/sapi/cli/php_cli.c:1044:8
    #16 0x18c2c03 in main /root/php-7.2.7/sapi/cli/php_cli.c:1405:18
    #17 0x7f41337022e0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202e0)

SUMMARY: AddressSanitizer: heap-buffer-overflow /root/php-7.2.7/ext/exif/exif.c:1496:12 in php_ifd_get32s
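The sanitizer report above shows a 1-byte read landing 0 bytes past the end of a 2353-byte section buffer while a 4-byte IFD value was being decoded in php_ifd_get32s. The following C is an added example, not PHP's own exif.c code, showing the class of check that prevents such a read: verify the remaining length of the section before decoding a multi-byte value. The type `exif_section`, the functions `ifd_get32s_checked` / `sample_read_status` / `sample_read_value`, and the 6-byte sample buffer are constructed for illustration and are not taken from the report's test file.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* A section buffer as an EXIF parser would hold it: base pointer plus
 * total length. Every read must be validated against `len`. */
typedef struct {
    const unsigned char *data;  /* start of the section buffer */
    size_t len;                 /* total bytes in the buffer */
} exif_section;

/* Unchecked decode of a 32-bit signed value. EXIF stores values either
 * big-endian ("Motorola", motorola_intel != 0) or little-endian ("Intel"),
 * selected by the TIFF header byte order. This helper trusts that 4 bytes
 * exist at `p`; it is the kind of read that overran in the report when the
 * caller did not verify the length first. */
static int32_t ifd_get32s_unchecked(const unsigned char *p, int motorola_intel)
{
    if (motorola_intel)
        return (int32_t)(((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
                         ((uint32_t)p[2] << 8)  |  (uint32_t)p[3]);
    return (int32_t)(((uint32_t)p[3] << 24) | ((uint32_t)p[2] << 16) |
                     ((uint32_t)p[1] << 8)  |  (uint32_t)p[0]);
}

/* Checked decode: returns 0 and stores the value in *out when at least
 * 4 bytes remain after `offset`; returns -1 otherwise. The comparison is
 * written as `len - offset < 4` (after `offset > len`) so that an
 * attacker-controlled offset cannot wrap `offset + 4` around zero. */
int ifd_get32s_checked(const exif_section *s, size_t offset,
                       int motorola_intel, int32_t *out)
{
    if (offset > s->len || s->len - offset < 4)
        return -1;
    *out = ifd_get32s_unchecked(s->data + offset, motorola_intel);
    return 0;
}

/* Constructed 6-byte sample section (not the report's test003.jpeg). */
static const unsigned char sample[6] = {0x00, 0x00, 0x01, 0x02, 0xFF, 0xFE};

/* Status of a checked read from the sample at `offset`: 0 ok, -1 rejected. */
int sample_read_status(size_t offset, int motorola_intel)
{
    exif_section s = { sample, sizeof sample };
    int32_t v;
    return ifd_get32s_checked(&s, offset, motorola_intel, &v);
}

/* Value of a checked read from the sample, or 0 when the read is rejected. */
int32_t sample_read_value(size_t offset, int motorola_intel)
{
    exif_section s = { sample, sizeof sample };
    int32_t v = 0;
    if (ifd_get32s_checked(&s, offset, motorola_intel, &v) != 0)
        return 0;
    return v;
}

int main(void)
{
    size_t offsets[] = {0, 2, 3, 6, 7};
    for (size_t i = 0; i < sizeof offsets / sizeof offsets[0]; i++) {
        size_t off = offsets[i];
        if (sample_read_status(off, 1) == 0)
            printf("offset %zu: ok, value %d\n", off, (int)sample_read_value(off, 1));
        else
            printf("offset %zu: rejected, fewer than 4 bytes remain\n", off);
    }
    return 0;
}
```

Offsets 0 and 2 decode normally; offsets 3, 6 and 7 are rejected because fewer than 4 bytes remain, which is exactly the situation the sanitizer flagged (a read starting at the last bytes of the section). A parser that applies this check at every IFD value read turns a heap over-read into a clean "corrupt EXIF" error.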

History

 [2018-07-02 03:02 UTC] stas@php.net
-PHP Version: 7.2.7 +PHP Version: 5.6.36 -Assigned To: +Assigned To: kalle -CVE-ID: +CVE-ID: needed
 [2018-07-02 05:26 UTC] stas@php.net
Looks like the fix for bug #76557 also fixes this one. Please verify.
 [2018-07-03 05:46 UTC] stas@php.net
-Status: Assigned +Status: Duplicate
 [2018-07-03 05:46 UTC] stas@php.net
Duplicate of bug # 76557, same fix.
 [2018-07-16 23:57 UTC] stas@php.net
-CVE-ID: needed +CVE-ID: n/a
PHP Copyright © 2001-2019 The PHP Group
All rights reserved.
Last updated: Thu Nov 14 06:01:35 2019 UTC