Bug #78333 Exif crash (bus error) due to wrong alignment and invalid cast
Submitted: 2019-07-24 21:36 UTC Modified: -
From: rainer dot jung at kippdata dot de Assigned:
Status: Closed Package: EXIF related
PHP Version: 7.4.0alpha3 OS: Solaris 10 Sparc
Private report: No CVE-ID: None
 [2019-07-24 21:36 UTC] rainer dot jung at kippdata dot de
Description:
------------
PHP Version: 7.4.0beta1 (not available in version dropdown)

Crash during execution of the test ext/exif/tests/bug77831.php.

Crash happens as Bus Error due to dereferencing a 2 byte aligned address for a float. Sparc is sensitive to wrong alignments.

Stack:

(gdb) bt full
#0  0xfdb659ec in exif_iif_add_value (image_info=0xffbfc728, section_index=3, name=<optimized out>, tag=<optimized out>, format=11, length=1, value=<optimized out>,
    value_len=<optimized out>, motorola_intel=<optimized out>) at /shared/build/autobuild/workdirs/20190724_202505/bld/php74/ext/exif/exif.c:2165
        idex = 0
        vptr = 0xfe6561da
        vptr_end = 0xfe6561de
        info_value = 0xfe656208
        info_data = 0xfe6561f8
        list = <optimized out>
#1  0xfdb66b3c in exif_iif_add_tag (value_len=4, value=0xfe6561da, length=4, format=<optimized out>, tag=8224, name=<optimized out>, section_index=3, image_info=0xffbfc728)
    at /shared/build/autobuild/workdirs/20190724_202505/bld/php74/ext/exif/exif.c:2186
No locals.
#2  exif_process_IFD_TAG (ImageInfo=0xffbfc728, dir_entry=<optimized out>, offset_base=<optimized out>, IFDlength=<optimized out>, displacement=<optimized out>,
    section_index=3, ReadNextIFD=<optimized out>, tag_table=<optimized out>) at /shared/build/autobuild/workdirs/20190724_202505/bld/php74/ext/exif/exif.c:3486
        length = 38
        tag = 8224
        format = <optimized out>
        components = 4
        value_ptr = 0xfe6561da "    "
        tagname = "UndefinedTag:0x2020", '\000' <repeats 17 times>, "▒\004\024\070▒\210\220▒g\200\061\000\000\000\000\000\000\000 \000\000\000\004\000\000\000\003"
        cbuf = "*\000\000\000\f    \000\002    \000\000\000 \000\000\000\003  \000\v\000\000\000\001 "
        outside = 0x0
        byte_count = 4
        offset_val = <optimized out>
        fpos = <optimized out>
        fgot = <optimized out>
        tmp_xp = <optimized out>
#3  0xfdb663a0 in exif_process_IFD_in_JPEG (ImageInfo=0xffbfc728, dir_start=0xfe6561c4 "", offset_base=0xfe6561b8 "MM", IFDlength=38, displacement=11, section_index=3,
    tag=<optimized out>) at /shared/build/autobuild/workdirs/20190724_202505/bld/php74/ext/exif/exif.c:2885
        de = 1
        NumDirEntries = 2
        NextDirOffset = 0
#4  0xfdb68958 in exif_process_TIFF_in_JPEG (displacement=<optimized out>, length=38, CharBuf=0xfe6561b8 "MM", ImageInfo=0xffbfc728)
    at /shared/build/autobuild/workdirs/20190724_202505/bld/php74/ext/exif/exif.c:3608
        exif_value_2a = 42
        offset_of_ifd = <optimized out>
#5  exif_process_APP1 (displacement=<optimized out>, length=46, CharBuf=0xfe6561b0 "", ImageInfo=0xffbfc728)
    at /shared/build/autobuild/workdirs/20190724_202505/bld/php74/ext/exif/exif.c:3633
        ExifHeader = "Exif\000"
#6  exif_scan_JPEG_header (ImageInfo=0xffbfc728) at /shared/build/autobuild/workdirs/20190724_202505/bld/php74/ext/exif/exif.c:3778
        comment_correction = 1
        ll = <optimized out>
        size = <optimized out>
        Data = 0xfe6561b0 ""
        fpos = <optimized out>
        got = <optimized out>
        itemlen = 46
        sn = <optimized out>
        marker = 225
        last_marker = <optimized out>
        lh = <optimized out>
#7  exif_scan_FILE_header (ImageInfo=0xffbfc728) at /shared/build/autobuild/workdirs/20190724_202505/bld/php74/ext/exif/exif.c:4173
        file_header = "▒ؾ\"\017▒-\230"
        ret = 0
#8  exif_read_from_impl (read_all=0, read_thumbnail=<optimized out>, stream=0xfe668200, ImageInfo=0xffbfc728)
    at /shared/build/autobuild/workdirs/20190724_202505/bld/php74/ext/exif/exif.c:4314
        st = {st_dev = 22282550, st_pad1 = {0, 0, 0}, st_ino = 37266735, st_mode = 33188, st_nlink = 1, st_uid = 1200, st_gid = 1200, st_rdev = 0, st_pad2 = {0, 0},
          st_size = 49, st_pad3 = 0, st_atim = {tv_sec = 1563992732, tv_nsec = 821345000}, st_mtim = {tv_sec = 1563869118, tv_nsec = 0}, st_ctim = {tv_sec = 1563992732,
            tv_nsec = 821810000}, st_blksize = 8192, st_blocks = 2, st_fstype = "lofs", '\000' <repeats 11 times>, st_pad4 = {0, 0, 0, 0, 0, 0, 0, 0}}
#9  exif_read_from_stream (ImageInfo=0xffbfc728, stream=0xfe668200, read_thumbnail=<optimized out>, read_all=0)
    at /shared/build/autobuild/workdirs/20190724_202505/bld/php74/ext/exif/exif.c:4331
        ret = <optimized out>
        old_pos = 0
#10 0xfdb68e10 in exif_read_from_file (ImageInfo=0xffbfc728, FileName=0xfe65b5c0 "/shared/build/autobuild/workdirs/20190724_202505/bld/php74/ext/exif/tests/bug77831.tiff",
    read_thumbnail=0, read_all=<optimized out>) at /shared/build/autobuild/workdirs/20190724_202505/bld/php74/ext/exif/exif.c:4358
        ret = <optimized out>
        stream = 0xfe668200
#11 0xfdb692f4 in zif_exif_read_data (execute_data=0xfe6140a0, return_value=0xfe614040) at /shared/build/autobuild/workdirs/20190724_202505/bld/php74/ext/exif/exif.c:4433
        z_sections_needed = 0x0
        sub_arrays = 0 '\000'
        read_thumbnail = 0 '\000'
        stream = 0xfe6140d0
        i = <optimized out>
        ret = <optimized out>
        sections_needed = 0
        ImageInfo = {infile = 0xfe668200, FileName = 0xfe677040 "bug77831.tiff", FileDateTime = 1563869118, FileSize = 49, FileType = IMAGE_FILETYPE_JPEG, Height = 0,
          Width = 0, IsColor = 0, make = 0x0, model = 0x0, ApertureFNumber = 0, ExposureTime = 0, FocalplaneUnits = 0, CCDWidth = 0, FocalplaneXRes = 0, ExifImageWidth = 0,
          FocalLength = 0, Distance = 0, motorola_intel = 1, UserComment = 0x0, UserCommentLength = 0, UserCommentEncoding = 0x0, encode_unicode = 0xfe677050 "ISO-8859-15",
          decode_unicode_be = 0xfe602010 "UCS-2BE", decode_unicode_le = 0xfe602018 "UCS-2LE", encode_jis = 0xfe602020 "", decode_jis_be = 0xfe602028 "JIS",
          decode_jis_le = 0xfe602030 "JIS", Copyright = 0x0, CopyrightPhotographer = 0x0, CopyrightEditor = 0x0, xp_fields = {count = 0, list = 0x0}, Thumbnail = {
            filetype = IMAGE_FILETYPE_UNKNOWN, width = 0, height = 0, size = 0, offset = 0, data = 0x0}, sections_found = 12, info_list = {{count = 0, list = 0x0}, {count = 0,
              list = 0x0}, {count = 0, list = 0x0}, {count = 1, list = 0xfe6561e0}, {count = 0, list = 0x0}, {count = 0, list = 0x0}, {count = 0, list = 0x0}, {count = 0,
              list = 0x0}, {count = 0, list = 0x0}, {count = 0, list = 0x0}, {count = 0, list = 0x0}, {count = 0, list = 0x0}, {count = 0, list = 0x0}, {count = 0,
              list = 0x0}}, read_thumbnail = 0, read_all = 0, ifd_nesting_level = 2, file = {count = 1, list = 0xfe677060}}
        tmp = "\000\000\000\005\000\000\000\000\000\000\002\002▒?B▒\000\001\000\000\000\000\000\000\000\000\000\000▒\v\022|\000\000\000\002▒▒▒H\000\000\000\000▒gP▒▒\v=\f▒▒▒l▒▒ǰ▒▒\206$"
        sections_str = 0x0
        s = <optimized out>
#12 0xfeeb28e8 in ZEND_DO_ICALL_SPEC_RETVAL_USED_HANDLER (execute_data=0xfe614010) at /shared/build/autobuild/workdirs/20190724_202505/bld/php74/Zend/zend_vm_execute.h:1319
        opline = 0xfe65c214
        call = 0xfe6140a0
        fbc = <optimized out>
        ret = <optimized out>
#13 0xfeeb0c58 in execute_ex (ex=<optimized out>) at /shared/build/autobuild/workdirs/20190724_202505/bld/php74/Zend/zend_vm_execute.h:53103
        ret = <optimized out>
        execute_data = 0xfe614010
#14 0xfef0aa28 in zend_execute (op_array=0xfe6750a0, return_value=0x0) at /shared/build/autobuild/workdirs/20190724_202505/bld/php74/Zend/zend_vm_execute.h:57388
        execute_data = 0xfe614010
        object_or_called_scope = <optimized out>
        call_info = <optimized out>
#15 0xfee6953c in zend_execute_scripts (type=8, retval=0x0, file_count=3) at /shared/build/autobuild/workdirs/20190724_202505/bld/php74/Zend/zend.c:1663
        files = 0xffbfca40
        i = 1
        file_handle = 0xffbfd094
        op_array = 0xfe6750a0
#16 0xfedfdeb0 in php_execute_script (primary_file=0xffbfd094) at /shared/build/autobuild/workdirs/20190724_202505/bld/php74/main/main.c:2633
        realfile = "/shared/build/autobuild/workdirs/20190724_202505/bld/php74/ext/exif/tests/bug77831.php\000\214\000\000\000\005▒▒▒\000\000\000]▒\004\023▒▒e`\000\000\000\000$-
▒▒\234▒\000\000\000\000\000\000\000\001\000\000\000\001▒9\017\220▒▒WR▒?\f▒▒?s▒\n▒*\t\000\000\005(\000\000\000\000\000\000\000\000▒?\f▒▒?s▒", '\000' <repeats 32 times>...
        __orig_bailout = <optimized out>
        __bailout = {2, -4208152, -18883256, -4206776, 83200, 0, 0, 0, 0, 0, 0, 0, 232296, -16390196, 152, 600, -12582912, 8388608, 0}
        prepend_file_p = 0x0
        append_file_p = 0x0
        prepend_file = {handle = {fp = 0x0, stream = {handle = 0x0, isatty = 0, reader = 0x0, fsizer = 0x0, closer = 0x0}}, filename = 0x0, opened_path = 0x0,
          type = ZEND_HANDLE_FILENAME, buf = 0x0, len = 0}
        append_file = {handle = {fp = 0x0, stream = {handle = 0x0, isatty = 0, reader = 0x0, fsizer = 0x0, closer = 0x0}}, filename = 0x0, opened_path = 0x0,
          type = ZEND_HANDLE_FILENAME, buf = 0x0, len = 0}
        old_cwd_fd = -1
        retval = 0
#17 0x00014508 in do_cli (argc=<optimized out>, argv=<optimized out>) at /shared/build/autobuild/workdirs/20190724_202505/bld/php74/sapi/cli/php_cli.c:963
        __orig_bailout = <optimized out>
        __bailout = {2, -4206776, 78836, -4205208, 123884, 0, 101795963, 1949, -13034128, 1026, 9, -13037680, -24543363, -13037680, -12618832, 171156496, -12582912, 8388608, 0}
        c = <optimized out>
        file_handle = {handle = {fp = 0xfe9b554c <_iob+48>, stream = {handle = 0xfe9b554c <_iob+48>, isatty = 0, reader = 0xfee86840 <zend_stream_stdio_reader>,
              fsizer = 0xfee86910 <zend_stream_stdio_fsizer>, closer = 0xfee867f4 <zend_stream_stdio_closer>}},
          filename = 0x3fd18 "/shared/build/autobuild/workdirs/20190724_202505/bld/php74/ext/exif/tests/bug77831.php", opened_path = 0x0, type = ZEND_HANDLE_STREAM,
          buf = 0xfe65b460 "▒e▒@p\nvar_dump(exif_read_data(__DIR__.\"/bug77831.tiff\"));\n?>\nDONE\n", len = 66}
        behavior = <optimized out>
        reflection_what = <optimized out>
        request_started = 1
        exit_status = 0
        php_optarg = 0x3fd18 "/shared/build/autobuild/workdirs/20190724_202505/bld/php74/ext/exif/tests/bug77831.php"
        php_optind = 152
        exec_direct = <optimized out>
        exec_run = <optimized out>
        exec_begin = <optimized out>
        exec_end = <optimized out>
        arg_free = <optimized out>
        arg_excp = <optimized out>
        script_file = <optimized out>
        translated_path = 0x2084a0 "/shared/build/autobuild/workdirs/20190724_202505/bld/php74/ext/exif/tests/bug77831.php"
        interactive = <optimized out>
        param_error = <optimized out>
        hide_argv = <optimized out>
#18 0x0001e3f4 in main (argc=<optimized out>, argv=0x3ecf8) at /shared/build/autobuild/workdirs/20190724_202505/bld/php74/sapi/cli/php_cli.c:1353
        __orig_bailout = 0x0
        __bailout = {2, -4205208, 123328, -4204984, 76588, 0, 0, 0, 0, 0, 0, 3, -4204884, 4, -4204272, 5, -12582912, 8388608, 0}
        c = <optimized out>
        exit_status = 0
        module_started = 1
        sapi_started = 1
        php_optarg = 0x3fd18 "/shared/build/autobuild/workdirs/20190724_202505/bld/php74/ext/exif/tests/bug77831.php"
        php_optind = 152
        use_extended_info = 0
        ini_path_override = 0x3fd78 "/shared/build/autobuild/workdirs/20190724_202505/bld/php74/tmp-php.ini"
        ini_entries = 0x40578 "html_errors=0\nregister_argc_argv=1\nimplicit_flush=1\noutput_buffering=0\nmax_execution_time=0\nmax_input_time=-1\noutput_handler=\nopen_basedir=\ndisable_functions=\noutput_buffering=Off\nerror_reporting=3276"...
        ini_entries_len = 1582
        ini_ignore = 1


The relevant code line is

2165                                                 info_value->f = *(float *)value;

and value points at address 0xfe6561da. This address is only 2-byte aligned and cannot be dereferenced as a float.

Regards,
Rainer
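The pattern the report points at (a raw `*(float *)` cast on a byte pointer into a TIFF buffer) next to an alignment-safe read, as an added C example that is not the php-src code or the fix commits recorded in the history below. The buffer, offset and value are constructed here; `float_ptr_is_aligned`, `read_float_unsafe` and `read_float_safe` are names chosen for this example.

```c
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Nonzero when p meets the alignment a float requires. Dereferencing
 * *(float *)p when this is zero is undefined behaviour in C: SPARC raises
 * SIGBUS (the bus error in the report), x86 usually tolerates it, which is
 * why the test passed on most platforms and failed on Solaris/SPARC. */
int float_ptr_is_aligned(const void *p)
{
    return ((uintptr_t)p % _Alignof(float)) == 0;
}

/* The pattern from exif.c:2165 as quoted in the report; kept only to show
 * the defect. Never call it on a pointer that is not float-aligned. */
float read_float_unsafe(const unsigned char *value)
{
    return *(const float *)value;
}

/* Alignment-safe read: copy the bytes into a properly aligned local. The
 * compiler emits a plain load where unaligned loads are legal and byte
 * loads where they are not, so this is correct on every architecture. */
float read_float_safe(const unsigned char *value)
{
    float f;
    memcpy(&f, value, sizeof f);
    return f;
}

/* Constructed sample: a 4-byte-aligned buffer whose float payload starts at
 * offset 2, mirroring vptr = 0xfe6561da in the backtrace (host byte order). */
_Alignas(4) static unsigned char sample[8];

void build_sample(float v)
{
    memset(sample, 0, sizeof sample);
    memcpy(sample + 2, &v, sizeof v);
}

int main(void)
{
    build_sample(1.5f);
    printf("offset 2 aligned for float? %d, value read safely = %g\n",
           float_ptr_is_aligned(sample + 2), read_float_safe(sample + 2));
    return 0;
}
```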


History
 [2019-07-28 18:52 UTC] rainer dot jung at kippdata dot de
I should say that the problem is not new to 7.4. It goes back at least to 7.2, probably even older.
 [2019-07-29 09:26 UTC] nikic@php.net
Automatic comment on behalf of nikita.ppv@gmail.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=d142dfc93d71bb387c19a06f77c265e89fc9d516
Log: Fixed bug #78333
 [2019-07-29 09:26 UTC] nikic@php.net
-Status: Open +Status: Closed
 [2019-07-29 09:28 UTC] nikic@php.net
Automatic comment on behalf of nikita.ppv@gmail.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=68fd435ba81e0208d30218b0558cccbf76b85e49
Log: Fixed bug #78333
Last updated: Sun Dec 15 04:01:23 2019 UTC