Sec Bug #78222 heap-buffer-overflow on exif_scan_thumbnail
Submitted: 2019-06-27 21:43 UTC Modified: 2019-07-29 20:21 UTC
From: orestiskourides at gmail dot com Assigned: stas (profile)
Status: Closed Package: EXIF related
PHP Version: 7.1.30 OS: Linux
Private report: No CVE-ID: 2019-11041
 [2019-06-27 21:43 UTC] orestiskourides at gmail dot com
Description:
------------
==14771==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000001712 at pc 0x0000004523c2 bp 0x7ffd91582ab0 sp 0x7ffd91582240
READ of size 3 at 0x602000001712 thread T0
SCARINESS: 15 (3-byte-read-heap-buffer-overflow)
    #0 0x4523c1 in __interceptor_memcmp /scratch/llvm/clang-4/xenial/final/llvm.src/projects/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:690:7
    #1 0x72ac2d in exif_scan_thumbnail /home/ninja/php/php-7.3.6/ext/exif/exif.c:3898:6
    #2 0x728462 in zif_exif_read_data /home/ninja/php/php-7.3.6/ext/exif/exif.c:4583:4
    #3 0xe259ce in ZEND_DO_ICALL_SPEC_RETVAL_UNUSED_HANDLER /home/ninja/php/php-7.3.6/Zend/zend_vm_execute.h:645:2
    #4 0xd22ed3 in execute_ex /home/ninja/php/php-7.3.6/Zend/zend_vm_execute.h:55334:7
    #5 0xd235fc in zend_execute /home/ninja/php/php-7.3.6/Zend/zend_vm_execute.h:60881:2
    #6 0xbe4f1c in zend_execute_scripts /home/ninja/php/php-7.3.6/Zend/zend.c:1568:4
    #7 0xa3d95d in php_execute_script /home/ninja/php/php-7.3.6/main/main.c:2630:14
    #8 0xf22877 in do_cli /home/ninja/php/php-7.3.6/sapi/cli/php_cli.c:997:5
    #9 0xf1f656 in main /home/ninja/php/php-7.3.6/sapi/cli/php_cli.c:1389:18
    #10 0x7f4194434b96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
    #11 0x4395b9 in _start (/home/ninja/php/php-7.3.6_asan/sapi/cli/php+0x4395b9)

0x602000001712 is located 0 bytes to the right of 2-byte region [0x602000001710,0x602000001712)
allocated by thread T0 here:
    #0 0x4e02ac in malloc /scratch/llvm/clang-4/xenial/final/llvm.src/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:66:3
    #1 0xb39a2e in __zend_malloc /home/ninja/php/php-7.3.6/Zend/zend_alloc.c:2903:14

SUMMARY: AddressSanitizer: heap-buffer-overflow /scratch/llvm/clang-4/xenial/final/llvm.src/projects/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:690:7 in __interceptor_memcmp


Test script:
---------------
<?php
$img = fopen("php://memory","r+");
fwrite($img,hex2bin("ffd8e100554578696600004d4d002a0000000c30303030000000000012000302020001000000010100303001110001000000013d3030300101000100000001303030303030303030ffd8ff30003030303025303030303030da0002"));
$test=exif_read_data($img, 'THUMBNAIL', FALSE, TRUE);
?>


Expected result:
----------------
No crash

Actual result:
--------------
==22203== Memcheck, a memory error detector
==22203== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
==22203== Using Valgrind-3.13.0 and LibVEX; rerun with -h for copyright info
==22203== Command: sapi/cli/php test.php
==22203== 
==22203== Conditional jump or move depends on uninitialised value(s)
==22203==    at 0x5F06CA: zend_string_equal_val (zend_string.c:417)
==22203==    by 0x5F06CA: zend_string_equal_content (zend_string.h:310)
==22203==    by 0x5F06CA: zend_interned_string_ht_lookup (zend_string.c:156)
==22203==    by 0x5F06CA: zend_new_interned_string_permanent (zend_string.c:196)
==22203==    by 0x5E0308: zend_register_ini_entries (zend_ini.c:261)
==22203==    by 0x5660B0: php_module_startup (main.c:2275)
==22203==    by 0x67C1BB: php_cli_startup (php_cli.c:420)
==22203==    by 0x67B112: main (php_cli.c:1356)
==22203== 
==22203== Conditional jump or move depends on uninitialised value(s)
==22203==    at 0x5F06CA: zend_string_equal_val (zend_string.c:417)
==22203==    by 0x5F06CA: zend_string_equal_content (zend_string.h:310)
==22203==    by 0x5F06CA: zend_interned_string_ht_lookup (zend_string.c:156)
==22203==    by 0x5F06CA: zend_new_interned_string_permanent (zend_string.c:196)
==22203==    by 0x5CCA8C: zend_register_functions (zend_API.c:2283)
==22203==    by 0x5CDB0F: do_register_internal_class (zend_API.c:2727)
==22203==    by 0x5CD98D: zend_register_internal_class (zend_API.c:2775)
==22203==    by 0x5CD98D: zend_register_internal_class_ex (zend_API.c:2747)
==22203==    by 0x5E6A8A: zend_register_default_exception (zend_exceptions.c:827)
==22203==    by 0x602C5A: zend_register_default_classes (zend_default_classes.c:32)
==22203==    by 0x5DB523: zm_startup_core (zend_builtin_functions.c:307)
==22203==    by 0x5CBACB: zend_startup_module_ex (zend_API.c:1878)
==22203==    by 0x5CBEC8: zend_startup_module_zval (zend_API.c:1893)
==22203==    by 0x5D8321: zend_hash_apply (zend_hash.c:1689)
==22203==    by 0x5CBDA2: zend_startup_modules (zend_API.c:2004)
==22203==    by 0x566152: php_module_startup (main.c:2333)
==22203==    by 0x67C1BB: php_cli_startup (php_cli.c:420)
==22203==    by 0x67B112: main (php_cli.c:1356)
==22203== 
==22203== Conditional jump or move depends on uninitialised value(s)
==22203==    at 0x5F06CA: zend_string_equal_val (zend_string.c:417)
==22203==    by 0x5F06CA: zend_string_equal_content (zend_string.h:310)
==22203==    by 0x5F06CA: zend_interned_string_ht_lookup (zend_string.c:156)
==22203==    by 0x5F06CA: zend_new_interned_string_permanent (zend_string.c:196)
==22203==    by 0x5CFC06: zval_make_interned_string (zend_API.c:3697)
==22203==    by 0x5CFC06: zend_declare_property_ex (zend_API.c:3723)
==22203==    by 0x5CFF7D: zend_declare_property (zend_API.c:3793)
==22203==    by 0x5D011E: zend_declare_property_string (zend_API.c:3840)
==22203==    by 0x5E6AD6: zend_register_default_exception (zend_exceptions.c:831)
==22203==    by 0x602C5A: zend_register_default_classes (zend_default_classes.c:32)
==22203==    by 0x5DB523: zm_startup_core (zend_builtin_functions.c:307)
==22203==    by 0x5CBACB: zend_startup_module_ex (zend_API.c:1878)
==22203==    by 0x5CBEC8: zend_startup_module_zval (zend_API.c:1893)
==22203==    by 0x5D8321: zend_hash_apply (zend_hash.c:1689)
==22203==    by 0x5CBDA2: zend_startup_modules (zend_API.c:2004)
==22203==    by 0x566152: php_module_startup (main.c:2333)
==22203==    by 0x67C1BB: php_cli_startup (php_cli.c:420)
==22203==    by 0x67B112: main (php_cli.c:1356)
==22203== 
==22203== Conditional jump or move depends on uninitialised value(s)
==22203==    at 0x5F06CA: zend_string_equal_val (zend_string.c:417)
==22203==    by 0x5F06CA: zend_string_equal_content (zend_string.h:310)
==22203==    by 0x5F06CA: zend_interned_string_ht_lookup (zend_string.c:156)
==22203==    by 0x5F06CA: zend_new_interned_string_permanent (zend_string.c:196)
==22203==    by 0x5CFDA3: zend_declare_property_ex (zend_API.c:3768)
==22203==    by 0x5CFF7D: zend_declare_property (zend_API.c:3793)
==22203==    by 0x5D011E: zend_declare_property_string (zend_API.c:3840)
==22203==    by 0x5E6AF7: zend_register_default_exception (zend_exceptions.c:832)
==22203==    by 0x602C5A: zend_register_default_classes (zend_default_classes.c:32)
==22203==    by 0x5DB523: zm_startup_core (zend_builtin_functions.c:307)
==22203==    by 0x5CBACB: zend_startup_module_ex (zend_API.c:1878)
==22203==    by 0x5CBEC8: zend_startup_module_zval (zend_API.c:1893)
==22203==    by 0x5D8321: zend_hash_apply (zend_hash.c:1689)
==22203==    by 0x5CBDA2: zend_startup_modules (zend_API.c:2004)
==22203==    by 0x566152: php_module_startup (main.c:2333)
==22203==    by 0x67C1BB: php_cli_startup (php_cli.c:420)
==22203==    by 0x67B112: main (php_cli.c:1356)
==22203== 
==22203== Conditional jump or move depends on uninitialised value(s)
==22203==    at 0x5F06CA: zend_string_equal_val (zend_string.c:417)
==22203==    by 0x5F06CA: zend_string_equal_content (zend_string.h:310)
==22203==    by 0x5F06CA: zend_interned_string_ht_lookup (zend_string.c:156)
==22203==    by 0x5F06CA: zend_new_interned_string_permanent (zend_string.c:196)
==22203==    by 0x5CFDA3: zend_declare_property_ex (zend_API.c:3768)
==22203==    by 0x5CFF7D: zend_declare_property (zend_API.c:3793)
==22203==    by 0x5D002A: zend_declare_property_long (zend_API.c:3822)
==22203==    by 0x5E6B15: zend_register_default_exception (zend_exceptions.c:833)
==22203==    by 0x602C5A: zend_register_default_classes (zend_default_classes.c:32)
==22203==    by 0x5DB523: zm_startup_core (zend_builtin_functions.c:307)
==22203==    by 0x5CBACB: zend_startup_module_ex (zend_API.c:1878)
==22203==    by 0x5CBEC8: zend_startup_module_zval (zend_API.c:1893)
==22203==    by 0x5D8321: zend_hash_apply (zend_hash.c:1689)
==22203==    by 0x5CBDA2: zend_startup_modules (zend_API.c:2004)
==22203==    by 0x566152: php_module_startup (main.c:2333)
==22203==    by 0x67C1BB: php_cli_startup (php_cli.c:420)
==22203==    by 0x67B112: main (php_cli.c:1356)
==22203== 
==22203== Conditional jump or move depends on uninitialised value(s)
==22203==    at 0x5F06CA: zend_string_equal_val (zend_string.c:417)
==22203==    by 0x5F06CA: zend_string_equal_content (zend_string.h:310)
==22203==    by 0x5F06CA: zend_interned_string_ht_lookup (zend_string.c:156)
==22203==    by 0x5F06CA: zend_new_interned_string_permanent (zend_string.c:196)
==22203==    by 0x5CFDA3: zend_declare_property_ex (zend_API.c:3768)
==22203==    by 0x5CFF7D: zend_declare_property (zend_API.c:3793)
==22203==    by 0x5CFFCA: zend_declare_property_null (zend_API.c:3804)
==22203==    by 0x5E6B30: zend_register_default_exception (zend_exceptions.c:834)
==22203==    by 0x602C5A: zend_register_default_classes (zend_default_classes.c:32)
==22203==    by 0x5DB523: zm_startup_core (zend_builtin_functions.c:307)
==22203==    by 0x5CBACB: zend_startup_module_ex (zend_API.c:1878)
==22203==    by 0x5CBEC8: zend_startup_module_zval (zend_API.c:1893)
==22203==    by 0x5D8321: zend_hash_apply (zend_hash.c:1689)
==22203==    by 0x5CBDA2: zend_startup_modules (zend_API.c:2004)
==22203==    by 0x566152: php_module_startup (main.c:2333)
==22203==    by 0x67C1BB: php_cli_startup (php_cli.c:420)
==22203==    by 0x67B112: main (php_cli.c:1356)
==22203== 
==22203== Conditional jump or move depends on uninitialised value(s)
==22203==    at 0x5F06CA: zend_string_equal_val (zend_string.c:417)
==22203==    by 0x5F06CA: zend_string_equal_content (zend_string.h:310)
==22203==    by 0x5F06CA: zend_interned_string_ht_lookup (zend_string.c:156)
==22203==    by 0x5F06CA: zend_new_interned_string_permanent (zend_string.c:196)
==22203==    by 0x5CFE43: zend_declare_property_ex (zend_API.c:3780)
==22203==    by 0x5CFF7D: zend_declare_property (zend_API.c:3793)
==22203==    by 0x5D011E: zend_declare_property_string (zend_API.c:3840)
==22203==    by 0x5E6C7F: zend_register_default_exception (zend_exceptions.c:849)
==22203==    by 0x602C5A: zend_register_default_classes (zend_default_classes.c:32)
==22203==    by 0x5DB523: zm_startup_core (zend_builtin_functions.c:307)
==22203==    by 0x5CBACB: zend_startup_module_ex (zend_API.c:1878)
==22203==    by 0x5CBEC8: zend_startup_module_zval (zend_API.c:1893)
==22203==    by 0x5D8321: zend_hash_apply (zend_hash.c:1689)
==22203==    by 0x5CBDA2: zend_startup_modules (zend_API.c:2004)
==22203==    by 0x566152: php_module_startup (main.c:2333)
==22203==    by 0x67C1BB: php_cli_startup (php_cli.c:420)
==22203==    by 0x67B112: main (php_cli.c:1356)
==22203== 
==22203== Conditional jump or move depends on uninitialised value(s)
==22203==    at 0x5F06CA: zend_string_equal_val (zend_string.c:417)
==22203==    by 0x5F06CA: zend_string_equal_content (zend_string.h:310)
==22203==    by 0x5F06CA: zend_interned_string_ht_lookup (zend_string.c:156)
==22203==    by 0x5F06CA: zend_new_interned_string_permanent (zend_string.c:196)
==22203==    by 0x5D025F: zval_make_interned_string (zend_API.c:3697)
==22203==    by 0x5D025F: zend_declare_class_constant_ex (zend_API.c:3869)
==22203==    by 0x5D0435: zend_declare_class_constant (zend_API.c:3905)
==22203==    by 0x5D05A5: zend_declare_class_constant_stringl (zend_API.c:3952)
==22203==    by 0x41F9B4: date_register_classes (php_date.c:2114)
==22203==    by 0x41F9B4: zm_startup_date (php_date.c:877)
==22203==    by 0x5CBACB: zend_startup_module_ex (zend_API.c:1878)
==22203==    by 0x5CBEC8: zend_startup_module_zval (zend_API.c:1893)
==22203==    by 0x5D8321: zend_hash_apply (zend_hash.c:1689)
==22203==    by 0x5CBDA2: zend_startup_modules (zend_API.c:2004)
==22203==    by 0x566152: php_module_startup (main.c:2333)
==22203==    by 0x67C1BB: php_cli_startup (php_cli.c:420)
==22203==    by 0x67B112: main (php_cli.c:1356)
==22203== 
==22203== Conditional jump or move depends on uninitialised value(s)
==22203==    at 0x5F06CA: zend_string_equal_val (zend_string.c:417)
==22203==    by 0x5F06CA: zend_string_equal_content (zend_string.h:310)
==22203==    by 0x5F06CA: zend_interned_string_ht_lookup (zend_string.c:156)
==22203==    by 0x5F06CA: zend_new_interned_string_permanent (zend_string.c:196)
==22203==    by 0x5CDB35: do_register_internal_class (zend_API.c:2731)
==22203==    by 0x4CDDAC: zm_startup_reflection (php_reflection.c:6636)
==22203==    by 0x5CBACB: zend_startup_module_ex (zend_API.c:1878)
==22203==    by 0x5CBEC8: zend_startup_module_zval (zend_API.c:1893)
==22203==    by 0x5D8321: zend_hash_apply (zend_hash.c:1689)
==22203==    by 0x5CBDA2: zend_startup_modules (zend_API.c:2004)
==22203==    by 0x566152: php_module_startup (main.c:2333)
==22203==    by 0x67C1BB: php_cli_startup (php_cli.c:420)
==22203==    by 0x67B112: main (php_cli.c:1356)
==22203== 
==22203== Conditional jump or move depends on uninitialised value(s)
==22203==    at 0x5F06CA: zend_string_equal_val (zend_string.c:417)
==22203==    by 0x5F06CA: zend_string_equal_content (zend_string.h:310)
==22203==    by 0x5F06CA: zend_interned_string_ht_lookup (zend_string.c:156)
==22203==    by 0x5F06CA: zend_new_interned_string_permanent (zend_string.c:196)
==22203==    by 0x5CCA8C: zend_register_functions (zend_API.c:2283)
==22203==    by 0x5CDB0F: do_register_internal_class (zend_API.c:2727)
==22203==    by 0x4CDDF0: zm_startup_reflection (php_reflection.c:6639)
==22203==    by 0x5CBACB: zend_startup_module_ex (zend_API.c:1878)
==22203==    by 0x5CBEC8: zend_startup_module_zval (zend_API.c:1893)
==22203==    by 0x5D8321: zend_hash_apply (zend_hash.c:1689)
==22203==    by 0x5CBDA2: zend_startup_modules (zend_API.c:2004)
==22203==    by 0x566152: php_module_startup (main.c:2333)
==22203==    by 0x67C1BB: php_cli_startup (php_cli.c:420)
==22203==    by 0x67B112: main (php_cli.c:1356)
==22203== 
==22203== Conditional jump or move depends on uninitialised value(s)
==22203==    at 0x5F06CA: zend_string_equal_val (zend_string.c:417)
==22203==    by 0x5F06CA: zend_string_equal_content (zend_string.h:310)
==22203==    by 0x5F06CA: zend_interned_string_ht_lookup (zend_string.c:156)
==22203==    by 0x5F06CA: zend_new_interned_string_permanent (zend_string.c:196)
==22203==    by 0x5CCA8C: zend_register_functions (zend_API.c:2283)
==22203==    by 0x5CDB0F: do_register_internal_class (zend_API.c:2727)
==22203==    by 0x4CDFA9: zm_startup_reflection (php_reflection.c:6660)
==22203==    by 0x5CBACB: zend_startup_module_ex (zend_API.c:1878)
==22203==    by 0x5CBEC8: zend_startup_module_zval (zend_API.c:1893)
==22203==    by 0x5D8321: zend_hash_apply (zend_hash.c:1689)
==22203==    by 0x5CBDA2: zend_startup_modules (zend_API.c:2004)
==22203==    by 0x566152: php_module_startup (main.c:2333)
==22203==    by 0x67C1BB: php_cli_startup (php_cli.c:420)
==22203==    by 0x67B112: main (php_cli.c:1356)
==22203== 
==22203== Conditional jump or move depends on uninitialised value(s)
==22203==    at 0x5F06CA: zend_string_equal_val (zend_string.c:417)
==22203==    by 0x5F06CA: zend_string_equal_content (zend_string.h:310)
==22203==    by 0x5F06CA: zend_interned_string_ht_lookup (zend_string.c:156)
==22203==    by 0x5F06CA: zend_new_interned_string_permanent (zend_string.c:196)
==22203==    by 0x5CCA8C: zend_register_functions (zend_API.c:2283)
==22203==    by 0x5CDB0F: do_register_internal_class (zend_API.c:2727)
==22203==    by 0x4CE033: zm_startup_reflection (php_reflection.c:6666)
==22203==    by 0x5CBACB: zend_startup_module_ex (zend_API.c:1878)
==22203==    by 0x5CBEC8: zend_startup_module_zval (zend_API.c:1893)
==22203==    by 0x5D8321: zend_hash_apply (zend_hash.c:1689)
==22203==    by 0x5CBDA2: zend_startup_modules (zend_API.c:2004)
==22203==    by 0x566152: php_module_startup (main.c:2333)
==22203==    by 0x67C1BB: php_cli_startup (php_cli.c:420)
==22203==    by 0x67B112: main (php_cli.c:1356)
==22203== 
==22203== Conditional jump or move depends on uninitialised value(s)
==22203==    at 0x5F06CA: zend_string_equal_val (zend_string.c:417)
==22203==    by 0x5F06CA: zend_string_equal_content (zend_string.h:310)
==22203==    by 0x5F06CA: zend_interned_string_ht_lookup (zend_string.c:156)
==22203==    by 0x5F06CA: zend_new_interned_string_permanent (zend_string.c:196)
==22203==    by 0x5CCA8C: zend_register_functions (zend_API.c:2283)
==22203==    by 0x5CDB0F: do_register_internal_class (zend_API.c:2727)
==22203==    by 0x4CE211: zm_startup_reflection (php_reflection.c:6687)
==22203==    by 0x5CBACB: zend_startup_module_ex (zend_API.c:1878)
==22203==    by 0x5CBEC8: zend_startup_module_zval (zend_API.c:1893)
==22203==    by 0x5D8321: zend_hash_apply (zend_hash.c:1689)
==22203==    by 0x5CBDA2: zend_startup_modules (zend_API.c:2004)
==22203==    by 0x566152: php_module_startup (main.c:2333)
==22203==    by 0x67C1BB: php_cli_startup (php_cli.c:420)
==22203==    by 0x67B112: main (php_cli.c:1356)
==22203== 
==22203== Conditional jump or move depends on uninitialised value(s)
==22203==    at 0x5F06CA: zend_string_equal_val (zend_string.c:417)
==22203==    by 0x5F06CA: zend_string_equal_content (zend_string.h:310)
==22203==    by 0x5F06CA: zend_interned_string_ht_lookup (zend_string.c:156)
==22203==    by 0x5F06CA: zend_new_interned_string_permanent (zend_string.c:196)
==22203==    by 0x5CCA8C: zend_register_functions (zend_API.c:2283)
==22203==    by 0x5CDB0F: do_register_internal_class (zend_API.c:2727)
==22203==    by 0x4CE343: zm_startup_reflection (php_reflection.c:6701)
==22203==    by 0x5CBACB: zend_startup_module_ex (zend_API.c:1878)
==22203==    by 0x5CBEC8: zend_startup_module_zval (zend_API.c:1893)
==22203==    by 0x5D8321: zend_hash_apply (zend_hash.c:1689)
==22203==    by 0x5CBDA2: zend_startup_modules (zend_API.c:2004)
==22203==    by 0x566152: php_module_startup (main.c:2333)
==22203==    by 0x67C1BB: php_cli_startup (php_cli.c:420)
==22203==    by 0x67B112: main (php_cli.c:1356)
==22203== 
==22203== Conditional jump or move depends on uninitialised value(s)
==22203==    at 0x5F06CA: zend_string_equal_val (zend_string.c:417)
==22203==    by 0x5F06CA: zend_string_equal_content (zend_string.h:310)
==22203==    by 0x5F06CA: zend_interned_string_ht_lookup (zend_string.c:156)
==22203==    by 0x5F06CA: zend_new_interned_string_permanent (zend_string.c:196)
==22203==    by 0x5CCA8C: zend_register_functions (zend_API.c:2283)
==22203==    by 0x5CDB0F: do_register_internal_class (zend_API.c:2727)
==22203==    by 0x4CE3EE: zm_startup_reflection (php_reflection.c:6708)
==22203==    by 0x5CBACB: zend_startup_module_ex (zend_API.c:1878)
==22203==    by 0x5CBEC8: zend_startup_module_zval (zend_API.c:1893)
==22203==    by 0x5D8321: zend_hash_apply (zend_hash.c:1689)
==22203==    by 0x5CBDA2: zend_startup_modules (zend_API.c:2004)
==22203==    by 0x566152: php_module_startup (main.c:2333)
==22203==    by 0x67C1BB: php_cli_startup (php_cli.c:420)
==22203==    by 0x67B112: main (php_cli.c:1356)
==22203== 
==22203== Conditional jump or move depends on uninitialised value(s)
==22203==    at 0x5F06CA: zend_string_equal_val (zend_string.c:417)
==22203==    by 0x5F06CA: zend_string_equal_content (zend_string.h:310)
==22203==    by 0x5F06CA: zend_interned_string_ht_lookup (zend_string.c:156)
==22203==    by 0x5F06CA: zend_new_interned_string_permanent (zend_string.c:196)
==22203==    by 0x5CCA8C: zend_register_functions (zend_API.c:2283)
==22203==    by 0x5CDB0F: do_register_internal_class (zend_API.c:2727)
==22203==    by 0x4CE505: zm_startup_reflection (php_reflection.c:6720)
==22203==    by 0x5CBACB: zend_startup_module_ex (zend_API.c:1878)
==22203==    by 0x5CBEC8: zend_startup_module_zval (zend_API.c:1893)
==22203==    by 0x5D8321: zend_hash_apply (zend_hash.c:1689)
==22203==    by 0x5CBDA2: zend_startup_modules (zend_API.c:2004)
==22203==    by 0x566152: php_module_startup (main.c:2333)
==22203==    by 0x67C1BB: php_cli_startup (php_cli.c:420)
==22203==    by 0x67B112: main (php_cli.c:1356)
==22203== 
==22203== Conditional jump or move depends on uninitialised value(s)
==22203==    at 0x5F06CA: zend_string_equal_val (zend_string.c:417)
==22203==    by 0x5F06CA: zend_string_equal_content (zend_string.h:310)
==22203==    by 0x5F06CA: zend_interned_string_ht_lookup (zend_string.c:156)
==22203==    by 0x5F06CA: zend_new_interned_string_permanent (zend_string.c:196)
==22203==    by 0x5CCA8C: zend_register_functions (zend_API.c:2283)
==22203==    by 0x5CDB0F: do_register_internal_class (zend_API.c:2727)
==22203==    by 0x4CE58F: zm_startup_reflection (php_reflection.c:6726)
==22203==    by 0x5CBACB: zend_startup_module_ex (zend_API.c:1878)
==22203==    by 0x5CBEC8: zend_startup_module_zval (zend_API.c:1893)
==22203==    by 0x5D8321: zend_hash_apply (zend_hash.c:1689)
==22203==    by 0x5CBDA2: zend_startup_modules (zend_API.c:2004)
==22203==    by 0x566152: php_module_startup (main.c:2333)
==22203==    by 0x67C1BB: php_cli_startup (php_cli.c:420)
==22203==    by 0x67B112: main (php_cli.c:1356)
==22203== 
==22203== Conditional jump or move depends on uninitialised value(s)
==22203==    at 0x5F06CA: zend_string_equal_val (zend_string.c:417)
==22203==    by 0x5F06CA: zend_string_equal_content (zend_string.h:310)
==22203==    by 0x5F06CA: zend_interned_string_ht_lookup (zend_string.c:156)
==22203==    by 0x5F06CA: zend_new_interned_string_permanent (zend_string.c:196)
==22203==    by 0x5CCA8C: zend_register_functions (zend_API.c:2283)
==22203==    by 0x5CDB0F: do_register_internal_class (zend_API.c:2727)
==22203==    by 0x4D1B41: spl_register_std_class (spl_functions.c:44)
==22203==    by 0x4DCCB9: zm_startup_spl_array (spl_array.c:2002)
==22203==    by 0x4D192D: zm_startup_spl (php_spl.c:998)
==22203==    by 0x5CBACB: zend_startup_module_ex (zend_API.c:1878)
==22203==    by 0x5CBEC8: zend_startup_module_zval (zend_API.c:1893)
==22203==    by 0x5D8321: zend_hash_apply (zend_hash.c:1689)
==22203==    by 0x5CBDA2: zend_startup_modules (zend_API.c:2004)
==22203==    by 0x566152: php_module_startup (main.c:2333)
==22203==    by 0x67C1BB: php_cli_startup (php_cli.c:420)
==22203==    by 0x67B112: main (php_cli.c:1356)
==22203== 
==22203== Conditional jump or move depends on uninitialised value(s)
==22203==    at 0x5F0176: zend_string_equal_val (zend_string.c:417)
==22203==    by 0x5F0176: zend_string_equal_content (zend_string.h:310)
==22203==    by 0x5F0176: zend_interned_string_ht_lookup (zend_string.c:156)
==22203==    by 0x5F0176: zend_new_interned_string_request (zend_string.c:224)
==22203==    by 0x59F860: zval_make_interned_string (zend_compile.c:473)
==22203==    by 0x59F860: zend_insert_literal (zend_compile.c:485)
==22203==    by 0x59F860: zend_add_literal (zend_compile.c:505)
==22203==    by 0x59F860: zend_emit_op (zend_compile.c:2121)
==22203==    by 0x5A8049: zend_compile_call (zend_compile.c:4042)
==22203==    by 0x5A2E8A: zend_compile_assign (zend_compile.c:2980)
==22203==    by 0x5AB0FE: zend_compile_stmt (zend_compile.c:8309)
==22203==    by 0x5B197C: zend_compile_top_stmt (zend_compile.c:8195)
==22203==    by 0x5B196B: zend_compile_top_stmt (zend_compile.c:8190)
==22203==    by 0x58A637: zend_compile (zend_language_scanner.l:602)
==22203==    by 0x58A505: compile_file (zend_language_scanner.l:636)
==22203==    by 0x5C6975: zend_execute_scripts (zend.c:1562)
==22203==    by 0x567206: php_execute_script (main.c:2630)
==22203==    by 0x67BFB2: do_cli (php_cli.c:997)
==22203==    by 0x67B169: main (php_cli.c:1389)
==22203== 
==22203== Conditional jump or move depends on uninitialised value(s)
==22203==    at 0x5F0176: zend_string_equal_val (zend_string.c:417)
==22203==    by 0x5F0176: zend_string_equal_content (zend_string.h:310)
==22203==    by 0x5F0176: zend_interned_string_ht_lookup (zend_string.c:156)
==22203==    by 0x5F0176: zend_new_interned_string_request (zend_string.c:224)
==22203==    by 0x59F860: zval_make_interned_string (zend_compile.c:473)
==22203==    by 0x59F860: zend_insert_literal (zend_compile.c:485)
==22203==    by 0x59F860: zend_add_literal (zend_compile.c:505)
==22203==    by 0x59F860: zend_emit_op (zend_compile.c:2121)
==22203==    by 0x5A8049: zend_compile_call (zend_compile.c:4042)
==22203==    by 0x5AB0FE: zend_compile_stmt (zend_compile.c:8309)
==22203==    by 0x5B197C: zend_compile_top_stmt (zend_compile.c:8195)
==22203==    by 0x5B196B: zend_compile_top_stmt (zend_compile.c:8190)
==22203==    by 0x58A637: zend_compile (zend_language_scanner.l:602)
==22203==    by 0x58A505: compile_file (zend_language_scanner.l:636)
==22203==    by 0x5C6975: zend_execute_scripts (zend.c:1562)
==22203==    by 0x567206: php_execute_script (main.c:2630)
==22203==    by 0x67BFB2: do_cli (php_cli.c:997)
==22203==    by 0x67B169: main (php_cli.c:1389)
==22203== 
==22203== Conditional jump or move depends on uninitialised value(s)
==22203==    at 0x5F021A: zend_string_equal_val (zend_string.c:417)
==22203==    by 0x5F021A: zend_string_equal_content (zend_string.h:310)
==22203==    by 0x5F021A: zend_interned_string_ht_lookup (zend_string.c:156)
==22203==    by 0x5F021A: zend_new_interned_string_request (zend_string.c:230)
==22203==    by 0x5A36D3: zval_make_interned_string (zend_compile.c:473)
==22203==    by 0x5A36D3: zend_try_compile_cv (zend_compile.c:2534)
==22203==    by 0x5A3FCB: zend_compile_simple_var (zend_compile.c:2606)
==22203==    by 0x5A3FCB: zend_compile_var (zend_compile.c:8450)
==22203==    by 0x5A4F96: zend_compile_args (zend_compile.c:3211)
==22203==    by 0x5A5110: zend_compile_call_common (zend_compile.c:3314)
==22203==    by 0x5A806A: zend_compile_call (zend_compile.c:4045)
==22203==    by 0x5AB0FE: zend_compile_stmt (zend_compile.c:8309)
==22203==    by 0x5B197C: zend_compile_top_stmt (zend_compile.c:8195)
==22203==    by 0x5B196B: zend_compile_top_stmt (zend_compile.c:8190)
==22203==    by 0x58A637: zend_compile (zend_language_scanner.l:602)
==22203==    by 0x58A505: compile_file (zend_language_scanner.l:636)
==22203==    by 0x5C6975: zend_execute_scripts (zend.c:1562)
==22203==    by 0x567206: php_execute_script (main.c:2630)
==22203==    by 0x67BFB2: do_cli (php_cli.c:997)
==22203==    by 0x67B169: main (php_cli.c:1389)
==22203== 
==22203== 
==22203== HEAP SUMMARY:
==22203==     in use at exit: 0 bytes in 0 blocks
==22203==   total heap usage: 7,084 allocs, 7,084 frees, 1,591,905 bytes allocated
==22203== 
==22203== All heap blocks were freed -- no leaks are possible
==22203== 
==22203== For counts of detected and suppressed errors, rerun with: -v
==22203== Use --track-origins=yes to see where uninitialised values come from
==22203== ERROR SUMMARY: 169 errors from 21 contexts (suppressed: 0 from 0)


History

 [2019-07-07 23:50 UTC] stas@php.net
-PHP Version: 7.3.6 +PHP Version: 7.1.30 -Assigned To: +Assigned To: stas -CVE-ID: +CVE-ID: 2019-11040
 [2019-07-07 23:51 UTC] stas@php.net
This patch should fix it:

diff --git a/ext/exif/exif.c b/ext/exif/exif.c
index 605b37923f..cd7975a9f5 100644
--- a/ext/exif/exif.c
+++ b/ext/exif/exif.c
@@ -3498,7 +3498,7 @@ static int exif_scan_thumbnail(image_info_type *ImageInfo)
        size_t          length=2, pos=0;
        jpeg_sof_info   sof_info;
 
-       if (!data) {
+       if (!data || ImageInfo->Thumbnail.size < 4) {
                return FALSE; /* nothing to do here */
        }
        if (memcmp(data, "\xFF\xD8\xFF", 3)) {
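Review bot: the minimum of 4 in the new `if (!data || ImageInfo->Thumbnail.size < 4)` check is one byte more than the three bytes that `memcmp(data, "\xFF\xD8\xFF", 3)` reads; if the extra byte is there for the marker walk that follows (`length=2, pos=0` are set up just above), a short comment stating why 4 is the floor would stop a later reader from "correcting" it to 3. The guard covers only the read visible here, so each read in the marker loop still needs its own check against `Thumbnail.size`, and the reporter's script is a ready-made regression test for ext/exif/tests.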

Could you please verify?
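As an added example (not PHP's code and not part of this report), here is a bounds-checked walk over a thumbnail's JPEG markers in the spirit of the patched function: it rejects buffers shorter than four bytes before the three-byte SOI compare, which is the read the ASan trace shows running off the end of a two-byte region, and it checks every segment length against the buffer size before touching the segment. The segment layout handling and the sample bytes are constructed for this example.

```c
/* Added example, not from php-src: a minimal, bounds-checked scan of a
 * JPEG thumbnail for its SOF (start-of-frame) segment. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef struct {
    size_t width;
    size_t height;
} sof_info_t;

/* Constructed sample: SOI, a 4-byte APP0 segment, then a SOF0 segment
 * declaring an 8-bit, 16x8, single-component frame. 21 bytes in total. */
static const uint8_t SAMPLE_JPEG[] = {
    0xFF, 0xD8,                         /* SOI */
    0xFF, 0xE0, 0x00, 0x04, 0x4A, 0x46, /* APP0, length 4 (2 payload bytes) */
    0xFF, 0xC0, 0x00, 0x0B,             /* SOF0, length 11 */
    0x08,                               /* sample precision */
    0x00, 0x08,                         /* height = 8 */
    0x00, 0x10,                         /* width = 16 */
    0x01, 0x01, 0x11, 0x00,             /* one component */
};

/* Returns 1 and fills *sof when a SOF0/1/2 segment is found, 0 when the
 * buffer is not a JPEG, is truncated, or ends before any SOF segment.
 * Every read of data[] is preceded by a check that it lies inside size. */
int scan_thumbnail(const uint8_t *data, size_t size, sof_info_t *sof)
{
    size_t pos;

    /* The #78222 guard: the 3-byte SOI compare below must not run on a
     * shorter buffer, and the first marker needs at least 4 bytes anyway. */
    if (data == NULL || size < 4) {
        return 0;
    }
    if (memcmp(data, "\xFF\xD8\xFF", 3) != 0) {
        return 0;                       /* not a JPEG stream */
    }

    pos = 2;                            /* skip SOI */
    while (pos + 4 <= size) {           /* marker (2 bytes) + length (2 bytes) */
        uint8_t marker;
        size_t len;

        if (data[pos] != 0xFF) {
            return 0;                   /* lost marker sync */
        }
        marker = data[pos + 1];
        len = ((size_t)data[pos + 2] << 8) | data[pos + 3];
        if (len < 2 || pos + 2 + len > size) {
            return 0;                   /* length field runs past the buffer */
        }
        if (marker == 0xC0 || marker == 0xC1 || marker == 0xC2) {
            if (len < 7) {
                return 0;               /* too short to hold precision+height+width */
            }
            sof->height = ((size_t)data[pos + 5] << 8) | data[pos + 6];
            sof->width  = ((size_t)data[pos + 7] << 8) | data[pos + 8];
            return 1;
        }
        if (marker == 0xDA || marker == 0xD9) {
            return 0;                   /* SOS or EOI reached without a SOF */
        }
        pos += 2 + len;                 /* advance to the next marker */
    }
    return 0;                           /* buffer ended mid-stream */
}

int main(void)
{
    sof_info_t sof = {0, 0};
    const uint8_t two_bytes[2] = {0xFF, 0xD8}; /* the 2-byte region from the ASan report */

    printf("full sample: %d (%zux%zu)\n",
           scan_thumbnail(SAMPLE_JPEG, sizeof SAMPLE_JPEG, &sof), sof.width, sof.height);
    printf("2-byte thumbnail: %d\n", scan_thumbnail(two_bytes, sizeof two_bytes, &sof));
    printf("truncated SOF: %d\n", scan_thumbnail(SAMPLE_JPEG, 14, &sof));
    return 0;
}
```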
 [2019-07-07 23:52 UTC] stas@php.net
-CVE-ID: 2019-11040 +CVE-ID: 2019-11041
 [2019-07-13 05:32 UTC] orestiskourides at gmail dot com
fixed, no crash, all good ;)
 [2019-07-29 20:21 UTC] stas@php.net
-Status: Assigned +Status: Closed
 [2019-07-29 20:21 UTC] stas@php.net
The fix for this bug has been committed.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.

 For Windows:

http://windows.php.net/snapshots/

Thank you for the report, and for helping us make PHP better.


 [2019-07-30 07:17 UTC] cmb@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=f22101c8308669bb63c03a73a2cac2408d844f38
Log: Fix bug #78222 (heap-buffer-overflow on exif_scan_thumbnail)
 
PHP Copyright © 2001-2019 The PHP Group
All rights reserved.
Last updated: Sat Oct 19 12:01:27 2019 UTC