php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login

go to bug id or search bugs for

Sec Bug #77950 Heap-buffer-overflow in _estrndup via exif_process_IFD_TAG
Submitted: 2019-04-29 03:38 UTC Modified: 2019-04-30 07:06 UTC
From: stas@php.net Assigned:
Status: Closed Package: EXIF related
PHP Version: 7.2Git-2019-04-29 (Git) OS: Linux
Private report: No CVE-ID: 2019-11036
View Add Comment Developer Edit
Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If this is not your bug, you can add a comment by following this link.
If this is your bug, but you forgot your password, you can retrieve your password here.
Password:
Status:
Package:
Bug Type:
Summary:
From: stas@php.net
New email:
PHP Version: OS:

 

 [2019-04-29 03:38 UTC] stas@php.net 
Description:
------------
Test case from https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=14050 produces this failure:

INFO: Seed: 4172817174
INFO: Loaded 1 modules   (160646 inline 8-bit counters): 160646 [0x1f78eb0, 0x1fa0236), 
INFO: Loaded 1 PC tables (160646 PCs): 160646 [0x1fa0238,0x2213a98), 
/out/php-fuzz-exif: Running 1 inputs 100 time(s) each.
Running: /testcase
=================================================================
==6==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x612000009ee0 at pc 0x0000004e797a bp 0x7fff16bdc500 sp 0x7fff16bdbcc8
READ of size 247 at 0x612000009ee0 thread T0
SCARINESS: 26 (multi-byte-read-heap-buffer-overflow)
    #0 0x4e7979 in __asan_memcpy /src/llvm/projects/compiler-rt/lib/asan/asan_interceptors_memintrinsics.cc:22:3
    #1 0xce74b7 in _estrndup /src/php-src/Zend/zend_alloc.c:2639:2
    #2 0x72b2d5 in exif_iif_add_value /src/php-src/ext/exif/exif.c:2099:21
    #3 0x71e9c5 in exif_iif_add_tag /src/php-src/ext/exif/exif.c:2184:2
    #4 0x726717 in exif_process_IFD_TAG /src/php-src/ext/exif/exif.c:3484:2
    #5 0x72843a in exif_process_IFD_in_MAKERNOTE /src/php-src/ext/exif/exif.c:3150:8
    #6 0x7262bb in exif_process_IFD_TAG /src/php-src/ext/exif/exif.c:3435:10
    #7 0x723811 in exif_process_IFD_in_TIFF /src/php-src/ext/exif/exif.c:4102:12
    #8 0x72368e in exif_process_IFD_in_TIFF /src/php-src/ext/exif/exif.c:4073:7
    #9 0x72368e in exif_process_IFD_in_TIFF /src/php-src/ext/exif/exif.c:4073:7
    #10 0x72368e in exif_process_IFD_in_TIFF /src/php-src/ext/exif/exif.c:4073:7
    #11 0x72368e in exif_process_IFD_in_TIFF /src/php-src/ext/exif/exif.c:4073:7
    #12 0x721ba1 in exif_scan_FILE_header /src/php-src/ext/exif/exif.c:4185:9
    #13 0x721517 in exif_read_from_impl /src/php-src/ext/exif/exif.c:4310:8
    #14 0x71d770 in exif_read_from_file /src/php-src/ext/exif/exif.c:4354:8
    #15 0x71be58 in zif_exif_read_data /src/php-src/ext/exif/exif.c:4427:9
    #16 0xd3a9ba in zend_call_function /src/php-src/Zend/zend_execute_API.c
    #17 0xd3948c in _call_user_function_ex /src/php-src/Zend/zend_execute_API.c:627:9
    #18 0x106de32 in fuzzer_call_php_func_zval /src/php-src/sapi/fuzzer/fuzzer-sapi.c:222:11
    #19 0x106e1ce in fuzzer_call_php_func /src/php-src/sapi/fuzzer/fuzzer-sapi.c:244:2
    #20 0x106d06f in LLVMFuzzerTestOneInput /src/php-src/sapi/fuzzer/fuzzer-exif.c:50:2
    #21 0x10b2c61 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/libfuzzer/FuzzerLoop.cpp:552:15
    #22 0x107061f in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /src/libfuzzer/FuzzerDriver.cpp:286:6
    #23 0x107bf23 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/libfuzzer/FuzzerDriver.cpp:717:9
    #24 0x106fc77 in main /src/libfuzzer/FuzzerMain.cpp:19:10
    #25 0x7f93e056582f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #26 0x4704a8 in _start (/out/php-fuzz-exif+0x4704a8)

