php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login

go to bug id or search bugs for

Sec Bug #78910 Heap-buffer-overflow READ in exif
Submitted: 2019-12-04 12:23 UTC Modified: 2019-12-16 19:01 UTC
From: nikic@php.net Assigned: stas (profile)
Status: Closed Package: EXIF related
PHP Version: 7.2Git-2019-12-04 (Git) OS:
Private report: No CVE-ID: 2019-11047
View Add Comment Developer Edit
Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If this is not your bug, you can add a comment by following this link.
If this is your bug, but you forgot your password, you can retrieve your password here.
Password:
Status:
Package:
Bug Type:
Summary:
From: nikic@php.net
New email:
PHP Version: OS:

 

 [2019-12-04 12:23 UTC] nikic@php.net 
Description:
------------
OSS-Fuzz report: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=19044

Valgrind:

==12951== Invalid read of size 1
==12951==    at 0x4C335B8: __strncmp_sse42 (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==12951==    by 0x533ECF: exif_process_IFD_in_MAKERNOTE (exif.c:3168)
==12951==    by 0x535852: exif_process_IFD_TAG (exif.c:3547)
==12951==    by 0x537787: exif_process_IFD_in_TIFF (exif.c:4219)
==12951==    by 0x537D1B: exif_scan_FILE_header (exif.c:4316)
==12951==    by 0x5385F2: exif_read_from_impl (exif.c:4427)
==12951==    by 0x53866D: exif_read_from_stream (exif.c:4444)
==12951==    by 0x53873A: exif_read_from_file (exif.c:4471)
==12951==    by 0x538FB2: zif_exif_read_data (exif.c:4544)
==12951==    by 0xA7D72F: ZEND_DO_ICALL_SPEC_RETVAL_USED_HANDLER (zend_vm_execute.h:621)
==12951==    by 0xB040D0: execute_ex (zend_vm_execute.h:59766)
==12951==    by 0xB094CF: zend_execute (zend_vm_execute.h:63792)
==12951==  Address 0x1088dd5e is 0 bytes after a block of size 30 alloc'd
==12951==    at 0x4C31D2F: realloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==12951==    by 0x9DE192: __zend_realloc (zend_alloc.c:2851)
==12951==    by 0x9DD53B: _erealloc (zend_alloc.c:2466)
==12951==    by 0x9DD773: _safe_erealloc (zend_alloc.c:2505)
==12951==    by 0x531343: exif_file_sections_realloc (exif.c:2045)
==12951==    by 0x536D3A: exif_process_IFD_in_TIFF (exif.c:4059)
==12951==    by 0x537D1B: exif_scan_FILE_header (exif.c:4316)
==12951==    by 0x5385F2: exif_read_from_impl (exif.c:4427)
==12951==    by 0x53866D: exif_read_from_stream (exif.c:4444)
==12951==    by 0x53873A: exif_read_from_file (exif.c:4471)
==12951==    by 0x538FB2: zif_exif_read_data (exif.c:4544)
==12951==    by 0xA7D72F: ZEND_DO_ICALL_SPEC_RETVAL_USED_HANDLER (zend_vm_execute.h:621)
==12951== 

Test script:
---------------
<?php
  
var_dump(exif_read_data('data:image/jpg;base64,TU0AKgAAAAwgICAgAAIBDwAEAAAAAgAAACKSfCAgAAAAAEZVSklGSUxN'));

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2019-12-04 12:39 UTC] nikic@php.net 
Proposed patch against PHP-7.2: https://gist.github.com/nikic/df193afd21e8313db5e1b218c3b2205c
 [2019-12-11 09:50 UTC] nikic@php.net 
I've updated the patch to fix a rebase mistake.
 [2019-12-16 08:17 UTC] stas@php.net
-CVE-ID: +CVE-ID: 2019-11047
 [2019-12-16 19:01 UTC] stas@php.net
-Assigned To: +Assigned To: stas
 [2019-12-16 19:02 UTC] stas@php.net 
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=d348cfb96f2543565691010ade5e0346338be5a7
Log: Fixed bug #78910
 [2019-12-16 19:02 UTC] stas@php.net
-Status: Assigned +Status: Closed
 [2019-12-16 19:02 UTC] stas@php.net 
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=d348cfb96f2543565691010ade5e0346338be5a7
Log: Fixed bug #78910
 [2019-12-17 12:14 UTC] remi@php.net 
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=57325460d2bdee01a13d8e6cf03345c90543ff4f
Log: Fixed bug #78910
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved. 		Last updated: Thu Apr 25 14:01:31 2024 UTC