Bug #77564 Memory leak in exif_process_IFD_TAG
Submitted: 2019-02-04 07:57 UTC Modified: 2019-02-11 22:17 UTC
From: chamal dot desilva at gmail dot com Assigned: ramsey (profile)
Status: Closed Package: EXIF related
PHP Version: 7.3.1 OS: Windows, Linux
Private report: No CVE-ID: None
 [2019-02-04 07:57 UTC] chamal dot desilva at gmail dot com
Description:
------------
Version
--------
PHP 7.4.0-dev (cli)
PHP 7.3.1

Description
-----------

This bug is caused by the lines below in the exif_process_IFD_TAG function of ext/exif/exif.c.

...
case TAG_USERCOMMENT:
  ImageInfo->UserCommentLength = exif_process_user_comment(ImageInfo, &(ImageInfo->UserComment), &(ImageInfo->UserCommentEncoding), value_ptr, byte_count);
  break;
...

If the image has multiple EXIF comment tags, the exif_process_IFD_TAG and exif_process_user_comment functions do not free the already allocated memory
for ImageInfo->UserComment and ImageInfo->UserCommentEncoding before setting the new values.

Configure Line
---------------
./configure --prefix=/php/install --enable-cli --enable-exif --enable-debug --without-pear

Test script:
---------------
<?php
// Minimal JPEG: SOI followed by an APP1 "Exif" segment whose IFD0 holds two
// UserComment (0x9286) entries, each pointing at the 12-byte value "UNICODE\0AAAA".
$img = fopen("php://memory", "r+");
fwrite($img, hex2bin("ffd8e100464578696600004d4d002a0000000c000000000002928600010000000c00000026928600010000000c00000032554e49434f44450041414141554e49434f44450041414141"));
// Parsing the second UserComment tag overwrites the strings allocated for the first one.
$s = exif_thumbnail($img);
?>


Actual result:
--------------
Valgrind Output
---------------
Source line numbers are from PHP 7.3.1

export USE_ZEND_ALLOC=0
export ZEND_DONT_UNLOAD_MODULES=1
valgrind --leak-check=yes bin/php test.php

==3566== 5 bytes in 1 blocks are definitely lost in loss record 1 of 2
==3566==    at 0x483021B: malloc (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==3566==    by 0x4A0495: __zend_malloc (zend_alloc.c:2904)
==3566==    by 0x49F82D: _emalloc (zend_alloc.c:2494)
==3566==    by 0x49FAE1: _safe_emalloc (zend_alloc.c:2556)
==3566==    by 0x24CC5A: exif_process_string_raw (exif.c:2958)
==3566==    by 0x24CE82: exif_process_user_comment (exif.c:3028)
==3566==    by 0x24DE92: exif_process_IFD_TAG (exif.c:3381)
==3566==    by 0x24E664: exif_process_IFD_in_JPEG (exif.c:3555)
==3566==    by 0x24E942: exif_process_TIFF_in_JPEG (exif.c:3644)
==3566==    by 0x24EA03: exif_process_APP1 (exif.c:3669)
==3566==    by 0x24EECE: exif_scan_JPEG_header (exif.c:3814)
==3566==    by 0x24FDF5: exif_scan_FILE_header (exif.c:4203)
==3566== 
==3566== 8 bytes in 1 blocks are definitely lost in loss record 2 of 2
==3566==    at 0x483021B: malloc (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==3566==    by 0x4A0495: __zend_malloc (zend_alloc.c:2904)
==3566==    by 0x49F82D: _emalloc (zend_alloc.c:2494)
==3566==    by 0x49FC96: _estrdup (zend_alloc.c:2593)
==3566==    by 0x24CD8E: exif_process_user_comment (exif.c:2999)
==3566==    by 0x24DE92: exif_process_IFD_TAG (exif.c:3381)
==3566==    by 0x24E664: exif_process_IFD_in_JPEG (exif.c:3555)
==3566==    by 0x24E942: exif_process_TIFF_in_JPEG (exif.c:3644)
==3566==    by 0x24EA03: exif_process_APP1 (exif.c:3669)
==3566==    by 0x24EECE: exif_scan_JPEG_header (exif.c:3814)
==3566==    by 0x24FDF5: exif_scan_FILE_header (exif.c:4203)
==3566==    by 0x250664: exif_read_from_impl (exif.c:4344)

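The overwrite the report describes, as an added C example that is not PHP's code: the struct, the counting allocator and the `fix` flag are constructed stand-ins, and the fixed branch shows one way to release the previous tag's strings, not the upstream patch. The counter reports the same two lost blocks per extra tag that valgrind shows.

```c
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for the two ImageInfo fields involved (not PHP's real struct). */
typedef struct { char *UserComment; char *UserCommentEncoding; } image_info_t;

/* Allocation counter so the leak is observable without valgrind. */
static int live_allocs = 0;

static char *track_copy(const unsigned char *s, size_t n) {
    char *p = malloc(n + 1);
    memcpy(p, s, n);
    p[n] = '\0';
    live_allocs++;
    return p;
}
static void track_free(char *p) { if (p) { free(p); live_allocs--; } }

/* Handles one UserComment value: an 8-byte encoding id ("UNICODE\0") followed by the
   comment bytes. Two allocations per tag, matching the two valgrind loss records.
   fix == 0: the previous tag's strings are overwritten and lost (the reported leak).
   fix == 1: they are released first (one way to close it; not the upstream patch). */
static int process_user_comment(image_info_t *info, const unsigned char *value,
                                size_t len, int fix) {
    if (len < 8) return 0;
    if (fix) {
        track_free(info->UserComment);
        track_free(info->UserCommentEncoding);
    }
    const unsigned char *nul = memchr(value, 0, 8);
    size_t enc_len = nul ? (size_t)(nul - value) : 8;
    info->UserCommentEncoding = track_copy(value, enc_len);      /* "UNICODE" */
    info->UserComment = track_copy(value + 8, len - 8);          /* "AAAA"    */
    return (int)(len - 8);
}

/* Feeds n identical UserComment tags through the handler, frees whatever ImageInfo
   still points at (as the normal cleanup would), and returns the leaked count:
   2 * (n - 1) for the leaky path, 0 for the fixed one. */
int leaked_after_tags(int n, int fix) {
    /* Constructed 12-byte value taken from the report's test image: "UNICODE\0AAAA". */
    static const unsigned char tag[12] = { 'U','N','I','C','O','D','E',0,'A','A','A','A' };
    image_info_t info = { 0, 0 };
    live_allocs = 0;
    for (int i = 0; i < n; i++)
        process_user_comment(&info, tag, sizeof tag, fix);
    track_free(info.UserComment);
    track_free(info.UserCommentEncoding);
    return live_allocs;
}
```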
History

 [2019-02-10 01:59 UTC] stas@php.net
-Type: Security +Type: Bug
 [2019-02-10 18:56 UTC] ramsey@php.net
The following pull request has been associated:

Patch Name: Fix #77564: Memory leak in exif_process_IFD_TAG
On GitHub:  https://github.com/php/php-src/pull/3817
Patch:      https://github.com/php/php-src/pull/3817.patch
 [2019-02-11 22:17 UTC] ramsey@php.net
-Status: Open +Status: Verified -Assigned To: +Assigned To: ramsey
 [2019-02-12 08:29 UTC] nikic@php.net
Automatic comment on behalf of ben@benramsey.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=c4294440ffc4a59a1298292b76072e6759034a68
Log: Fixed bug #77564: Memory leak in exif_process_IFD_TAG
 [2019-02-12 08:29 UTC] nikic@php.net
-Status: Verified +Status: Closed
 
PHP Copyright © 2001-2019 The PHP Group
All rights reserved.
Last updated: Sat Aug 17 14:01:28 2019 UTC