Bug #79046 NaN to int cast undefined behavior in exif
Submitted: 2019-12-30 03:37 UTC Modified: 2019-12-30 15:29 UTC
From: wxhusst at gmail dot com Assigned:
Status: Closed Package: EXIF related
PHP Version: 7.4.1 OS: linux
Private report: No CVE-ID: None
 [2019-12-30 03:37 UTC] wxhusst at gmail dot com
Description:
------------
exif_read_data may lead to integer overflow

raven@ubuntu ~/p/s/cli (master)> 
./php -r 'exif_read_data("/home/raven/php-src/crash-7cd841466926b2ce76d75b379568282a0fc8914b", "IFD0");'
/home/raven/php-src/ext/exif/exif.c:1677:10: runtime error: nan is outside the range of representable values of type 'unsigned long'
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /home/raven/php-src/ext/exif/exif.c:1677:10 in

sorry, no backtrace for gdb

the file 
https://github.com/loveraven42/poc/blob/master/crash-7cd841466926b2ce76d75b379568282a0fc8914b

Test script:
---------------
./php -r 'exif_read_data("/home/raven/php-src/crash-7cd841466926b2ce76d75b379568282a0fc8914b", "IFD0");'


History

 [2019-12-30 15:29 UTC] nikic@php.net
-Summary: UndefinedBehaviorSanitizer: undefined-behavior
+Summary: NaN to int cast undefined behavior in exif
-Status: Open
+Status: Verified
-Type: Security
+Type: Bug
 [2019-12-30 15:29 UTC] nikic@php.net
This was partially addressed in https://github.com/php/php-src/commit/dd997a40d0be9b03973b1317041f92ad9582237f, but the NaN case wasn't handled.

Reclassifying as normal bug as this UBSan violation does not result in an actual miscompile.
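An added example, not PHP's code and not the fix in the commit linked above: a C helper (hypothetically named checked_double_to_ulong) that performs the double-to-unsigned-long conversion UBSan complained about only when C defines it, and refuses NaN, values at or below -1, and values that do not fit in unsigned long.

```c
#include <limits.h>
#include <math.h>
#include <stdbool.h>
#include <stdio.h>

/* Hypothetical helper, not taken from ext/exif. Converting a double to an
 * unsigned integer is undefined in C when the value is NaN, or when its
 * integral part is outside the target range; UBSan's float-cast-overflow
 * check is what reported the NaN case at exif.c:1677. */
bool checked_double_to_ulong(double d, unsigned long *out)
{
    /* NaN compares unequal to everything, including itself, so a plain
     * range check would let it through. Test it explicitly first. */
    if (d != d) {
        return false;
    }
    /* Values in (-1, 0) truncate to 0, which is representable; anything
     * at or below -1 would need a negative integer, so reject it. */
    if (d <= -1.0) {
        return false;
    }
    /* Compute 2^(bits in unsigned long) exactly in floating point; values
     * at or above it cannot be represented after truncation. */
    double limit = 1.0;
    for (size_t i = 0; i < sizeof(unsigned long) * CHAR_BIT; i++) {
        limit *= 2.0;
    }
    if (d >= limit) {
        return false;
    }
    *out = (unsigned long)d; /* defined: integral part fits */
    return true;
}

int main(void)
{
    /* Constructed inputs: a NaN (as a malformed rational 0/0 would give),
     * an ordinary value, and an out-of-range value. */
    double samples[] = { NAN, 1.5, -0.5, -1.0, 1e300 };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        unsigned long v;
        if (checked_double_to_ulong(samples[i], &v))
            printf("%g -> %lu\n", samples[i], v);
        else
            printf("%g -> rejected\n", samples[i]);
    }
    return 0;
}
```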
 [2019-12-30 16:24 UTC] nikic@php.net
Automatic comment on behalf of nikita.ppv@gmail.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=d1537e506edb48790c72a93e1d8505ef2c3e4dd3
Log: Fixed bug #79046
 [2019-12-30 16:24 UTC] nikic@php.net
-Status: Verified +Status: Closed
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Mon Oct 14 08:01:27 2024 UTC