0x612000009ee0 is located 0 bytes to the right of 288-byte region [0x612000009dc0,0x612000009ee0)
allocated by thread T0 here:
    #0 0x4e855d in malloc /src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:145:3
    #1 0xce70d9 in __zend_malloc /src/php-src/Zend/zend_alloc.c:2933:14
    #2 0x72599a in exif_process_IFD_TAG /src/php-src/ext/exif/exif.c:3238:17
    #3 0x723811 in exif_process_IFD_in_TIFF /src/php-src/ext/exif/exif.c:4102:12
    #4 0x72368e in exif_process_IFD_in_TIFF /src/php-src/ext/exif/exif.c:4073:7
    #5 0x72368e in exif_process_IFD_in_TIFF /src/php-src/ext/exif/exif.c:4073:7
    #6 0x72368e in exif_process_IFD_in_TIFF /src/php-src/ext/exif/exif.c:4073:7
    #7 0x72368e in exif_process_IFD_in_TIFF /src/php-src/ext/exif/exif.c:4073:7
    #8 0x721ba1 in exif_scan_FILE_header /src/php-src/ext/exif/exif.c:4185:9
    #9 0x721517 in exif_read_from_impl /src/php-src/ext/exif/exif.c:4310:8
    #10 0x71d770 in exif_read_from_file /src/php-src/ext/exif/exif.c:4354:8
    #11 0x71be58 in zif_exif_read_data /src/php-src/ext/exif/exif.c:4427:9
    #12 0xd3a9ba in zend_call_function /src/php-src/Zend/zend_execute_API.c
    #13 0xd3948c in _call_user_function_ex /src/php-src/Zend/zend_execute_API.c:627:9
    #14 0x106de32 in fuzzer_call_php_func_zval /src/php-src/sapi/fuzzer/fuzzer-sapi.c:222:11
    #15 0x106e1ce in fuzzer_call_php_func /src/php-src/sapi/fuzzer/fuzzer-sapi.c:244:2
    #16 0x106d06f in LLVMFuzzerTestOneInput /src/php-src/sapi/fuzzer/fuzzer-exif.c:50:2
    #17 0x10b2c61 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/libfuzzer/FuzzerLoop.cpp:552:15
    #18 0x107061f in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /src/libfuzzer/FuzzerDriver.cpp:286:6
    #19 0x107bf23 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/libfuzzer/FuzzerDriver.cpp:717:9
    #20 0x106fc77 in main /src/libfuzzer/FuzzerMain.cpp:19:10
    #21 0x7f93e056582f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2019-04-29 03:39 UTC] stas@php.net
-CVE-ID: +CVE-ID: 2019-11036
 [2019-04-29 04:16 UTC] stas@php.net 
Weird thing: reproduces with -runs=43 but not with -runs=42. I wonder what could cause such effect.
 [2019-04-30 07:06 UTC] stas@php.net 
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=f80ad18afae2230c2c1802c7d829100af646874e
Log: Fix bug #77950 - Heap-buffer-overflow in _estrndup via exif_process_IFD_TAG
 [2019-04-30 07:06 UTC] stas@php.net
-Status: Open +Status: Closed
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved. 		Last updated: Tue Apr 23 11:01:33 2024 UTC