Sec Bug #77563 Uninitialized read in exif_process_IFD_in_MAKERNOTE
Submitted: 2019-02-04 07:50 UTC Modified: 2019-03-08 23:58 UTC
From: chamal dot desilva at gmail dot com Assigned: stas (profile)
Status: Closed Package: EXIF related
PHP Version: 7.1.26 OS: Windows, Linux
Private report: No CVE-ID: 2019-9638
 [2019-02-04 07:50 UTC] chamal dot desilva at gmail dot com
Description:
------------
Version
-------
PHP 7.3.1
PHP 7.4.0-dev (cli)

Description
------------
This bug is caused by the lines below in the exif_process_IFD_in_MAKERNOTE function of ext/exif/exif.c.

....
//This condition checks whether maker_note->offset exceeds value_len.
if (maker_note->offset >= value_len) {
  exif_error_docref("exif_read_data#error_ifd" EXIFERR_CC, ImageInfo, E_WARNING, "IFD data too short: 0x%04X offset 0x%04X", value_len, maker_note->offset);
  return FALSE;
}

dir_start = value_ptr + maker_note->offset;
....
....
//Then 2 bytes of data are read. So if maker_note->offset is 1 less than value_len, the last byte read contains uninitialized data.
NumDirEntries = php_ifd_get16u(dir_start, ImageInfo->motorola_intel);
....

Configure Line
---------------
./configure --prefix=/php/install --enable-cli --enable-exif --enable-debug --without-pear


Test script:
---------------
<?php
$img = fopen("php://memory","r+");
fwrite($img,hex2bin("ffd8e1003c4578696600004d4d002a0000000c000000000002010f00010000000500000026927c0001000000090000002b4e494b4f4e4e696b6f6e00010000"));
$s = exif_thumbnail($img);
?>


Actual result:
--------------
Valgrind Output
---------------

Source line numbers are from PHP 7.3.1

export USE_ZEND_ALLOC=0
export ZEND_DONT_UNLOAD_MODULES=1
valgrind bin/php test.php

==3590== Conditional jump or move depends on uninitialised value(s)
==3590==    at 0x24D2B3: exif_process_IFD_in_MAKERNOTE (exif.c:3186)
==3590==    by 0x24E2E5: exif_process_IFD_TAG (exif.c:3473)
==3590==    by 0x24E664: exif_process_IFD_in_JPEG (exif.c:3555)
==3590==    by 0x24E942: exif_process_TIFF_in_JPEG (exif.c:3644)
==3590==    by 0x24EA03: exif_process_APP1 (exif.c:3669)
==3590==    by 0x24EECE: exif_scan_JPEG_header (exif.c:3814)
==3590==    by 0x24FDF5: exif_scan_FILE_header (exif.c:4203)
==3590==    by 0x250664: exif_read_from_impl (exif.c:4344)
==3590==    by 0x2506CF: exif_read_from_stream (exif.c:4361)
==3590==    by 0x252045: zif_exif_thumbnail (exif.c:4621)
==3590==    by 0x52EA5B: ZEND_DO_ICALL_SPEC_RETVAL_USED_HANDLER (zend_vm_execute.h:690)
==3590==    by 0x59146D: execute_ex (zend_vm_execute.h:55418)
==3590== 
==3590== Conditional jump or move depends on uninitialised value(s)
==3590==    at 0x24D343: exif_process_IFD_in_MAKERNOTE (exif.c:3191)
==3590==    by 0x24E2E5: exif_process_IFD_TAG (exif.c:3473)
==3590==    by 0x24E664: exif_process_IFD_in_JPEG (exif.c:3555)
==3590==    by 0x24E942: exif_process_TIFF_in_JPEG (exif.c:3644)
==3590==    by 0x24EA03: exif_process_APP1 (exif.c:3669)
==3590==    by 0x24EECE: exif_scan_JPEG_header (exif.c:3814)
==3590==    by 0x24FDF5: exif_scan_FILE_header (exif.c:4203)
==3590==    by 0x250664: exif_read_from_impl (exif.c:4344)
==3590==    by 0x2506CF: exif_read_from_stream (exif.c:4361)
==3590==    by 0x252045: zif_exif_thumbnail (exif.c:4621)
==3590==    by 0x52EA5B: ZEND_DO_ICALL_SPEC_RETVAL_USED_HANDLER (zend_vm_execute.h:690)
==3590==    by 0x59146D: execute_ex (zend_vm_execute.h:55418)


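The off-by-one the report describes, modelled in C as an added example (this is not code from the bug report or from the PHP source tree, and the hardened check is this example's own rather than the PHP commit): the quoted condition `maker_note->offset >= value_len` still accepts `offset == value_len - 1`, after which the two-byte `NumDirEntries` read reaches one byte beyond the MakerNote value. The constructed buffer below is the 9-byte "Nikon\0\x01\x00\x00" MakerNote value from the posted test script, with one extra trailing byte that stands in for whatever follows the value in memory; `ifd_get16u`, `check_vulnerable`, `check_hardened` and `read_num_dir_entries` are this example's names, not exif.c's.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Model of php_ifd_get16u(): two bytes, big-endian when motorola_intel is
 * nonzero (the "MM" TIFF header in the test script), else little-endian. */
static uint16_t ifd_get16u(const unsigned char *p, int motorola_intel)
{
    if (motorola_intel)
        return (uint16_t)(((unsigned)p[0] << 8) | p[1]);
    return (uint16_t)(((unsigned)p[1] << 8) | p[0]);
}

/* The check quoted in the report: rejects only offset >= value_len, so
 * offset == value_len - 1 passes although the caller then reads two bytes. */
static bool check_vulnerable(size_t value_len, size_t offset)
{
    return offset < value_len;
}

/* Hardened check (this example's own, not the PHP fix): the whole two-byte
 * entry count must fit, i.e. offset + 2 <= value_len, written so that
 * neither value_len - 2 underflows nor offset + 2 overflows. */
static bool check_hardened(size_t value_len, size_t offset)
{
    return value_len >= 2 && offset <= value_len - 2;
}

/* Number of bytes a two-byte read at `offset` would consume past value_len. */
static size_t bytes_past_end(size_t value_len, size_t offset)
{
    size_t end = offset + 2;
    return end > value_len ? end - value_len : 0;
}

/* Mirrors the NumDirEntries read: -1 when the check rejects, otherwise the
 * 16-bit count. value_ptr must point into a buffer with at least one byte
 * after value_len so the vulnerable path stays defined in this model. */
static int read_num_dir_entries(const unsigned char *value_ptr, size_t value_len,
                                size_t offset, int motorola_intel,
                                bool (*check)(size_t, size_t))
{
    if (!check(value_len, offset))
        return -1;
    return ifd_get16u(value_ptr + offset, motorola_intel);
}

/* Constructed MakerNote value: the 9 bytes "Nikon\0\x01\x00\x00" from the
 * posted test script, followed by one byte (index 9) that is NOT part of the
 * value; 0xAB marks it so it shows up in the result when it is read. */
static const unsigned char MAKER_NOTE[10] = {
    'N', 'i', 'k', 'o', 'n', 0x00, 0x01, 0x00, 0x00, 0xAB
};
#define MAKER_NOTE_LEN 9

int main(void)
{
    size_t offset = MAKER_NOTE_LEN - 1; /* offset one less than value_len */
    int v = read_num_dir_entries(MAKER_NOTE, MAKER_NOTE_LEN, offset, 1, check_vulnerable);
    int h = read_num_dir_entries(MAKER_NOTE, MAKER_NOTE_LEN, offset, 1, check_hardened);

    printf("vulnerable check: NumDirEntries = 0x%04X (%zu byte(s) read past end)\n",
           v, bytes_past_end(MAKER_NOTE_LEN, offset));
    printf("hardened check:   %s\n", h < 0 ? "rejected" : "accepted");
    return 0;
}
```

With the big-endian TIFF header of the test file, the vulnerable path returns 0x00AB, i.e. the low byte is the marker placed outside the value. In the real parser that byte is whatever the allocator left behind, which is why valgrind reports a conditional jump on uninitialised data at the comparisons that consume NumDirEntries.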
History

 [2019-02-12 01:10 UTC] chamal dot desilva at gmail dot com
Does this bug reproduce?
 [2019-03-02 23:13 UTC] stas@php.net
-Status: Open +Status: Assigned -PHP Version: 7.3.1 +PHP Version: 7.1.26 -Assigned To: +Assigned To: stas -CVE-ID: +CVE-ID: needed
 [2019-03-02 23:13 UTC] stas@php.net
The fix in security repo as 6c4d81b524cf664748dd89579aa9157a5955f8b0 and in https://gist.github.com/smalyshev/fbbd9da6f200cf3ce1baebc8d133d179

Please verify.
 [2019-03-04 07:35 UTC] stas@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=8ac6fee8562533a15db90062117210ed28b44fea
Log: Fix bug #77563 - Uninitialized read in exif_process_IFD_in_MAKERNOTE
 [2019-03-04 07:35 UTC] stas@php.net
-Status: Assigned +Status: Closed
 [2019-03-04 07:35 UTC] stas@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=b82437eeddadf6a3a8c0f492acb6861682cd4d93
Log: Fix bug #77563 - Uninitialized read in exif_process_IFD_in_MAKERNOTE
 [2019-03-08 23:58 UTC] stas@php.net
-CVE-ID: needed +CVE-ID: 2019-9638
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.