php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Sec Bug #77950 Heap-buffer-overflow in _estrndup via exif_process_IFD_TAG
Submitted: 2019-04-29 03:38 UTC Modified: 2019-04-30 07:06 UTC
From: stas@php.net Assigned:
Status: Closed Package: EXIF related
PHP Version: 7.2Git-2019-04-29 (Git) OS: Linux
Private report: No CVE-ID: 2019-11036
 [2019-04-29 03:38 UTC] stas@php.net
Description:
------------
Test case from https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=14050 produces this failure:

INFO: Seed: 4172817174
INFO: Loaded 1 modules   (160646 inline 8-bit counters): 160646 [0x1f78eb0, 0x1fa0236), 
INFO: Loaded 1 PC tables (160646 PCs): 160646 [0x1fa0238,0x2213a98), 
/out/php-fuzz-exif: Running 1 inputs 100 time(s) each.
Running: /testcase
=================================================================
==6==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x612000009ee0 at pc 0x0000004e797a bp 0x7fff16bdc500 sp 0x7fff16bdbcc8
READ of size 247 at 0x612000009ee0 thread T0
SCARINESS: 26 (multi-byte-read-heap-buffer-overflow)
    #0 0x4e7979 in __asan_memcpy /src/llvm/projects/compiler-rt/lib/asan/asan_interceptors_memintrinsics.cc:22:3
    #1 0xce74b7 in _estrndup /src/php-src/Zend/zend_alloc.c:2639:2
    #2 0x72b2d5 in exif_iif_add_value /src/php-src/ext/exif/exif.c:2099:21
    #3 0x71e9c5 in exif_iif_add_tag /src/php-src/ext/exif/exif.c:2184:2
    #4 0x726717 in exif_process_IFD_TAG /src/php-src/ext/exif/exif.c:3484:2
    #5 0x72843a in exif_process_IFD_in_MAKERNOTE /src/php-src/ext/exif/exif.c:3150:8
    #6 0x7262bb in exif_process_IFD_TAG /src/php-src/ext/exif/exif.c:3435:10
    #7 0x723811 in exif_process_IFD_in_TIFF /src/php-src/ext/exif/exif.c:4102:12
    #8 0x72368e in exif_process_IFD_in_TIFF /src/php-src/ext/exif/exif.c:4073:7
    #9 0x72368e in exif_process_IFD_in_TIFF /src/php-src/ext/exif/exif.c:4073:7
    #10 0x72368e in exif_process_IFD_in_TIFF /src/php-src/ext/exif/exif.c:4073:7
    #11 0x72368e in exif_process_IFD_in_TIFF /src/php-src/ext/exif/exif.c:4073:7
    #12 0x721ba1 in exif_scan_FILE_header /src/php-src/ext/exif/exif.c:4185:9
    #13 0x721517 in exif_read_from_impl /src/php-src/ext/exif/exif.c:4310:8
    #14 0x71d770 in exif_read_from_file /src/php-src/ext/exif/exif.c:4354:8
    #15 0x71be58 in zif_exif_read_data /src/php-src/ext/exif/exif.c:4427:9
    #16 0xd3a9ba in zend_call_function /src/php-src/Zend/zend_execute_API.c
    #17 0xd3948c in _call_user_function_ex /src/php-src/Zend/zend_execute_API.c:627:9
    #18 0x106de32 in fuzzer_call_php_func_zval /src/php-src/sapi/fuzzer/fuzzer-sapi.c:222:11
    #19 0x106e1ce in fuzzer_call_php_func /src/php-src/sapi/fuzzer/fuzzer-sapi.c:244:2
    #20 0x106d06f in LLVMFuzzerTestOneInput /src/php-src/sapi/fuzzer/fuzzer-exif.c:50:2
    #21 0x10b2c61 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/libfuzzer/FuzzerLoop.cpp:552:15
    #22 0x107061f in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /src/libfuzzer/FuzzerDriver.cpp:286:6
    #23 0x107bf23 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/libfuzzer/FuzzerDriver.cpp:717:9
    #24 0x106fc77 in main /src/libfuzzer/FuzzerMain.cpp:19:10
    #25 0x7f93e056582f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #26 0x4704a8 in _start (/out/php-fuzz-exif+0x4704a8)

0x612000009ee0 is located 0 bytes to the right of 288-byte region [0x612000009dc0,0x612000009ee0)
allocated by thread T0 here:
    #0 0x4e855d in malloc /src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:145:3
    #1 0xce70d9 in __zend_malloc /src/php-src/Zend/zend_alloc.c:2933:14
    #2 0x72599a in exif_process_IFD_TAG /src/php-src/ext/exif/exif.c:3238:17
    #3 0x723811 in exif_process_IFD_in_TIFF /src/php-src/ext/exif/exif.c:4102:12
    #4 0x72368e in exif_process_IFD_in_TIFF /src/php-src/ext/exif/exif.c:4073:7
    #5 0x72368e in exif_process_IFD_in_TIFF /src/php-src/ext/exif/exif.c:4073:7
    #6 0x72368e in exif_process_IFD_in_TIFF /src/php-src/ext/exif/exif.c:4073:7
    #7 0x72368e in exif_process_IFD_in_TIFF /src/php-src/ext/exif/exif.c:4073:7
    #8 0x721ba1 in exif_scan_FILE_header /src/php-src/ext/exif/exif.c:4185:9
    #9 0x721517 in exif_read_from_impl /src/php-src/ext/exif/exif.c:4310:8
    #10 0x71d770 in exif_read_from_file /src/php-src/ext/exif/exif.c:4354:8
    #11 0x71be58 in zif_exif_read_data /src/php-src/ext/exif/exif.c:4427:9
    #12 0xd3a9ba in zend_call_function /src/php-src/Zend/zend_execute_API.c
    #13 0xd3948c in _call_user_function_ex /src/php-src/Zend/zend_execute_API.c:627:9
    #14 0x106de32 in fuzzer_call_php_func_zval /src/php-src/sapi/fuzzer/fuzzer-sapi.c:222:11
    #15 0x106e1ce in fuzzer_call_php_func /src/php-src/sapi/fuzzer/fuzzer-sapi.c:244:2
    #16 0x106d06f in LLVMFuzzerTestOneInput /src/php-src/sapi/fuzzer/fuzzer-exif.c:50:2
    #17 0x10b2c61 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/libfuzzer/FuzzerLoop.cpp:552:15
    #18 0x107061f in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /src/libfuzzer/FuzzerDriver.cpp:286:6
    #19 0x107bf23 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/libfuzzer/FuzzerDriver.cpp:717:9
    #20 0x106fc77 in main /src/libfuzzer/FuzzerMain.cpp:19:10
    #21 0x7f93e056582f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)



Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2019-04-29 03:39 UTC] stas@php.net
-CVE-ID: +CVE-ID: 2019-11036
 [2019-04-29 04:16 UTC] stas@php.net
Weird thing: reproduces with -runs=43 but not with -runs=42. I wonder what could cause such effect.
 [2019-04-30 07:06 UTC] stas@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=f80ad18afae2230c2c1802c7d829100af646874e
Log: Fix bug #77950 - Heap-buffer-overflow in _estrndup via exif_process_IFD_TAG
 [2019-04-30 07:06 UTC] stas@php.net
-Status: Open +Status: Closed
 
PHP Copyright © 2001-2019 The PHP Group
All rights reserved.
Last updated: Sat Dec 07 07:01:24 2019 UTC