php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Sec Bug #77563 Uninitialized read in exif_process_IFD_in_MAKERNOTE
Submitted: 2019-02-04 07:50 UTC Modified: 2019-03-08 23:58 UTC
From: chamal dot desilva at gmail dot com Assigned: stas (profile)
Status: Closed Package: EXIF related
PHP Version: 7.1.26 OS: Windows, Linux
Private report: No CVE-ID: 2019-9638
 [2019-02-04 07:50 UTC] chamal dot desilva at gmail dot com
Description:
------------
Version
-------
PHP 7.3.1
PHP 7.4.0-dev (cli)

Description
------------
This bug is caused by below lines of ext/exif/exif.c file's exif_process_IFD_in_MAKERNOTE method.

....
//This condition checks whether maker_note->offset exceeds value_len.
if (maker_note->offset >= value_len) {
  exif_error_docref("exif_read_data#error_ifd" EXIFERR_CC, ImageInfo, E_WARNING, "IFD data too short: 0x%04X offset 0x%04X", value_len, maker_note->offset);
  return FALSE;
}

dir_start = value_ptr + maker_note->offset;
....
....
//Then reads 2 bytes of data. So if maker_note->offset is 1 less than value_len, then last byte read contains uninitialized data.
NumDirEntries = php_ifd_get16u(dir_start, ImageInfo->motorola_intel);
....

Configure Line
---------------
./configure --prefix=/php/install --enable-cli --enable-exif --enable-debug --without-pear


Test script:
---------------
<?php
$img = fopen("php://memory","r+");
fwrite($img,hex2bin("ffd8e1003c4578696600004d4d002a0000000c000000000002010f00010000000500000026927c0001000000090000002b4e494b4f4e4e696b6f6e00010000"));
$s = exif_thumbnail($img);
?>


Actual result:
--------------
Valgrind Output
---------------

Source line numbers are from PHP 7.3.1

export USE_ZEND_ALLOC=0
export ZEND_DONT_UNLOAD_MODULES=1
valgrind bin/php test.php

==3590== Conditional jump or move depends on uninitialised value(s)
==3590==    at 0x24D2B3: exif_process_IFD_in_MAKERNOTE (exif.c:3186)
==3590==    by 0x24E2E5: exif_process_IFD_TAG (exif.c:3473)
==3590==    by 0x24E664: exif_process_IFD_in_JPEG (exif.c:3555)
==3590==    by 0x24E942: exif_process_TIFF_in_JPEG (exif.c:3644)
==3590==    by 0x24EA03: exif_process_APP1 (exif.c:3669)
==3590==    by 0x24EECE: exif_scan_JPEG_header (exif.c:3814)
==3590==    by 0x24FDF5: exif_scan_FILE_header (exif.c:4203)
==3590==    by 0x250664: exif_read_from_impl (exif.c:4344)
==3590==    by 0x2506CF: exif_read_from_stream (exif.c:4361)
==3590==    by 0x252045: zif_exif_thumbnail (exif.c:4621)
==3590==    by 0x52EA5B: ZEND_DO_ICALL_SPEC_RETVAL_USED_HANDLER (zend_vm_execute.h:690)
==3590==    by 0x59146D: execute_ex (zend_vm_execute.h:55418)
==3590== 
==3590== Conditional jump or move depends on uninitialised value(s)
==3590==    at 0x24D343: exif_process_IFD_in_MAKERNOTE (exif.c:3191)
==3590==    by 0x24E2E5: exif_process_IFD_TAG (exif.c:3473)
==3590==    by 0x24E664: exif_process_IFD_in_JPEG (exif.c:3555)
==3590==    by 0x24E942: exif_process_TIFF_in_JPEG (exif.c:3644)
==3590==    by 0x24EA03: exif_process_APP1 (exif.c:3669)
==3590==    by 0x24EECE: exif_scan_JPEG_header (exif.c:3814)
==3590==    by 0x24FDF5: exif_scan_FILE_header (exif.c:4203)
==3590==    by 0x250664: exif_read_from_impl (exif.c:4344)
==3590==    by 0x2506CF: exif_read_from_stream (exif.c:4361)
==3590==    by 0x252045: zif_exif_thumbnail (exif.c:4621)
==3590==    by 0x52EA5B: ZEND_DO_ICALL_SPEC_RETVAL_USED_HANDLER (zend_vm_execute.h:690)
==3590==    by 0x59146D: execute_ex (zend_vm_execute.h:55418)


Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2019-02-12 01:10 UTC] chamal dot desilva at gmail dot com
Does this bug reproduce?
 [2019-03-02 23:13 UTC] stas@php.net
-Status: Open +Status: Assigned -PHP Version: 7.3.1 +PHP Version: 7.1.26 -Assigned To: +Assigned To: stas -CVE-ID: +CVE-ID: needed
 [2019-03-02 23:13 UTC] stas@php.net
The fix in security repo as 6c4d81b524cf664748dd89579aa9157a5955f8b0 and in https://gist.github.com/smalyshev/fbbd9da6f200cf3ce1baebc8d133d179

Please verify.
 [2019-03-04 07:35 UTC] stas@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=8ac6fee8562533a15db90062117210ed28b44fea
Log: Fix bug #77563 - Uninitialized read in exif_process_IFD_in_MAKERNOTE
 [2019-03-04 07:35 UTC] stas@php.net
-Status: Assigned +Status: Closed
 [2019-03-04 07:35 UTC] stas@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=b82437eeddadf6a3a8c0f492acb6861682cd4d93
Log: Fix bug #77563 - Uninitialized read in exif_process_IFD_in_MAKERNOTE
 [2019-03-08 23:58 UTC] stas@php.net
-CVE-ID: needed +CVE-ID: 2019-9638
 
PHP Copyright © 2001-2019 The PHP Group
All rights reserved.
Last updated: Sat Jul 20 15:01:26 2019 UTC