Sec Bug #77659 Uninitialized read in exif_process_IFD_in_MAKERNOTE
Submitted: 2019-02-23 13:50 UTC
Modified: 2019-03-12 19:56 UTC
From: chamal dot desilva at gmail dot com
Assigned: stas
Status: Closed
Package: EXIF related
PHP Version: 7.3.2
OS: Windows, Linux
Private report: No
CVE-ID: 2019-9639
 [2019-02-23 13:50 UTC] chamal dot desilva at gmail dot com
Description:
------------
The exif_process_IFD_in_MAKERNOTE method in the ext/exif/exif.c file has this variable declaration.

int data_len; //It is not initialized on declaration.

A value is assigned to the data_len variable in the switch statement below,
but no value is assigned to data_len in the default and MN_OFFSET_NORMAL cases.

...
switch (maker_note->offset_mode) {
  case MN_OFFSET_MAKER:
    offset_base = value_ptr;
    data_len = value_len;
    break;

  case MN_OFFSET_GUESS:
    ...
    offset_base = value_ptr + offset_diff;
    data_len = value_len - offset_diff;
    break;

  default:
  case MN_OFFSET_NORMAL:
    break;
}
.....

PHP Versions
------------
PHP 8.0.0-dev (cli) (built: Feb 22 2019 18:33:06)
PHP 7.3.2 (cli) (built: Feb 23 2019 18:07:24) ( NTS DEBUG )

Configure Line
--------------
./configure --prefix=/php/install --enable-cli --enable-exif --enable-debug --without-pear


Test script:
---------------
<?php
$img = fopen("php://memory","r+");
fwrite($img,hex2bin("ffd8e1003c4578696600004d4d002a0000000c000000000002010f00010000000500000026927c0001000000120000002b4e494b4f4e4e696b6f6e00000000010000000100000005"));
$s = exif_thumbnail($img);
?>


Actual result:
--------------
Valgrind
---------
export USE_ZEND_ALLOC=0
export ZEND_DONT_UNLOAD_MODULES=1
valgrind bin/php test.php

Source lines are from PHP 7.3.2.

==12021== Conditional jump or move depends on uninitialised value(s)
==12021==    at 0x486484: exif_process_IFD_TAG (exif.c:3262)
==12021==    by 0x486125: exif_process_IFD_in_MAKERNOTE (exif.c:3192)
==12021==    by 0x4872CE: exif_process_IFD_TAG (exif.c:3473)
==12021==    by 0x4876F0: exif_process_IFD_in_JPEG (exif.c:3555)
==12021==    by 0x487A68: exif_process_TIFF_in_JPEG (exif.c:3644)
==12021==    by 0x487B62: exif_process_APP1 (exif.c:3669)
==12021==    by 0x488187: exif_scan_JPEG_header (exif.c:3814)
==12021==    by 0x48942D: exif_scan_FILE_header (exif.c:4203)
==12021==    by 0x489EB4: exif_read_from_impl (exif.c:4344)
==12021==    by 0x489F2F: exif_read_from_stream (exif.c:4361)
==12021==    by 0x48BA43: zif_exif_thumbnail (exif.c:4621)
==12021==    by 0x7E5579: ZEND_DO_ICALL_SPEC_RETVAL_USED_HANDLER (zend_vm_execute.h:690)
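
An added example, not code from the report or from PHP's fix: a self-contained C model of the switch above in which every offset mode, including default and MN_OFFSET_NORMAL, leaves a defined window or fails. The struct, the function names, the unsigned offsets, and the choice of the whole buffer as the MN_OFFSET_NORMAL window are assumptions made for illustration.

```c
#include <stddef.h>

/* Offset modes named in the report; the numeric values are arbitrary. */
enum mn_offset_mode { MN_OFFSET_NORMAL, MN_OFFSET_GUESS, MN_OFFSET_MAKER };

/* Hypothetical type: the window that later bounds checks rely on. */
struct mn_window { size_t offset_base; size_t data_len; };

/*
 * Illustrative hardened form of the switch (not the PHP patch): every path
 * either fills *w completely or returns -1 with an empty window.
 * value_off/value_len locate the MakerNote inside a buffer of ifd_len bytes.
 */
int mn_resolve_window(enum mn_offset_mode mode, size_t value_off,
                      size_t value_len, size_t ifd_len, size_t offset_diff,
                      struct mn_window *w)
{
    w->offset_base = 0;     /* defined state before any branch runs */
    w->data_len = 0;
    if (value_off > ifd_len || value_len > ifd_len - value_off)
        return -1;          /* MakerNote lies outside the buffer */
    switch (mode) {
    case MN_OFFSET_MAKER:
        w->offset_base = value_off;
        w->data_len = value_len;
        return 0;
    case MN_OFFSET_GUESS:
        if (offset_diff > value_len)
            return -1;      /* value_len - offset_diff would wrap */
        w->offset_base = value_off + offset_diff;
        w->data_len = value_len - offset_diff;
        return 0;
    case MN_OFFSET_NORMAL:
        /* Assumption: offsets are relative to the enclosing buffer. */
        w->data_len = ifd_len;
        return 0;
    }
    return -1;              /* unknown mode: fail closed */
}

/* Simplified model of a downstream length check that reads data_len. */
int mn_entry_in_window(const struct mn_window *w, size_t off, size_t n)
{
    return off <= w->data_len && n <= w->data_len - off;
}
```

Building the original code with `-Wmaybe-uninitialized` (GCC) or running it under Valgrind or MemorySanitizer, as the report does, is how this class of bug is caught before release.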

 [2019-03-03 07:49 UTC] stas@php.net
Fix in the patch for bug #77563 (since it's a one-liner, I don't want to make a separate patch just for it).
 [2019-03-04 07:38 UTC] stas@php.net
-Status: Open
+Status: Closed
-Assigned To:
+Assigned To: stas
 [2019-03-04 07:38 UTC] stas@php.net
The fix for this bug has been committed.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.

 For Windows:

http://windows.php.net/snapshots/
 
Thank you for the report, and for helping us make PHP better.


 [2019-03-12 19:56 UTC] stas@php.net
-CVE-ID:
+CVE-ID: 2019-9639
 [2019-07-02 15:21 UTC] d at gmail dot com
<marquee>test</marquee>
 
Last updated: Mon Nov 18 13:01:38 2019 UTC