php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Sec Bug #77831 Heap-buffer-overflow in exif_iif_add_value in EXIF
Submitted: 2019-04-02 06:44 UTC Modified: 2019-04-15 06:53 UTC
From: stas@php.net Assigned: stas (profile)
Status: Closed Package: EXIF related
PHP Version: 7.1.27 OS: *
Private report: No CVE-ID: 2019-11035
 [2019-04-02 06:44 UTC] stas@php.net
Description:
------------
Another OSS-Fuzz bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=13938

Backtrace:

==1==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60400002cb7a at pc 0x00000071d6bb bp 0x7ffdd43127c0 sp 0x7ffdd43127b8
READ of size 8 at 0x60400002cb7a thread T0
SCARINESS: 23 (8-byte-read-heap-buffer-overflow)
    #0 0x71d6ba in exif_iif_add_value php-src/ext/exif/exif.c:2158:23
    #1 0x71144f in exif_iif_add_tag php-src/ext/exif/exif.c:2173:2
    #2 0x718c3f in exif_process_IFD_TAG php-src/ext/exif/exif.c:3530:2
    #3 0x7171e8 in exif_process_IFD_in_JPEG php-src/ext/exif/exif.c:3563:8
    #4 0x716e92 in exif_process_TIFF_in_JPEG php-src/ext/exif/exif.c:3652:2
    #5 0x714b87 in exif_scan_JPEG_header php-src/ext/exif/exif.c:3822:6
    #6 0x714417 in exif_scan_FILE_header php-src/ext/exif/exif.c:4215:8
    #7 0x713df7 in exif_read_from_impl php-src/ext/exif/exif.c:4356:8
    #8 0x710139 in exif_read_from_file php-src/ext/exif/exif.c:4400:8
    #9 0x70e842 in zif_exif_read_data php-src/ext/exif/exif.c:4473:9
    #10 0xcd44c1 in zend_call_function php-src/Zend/zend_execute_API.c:790:4
    #11 0xcd31c9 in _call_user_function_ex php-src/Zend/zend_execute_API.c:627:9
    #12 0xfded5d in fuzzer_call_php_func_zval php-src/sapi/fuzzer/fuzzer-sapi.c:222:11
    #13 0xfdf0fc in fuzzer_call_php_func php-src/sapi/fuzzer/fuzzer-sapi.c:244:2
    #14 0xfde05b in LLVMFuzzerTestOneInput php-src/sapi/fuzzer/fuzzer-exif.c:50:2
    #15 0xfe11aa in ExecuteFilesOnyByOne(int, char**) /src/libfuzzer/afl/afl_driver.cpp:156:5
    #16 0xfe1411 in main /src/libfuzzer/afl/afl_driver.cpp:193:12
    #17 0x7f216285b82f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/libc-start.c:291
    #18 0x4640a8 in _start
0x60400002cb7f is located 0 bytes to the right of 47-byte region [0x60400002cb50,0x60400002cb7f)
allocated by thread T0 here:
    #0 0x4f6f62 in malloc _asan_rtl_
    #1 0xc8518d in __zend_malloc php-src/Zend/zend_alloc.c:2937:14
    #2 0x7168a6 in exif_file_sections_add php-src/ext/exif/exif.c:1988:10
    #3 0x7149f8 in exif_scan_JPEG_header php-src/ext/exif/exif.c:3776:8
    #4 0x714417 in exif_scan_FILE_header php-src/ext/exif/exif.c:4215:8
    #5 0x713df7 in exif_read_from_impl php-src/ext/exif/exif.c:4356:8
    #6 0x710139 in exif_read_from_file php-src/ext/exif/exif.c:4400:8
    #7 0x70e842 in zif_exif_read_data php-src/ext/exif/exif.c:4473:9
    #8 0xcd44c1 in zend_call_function php-src/Zend/zend_execute_API.c:790:4
    #9 0xcd31c9 in _call_user_function_ex php-src/Zend/zend_execute_API.c:627:9
    #10 0xfded5d in fuzzer_call_php_func_zval php-src/sapi/fuzzer/fuzzer-sapi.c:222:11
    #11 0xfdf0fc in fuzzer_call_php_func php-src/sapi/fuzzer/fuzzer-sapi.c:244:2
    #12 0xfde05b in LLVMFuzzerTestOneInput php-src/sapi/fuzzer/fuzzer-exif.c:50:2
    #13 0xfe11aa in ExecuteFilesOnyByOne(int, char**) /src/libfuzzer/afl/afl_driver.cpp:156:5
    #14 0xfe1411 in main /src/libfuzzer/afl/afl_driver.cpp:193:12
    #15 0x7f216285b82f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/libc-start.c:291



Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2019-04-02 06:45 UTC] stas@php.net
-Type: Bug +Type: Security -Private report: No +Private report: Yes
 [2019-04-02 06:45 UTC] stas@php.net
-CVE-ID: +CVE-ID: needed
 [2019-04-02 06:46 UTC] stas@php.net
Looks like exif_iif_add_tag and exif_iif_add_value do not check the length of the values that are supplied to them. Probably needs to be fixed.
 [2019-04-02 07:13 UTC] stas@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=887a7b571407f7a49a5e7cf1e612d21ef83fedb4
Log: Fixed bug #77831 - Heap-buffer-overflow in exif_iif_add_value in EXIF
 [2019-04-02 07:13 UTC] stas@php.net
-Status: Open +Status: Closed
 [2019-04-02 15:03 UTC] pollita@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=330f1716df49c0d3474c18b6dcd370a9dcf57422
Log: Fixed bug #77831 - Heap-buffer-overflow in exif_iif_add_value in EXIF
 [2019-04-15 06:53 UTC] stas@php.net
-Assigned To: +Assigned To: stas -CVE-ID: needed +CVE-ID: 2019-11035
 
PHP Copyright © 2001-2019 The PHP Group
All rights reserved.
Last updated: Thu May 23 23:01:26 2019 UTC