Sec Bug #78910 Heap-buffer-overflow READ in exif
Submitted: 2019-12-04 12:23 UTC Modified: 2019-12-16 19:01 UTC
From: nikic@php.net Assigned: stas (profile)
Status: Closed Package: EXIF related
PHP Version: 7.2Git-2019-12-04 (Git) OS:
Private report: No CVE-ID: 2019-11047
 [2019-12-04 12:23 UTC] nikic@php.net
Description:
------------
OSS-Fuzz report: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=19044

Valgrind:

==12951== Invalid read of size 1
==12951==    at 0x4C335B8: __strncmp_sse42 (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==12951==    by 0x533ECF: exif_process_IFD_in_MAKERNOTE (exif.c:3168)
==12951==    by 0x535852: exif_process_IFD_TAG (exif.c:3547)
==12951==    by 0x537787: exif_process_IFD_in_TIFF (exif.c:4219)
==12951==    by 0x537D1B: exif_scan_FILE_header (exif.c:4316)
==12951==    by 0x5385F2: exif_read_from_impl (exif.c:4427)
==12951==    by 0x53866D: exif_read_from_stream (exif.c:4444)
==12951==    by 0x53873A: exif_read_from_file (exif.c:4471)
==12951==    by 0x538FB2: zif_exif_read_data (exif.c:4544)
==12951==    by 0xA7D72F: ZEND_DO_ICALL_SPEC_RETVAL_USED_HANDLER (zend_vm_execute.h:621)
==12951==    by 0xB040D0: execute_ex (zend_vm_execute.h:59766)
==12951==    by 0xB094CF: zend_execute (zend_vm_execute.h:63792)
==12951==  Address 0x1088dd5e is 0 bytes after a block of size 30 alloc'd
==12951==    at 0x4C31D2F: realloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==12951==    by 0x9DE192: __zend_realloc (zend_alloc.c:2851)
==12951==    by 0x9DD53B: _erealloc (zend_alloc.c:2466)
==12951==    by 0x9DD773: _safe_erealloc (zend_alloc.c:2505)
==12951==    by 0x531343: exif_file_sections_realloc (exif.c:2045)
==12951==    by 0x536D3A: exif_process_IFD_in_TIFF (exif.c:4059)
==12951==    by 0x537D1B: exif_scan_FILE_header (exif.c:4316)
==12951==    by 0x5385F2: exif_read_from_impl (exif.c:4427)
==12951==    by 0x53866D: exif_read_from_stream (exif.c:4444)
==12951==    by 0x53873A: exif_read_from_file (exif.c:4471)
==12951==    by 0x538FB2: zif_exif_read_data (exif.c:4544)
==12951==    by 0xA7D72F: ZEND_DO_ICALL_SPEC_RETVAL_USED_HANDLER (zend_vm_execute.h:621)
==12951== 

Test script:
---------------
<?php
// Reproducer: the data: URI carries a 42-byte big-endian TIFF ("MM") whose
// MakerNote entry (tag 0x927C) has a count of 0, so its value is empty;
// exif_read_data() then over-reads in exif_process_IFD_in_MAKERNOTE
// (the strncmp frame in the Valgrind trace above).
var_dump(exif_read_data('data:image/jpg;base64,TU0AKgAAAAwgICAgAAIBDwAEAAAAAgAAACKSfCAgAAAAAEZVSklGSUxN'));
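Added example, not code from php-src or from the patch linked in the comments below: it embeds the test script's base64 payload decoded to bytes, walks the TIFF's IFD0 to show what the reproducer actually contains (a Make tag pointing at "FUJIFILM", and a MakerNote tag with an invalid format code 0x2020 and a count of 0, whose value is therefore read in place at the end of the directory), and then performs the vendor id_string lookup with a length check so that no more bytes are compared than the MakerNote value holds. That check is the kind of guard missing at the strncmp frame (exif.c:3168) in the Valgrind trace above; the vendor table and the 1-byte element size assumed for an unknown format code are illustrative assumptions, not exif.c's.

```c
/* Added example, not code from php-src or the linked patch: decode the reproducer's payload,
 * walk its IFD0, and do a bounds-checked MakerNote id_string lookup. The vendor table and
 * the 1-byte element size assumed for an unknown format code are illustrative assumptions. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* The test script's base64 payload, decoded: a 42-byte big-endian TIFF. */
static const unsigned char repro[42] = {
    0x4D,0x4D, 0x00,0x2A, 0x00,0x00,0x00,0x0C,                      /* "MM", 42, IFD0 at 12 */
    0x20,0x20,0x20,0x20,                                            /* padding */
    0x00,0x02,                                                      /* two entries */
    0x01,0x0F, 0x00,0x04, 0x00,0x00,0x00,0x02, 0x00,0x00,0x00,0x22, /* Make: LONG, count 2, offset 34 */
    0x92,0x7C, 0x20,0x20, 0x00,0x00,0x00,0x00, 0x46,0x55,0x4A,0x49, /* MakerNote: fmt 0x2020, count 0, "FUJI" */
    0x46,0x49,0x4C,0x4D,                                            /* "FILM"; also the next-IFD field */
};

struct ifd_entry { uint16_t tag, format; uint32_t count, value; size_t pos; };
static uint16_t be16(const unsigned char *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t be32(const unsigned char *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

/* Element size for TIFF format codes 1..12; anything else counts as 1 byte (assumption). */
static size_t fmt_size(uint16_t f) {
    static const size_t sz[] = { 0, 1, 1, 2, 4, 8, 1, 1, 2, 4, 8, 4, 8 };
    return ((size_t)f < sizeof sz / sizeof sz[0] && sz[f]) ? sz[f] : 1;
}

/* Parse IFD0 of a big-endian TIFF into out[]. Returns the entry count, or -1 if malformed. */
int parse_ifd0(const unsigned char *buf, size_t len, struct ifd_entry *out, int max_out) {
    if (len < 8 || memcmp(buf, "MM\0\x2a", 4) != 0) return -1;
    size_t off = be32(buf + 4);
    if (off + 2 > len) return -1;
    int n = be16(buf + off);
    if (n > max_out || off + 2 + (size_t)n * 12 > len) return -1;
    for (int i = 0; i < n; i++) {
        const unsigned char *e = buf + off + 2 + (size_t)i * 12;
        out[i].tag = be16(e);       out[i].format = be16(e + 2);
        out[i].count = be32(e + 4); out[i].value = be32(e + 8);
        out[i].pos = (size_t)(e - buf);
    }
    return n;
}

/* Locate an entry's value bytes: inline in the entry if <= 4 bytes, else at its offset.
 * Stores the byte count in *vlen; returns NULL if the value would lie outside buf. */
const unsigned char *entry_value(const unsigned char *buf, size_t len,
                                 const struct ifd_entry *e, size_t *vlen) {
    *vlen = (size_t)e->count * fmt_size(e->format);
    if (*vlen <= 4) return buf + e->pos + 8;
    return (e->value > len || *vlen > len - e->value) ? NULL : buf + e->value;
}

struct maker_note { const char *make; const char *id_string; size_t id_string_len; };

/* Constructed vendor table in the shape of a (make, optional id_string) lookup; not exif.c's. */
static const struct maker_note notes[] = {
    { "Canon", NULL, 0 }, { "FUJIFILM", "FUJIFILM", 8 }, { "NIKON", "Nikon\0\1\0", 8 },
};

/* Bounds-checked id_string match: only compare when the MakerNote value holds at least
 * id_string_len bytes. An unconditional strncmp here is what over-reads in the trace above. */
int find_maker_note(const char *make, const unsigned char *value, size_t value_len) {
    for (size_t i = 0; i < sizeof notes / sizeof notes[0]; i++) {
        const struct maker_note *mn = &notes[i];
        if (!make || strcmp(mn->make, make) != 0) continue;
        if (mn->id_string && (value_len < mn->id_string_len ||          /* too short: cannot match */
                              memcmp(mn->id_string, value, mn->id_string_len) != 0)) continue;
        return (int)i;
    }
    return -1;
}

/* Field of entry i in the parsed reproducer: 't'ag, 'f'ormat, 'c'ount, anything else = value. */
uint32_t repro_field(int i, char which) {
    struct ifd_entry ent[8];
    if (parse_ifd0(repro, sizeof repro, ent, 8) != 2 || i < 0 || i > 1) return 0xFFFFFFFFu;
    return which == 't' ? ent[i].tag : which == 'f' ? ent[i].format
         : which == 'c' ? ent[i].count : ent[i].value;
}

/* Reproducer end to end: bounded Make copy (the file has no NUL terminator), then the
 * MakerNote vendor lookup. Returns find_maker_note()'s result, or -2 if the file is malformed. */
int check_repro(void) {
    struct ifd_entry ent[8];
    char make[32] = { 0 };
    size_t mlen, vlen;
    if (parse_ifd0(repro, sizeof repro, ent, 8) != 2 || ent[0].tag != 0x010F) return -2;
    const unsigned char *mv = entry_value(repro, sizeof repro, &ent[0], &mlen);
    if (!mv || mlen >= sizeof make) return -2;
    memcpy(make, mv, mlen);
    const unsigned char *nv = entry_value(repro, sizeof repro, &ent[1], &vlen);
    return nv ? find_maker_note(make, nv, vlen) : -2;
}

int main(void) {
    printf("MakerNote fmt=0x%04X count=%u -> lookup %d\n", repro_field(1, 'f'), repro_field(1, 'c'), check_repro());
    return 0;
}
```

Build with `cc -std=c99 -Wall repro_ifd.c && ./a.out`. With the reproducer, the Make string "FUJIFILM" selects the FUJIFILM row, but the MakerNote value is zero bytes long, so the guarded lookup declines to compare and returns -1 instead of reading eight bytes past the end of the directory buffer; a well-formed MakerNote carrying the full id_string still matches.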



History

 [2019-12-04 12:39 UTC] nikic@php.net
Proposed patch against PHP-7.2: https://gist.github.com/nikic/df193afd21e8313db5e1b218c3b2205c
 [2019-12-11 09:50 UTC] nikic@php.net
I've updated the patch to fix a rebase mistake.
 [2019-12-16 08:17 UTC] stas@php.net
-CVE-ID: +CVE-ID: 2019-11047
 [2019-12-16 19:01 UTC] stas@php.net
-Assigned To: +Assigned To: stas
 [2019-12-16 19:02 UTC] stas@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=d348cfb96f2543565691010ade5e0346338be5a7
Log: Fixed bug #78910
 [2019-12-16 19:02 UTC] stas@php.net
-Status: Assigned +Status: Closed
 [2019-12-17 12:14 UTC] remi@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=57325460d2bdee01a13d8e6cf03345c90543ff4f
Log: Fixed bug #78910
 
Last updated: Sat Apr 04 21:01:23 2020 UTC