
PHP 5.5.34 out of bounds heap read access in exif header processing


Description:
------------
A malformed input to the function exif_read_data() can cause an out of bounds heap memory read access. This was found with american fuzzy lop.

To test, run the test script on the attached file with PHP compiled with address sanitizer (-fsanitize=address in CFLAGS) and USE_ZEND_ALLOC=0.

==29327==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000aadf at pc 0x000000e9c33d bp 0x7fff5e16fc70 sp 0x7fff5e16fc68
READ of size 1 at 0x60200000aadf thread T0
    #0 0xe9c33c in php_ifd_get32s /f/php/php-7.0.5/ext/exif/exif.c:1102:12
    #1 0xe9c33c in php_ifd_get32u /f/php/php-7.0.5/ext/exif/exif.c:1114
    #2 0xe9c33c in exif_process_TIFF_in_JPEG /f/php/php-7.0.5/ext/exif/exif.c:3191
    #3 0xe9c33c in exif_process_APP1 /f/php/php-7.0.5/ext/exif/exif.c:3228
    #4 0xe9c33c in exif_scan_JPEG_header /f/php/php-7.0.5/ext/exif/exif.c:3373
    #5 0xe9c33c in exif_scan_FILE_header /f/php/php-7.0.5/ext/exif/exif.c:3755
    #6 0xe9c33c in exif_read_file /f/php/php-7.0.5/ext/exif/exif.c:3897
    #7 0xe91d1d in zif_exif_read_data /f/php/php-7.0.5/ext/exif/exif.c:3950:8
    #8 0x1a2b071 in ZEND_DO_ICALL_SPEC_HANDLER /f/php/php-7.0.5/Zend/zend_vm_execute.h:586:2
    #9 0x18a5205 in execute_ex /f/php/php-7.0.5/Zend/zend_vm_execute.h:417:7
    #10 0x18a614b in zend_execute /f/php/php-7.0.5/Zend/zend_vm_execute.h:458:2
    #11 0x170c15d in zend_execute_scripts /f/php/php-7.0.5/Zend/zend.c:1427:4
    #12 0x14d438b in php_execute_script /f/php/php-7.0.5/main/main.c:2487:14
    #13 0x1ae9ed3 in do_cli /f/php/php-7.0.5/sapi/cli/php_cli.c:974:5
    #14 0x1ae6e64 in main /f/php/php-7.0.5/sapi/cli/php_cli.c:1344:18
    #15 0x7f7fecf1578f in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.23-r2/work/glibc-2.23/csu/../csu/libc-start.c:289
    #16 0x462198 in _start (/mnt/ram/php/php+0x462198)

0x60200000aadf is located 0 bytes to the right of 15-byte region [0x60200000aad0,0x60200000aadf)
allocated by thread T0 here:
    #0 0x50a008 in malloc (/mnt/ram/php/php+0x50a008)
    #1 0x1614bc2 in _emalloc /f/php/php-7.0.5/Zend/zend_alloc.c:2446:11
    #2 0xe91d1d in zif_exif_read_data /f/php/php-7.0.5/ext/exif/exif.c:3950:8
    #3 0x1a2b071 in ZEND_DO_ICALL_SPEC_HANDLER /f/php/php-7.0.5/Zend/zend_vm_execute.h:586:2

Test script:
---------------
<?php
/* Needs specific malformed JPG file */
print_r(exif_read_data($argv[1]));
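The trace shows a one-byte read exactly at the end of a 15-byte heap buffer while php_ifd_get32u decoded the TIFF header inside a JPEG APP1 segment. As an added example (not PHP's exif.c and not the reporter's test script), this is the shape of parser that stops that class of over-read: every multi-byte read checks the bytes remaining before touching the buffer, and the first-IFD offset is validated against the segment length. The cursor type and function names are hypothetical; the inputs in the test are constructed.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Added example, not PHP's exif.c: a bounds-checked parse of the TIFF
 * header that follows "Exif\0\0" in a JPEG APP1 segment, the structure
 * the report's php_ifd_get32u read past. All names are hypothetical. */
typedef struct { const unsigned char *buf; size_t len; size_t pos; } exif_cursor;

/* Each read states how many bytes it needs and refuses if they are not
 * there; without this check a short buffer is read past its end. */
static int need(const exif_cursor *c, size_t n) { return c->len - c->pos >= n; }

static int get16u_checked(exif_cursor *c, int motorola, uint16_t *out) {
    if (!need(c, 2)) return 0;
    const unsigned char *p = c->buf + c->pos;
    *out = motorola ? (uint16_t)((p[0] << 8) | p[1]) : (uint16_t)((p[1] << 8) | p[0]);
    c->pos += 2;
    return 1;
}

static int get32u_checked(exif_cursor *c, int motorola, uint32_t *out) {
    if (!need(c, 4)) return 0;
    const unsigned char *p = c->buf + c->pos;
    *out = motorola
        ? ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3]
        : ((uint32_t)p[3] << 24) | ((uint32_t)p[2] << 16) | ((uint32_t)p[1] << 8) | p[0];
    c->pos += 4;
    return 1;
}

/* Returns 0 and sets *ifd_off (relative to the TIFF header start) on success,
 * -1 if the payload is malformed or shorter than the fields it promises. */
int parse_exif_tiff_header(const unsigned char *buf, size_t len, uint32_t *ifd_off) {
    exif_cursor c = { buf, len, 8 };
    uint16_t magic;
    int motorola;
    if (len < 8 || memcmp(buf, "Exif\0\0", 6) != 0) return -1;
    if (buf[6] == 'I' && buf[7] == 'I') motorola = 0;        /* little-endian */
    else if (buf[6] == 'M' && buf[7] == 'M') motorola = 1;   /* big-endian */
    else return -1;
    if (!get16u_checked(&c, motorola, &magic) || magic != 42) return -1;
    if (!get32u_checked(&c, motorola, ifd_off)) return -1;
    /* The first IFD must sit inside the TIFF data with room for its 2-byte
     * entry count; otherwise the entry reads would run off the buffer. */
    if (*ifd_off < 8 || *ifd_off > len - 6 - 2) return -1;
    return 0;
}
```

A 15-byte payload like the one the allocation in the trace describes is rejected here before any read goes past the end, instead of being decoded one byte too far.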
