From: phpbug dot exif at sub dot noloop dot net
Operating system: Linux
PHP version: 5.2CVS-2009-05-24 (snap)
PHP Bug Type: EXIF related
Bug description: exif_read_data() segfaults on certain corrupted .jpeg files
Description:
------------
There seems to be a problem in exif_read_data(), where some fields representing offsets(?) are taken directly from the file without being validated, resulting in a segmentation fault.

I originally found this issue by fooling around with the "zzuf" fuzzer, and reported a very similar bug in the "jhead" exif utility at http://bugs.debian.org/530401

Original image can be found at: http://www.noloop.net/bugs/php/001-exif/hello.jpeg
Corrupted image can be found at: http://www.noloop.net/bugs/php/001-exif/hello-s148.jpeg

Reproduce code:
---------------
<?php
// The image path comes from the command line: php s.php file.jpeg
// exif_read_data() takes $sections as a comma-separated string, not an array
var_dump(exif_read_data($_SERVER['argv'][1], "FILE,COMPUTED,ANY_TAG"));

Expected result:
----------------
Dump of exif data if possible, or FALSE (since the jpeg file is indeed corrupt)

Actual result:
--------------
Segmentation fault. Quick GDB dump:

(gdb) run
Starting program: /home/frode/temp/z/z3/php5.2-200905241830/sapi/cli/php /home/frode/temp/z/s.php /home/frode/temp/z/a-s6.jpeg

Program received signal SIGSEGV, Segmentation fault.
0x0808bcd3 in exif_process_IFD_in_JPEG (ImageInfo=0xbfc893b8, dir_start=0x92f76c0 <Address 0x92f76c0 out of bounds>, offset_base=0x8ef76b8 "II*", IFDlength=15055, displacement=30, section_index=3) at /home/frode/temp/z/z3/php5.2-200905241830/ext/exif/exif.c:1088
1088 return (((uchar *)value)[1] << 8) | ((uchar *)value)[0];
(gdb) up
#1 0x0808e6ca in exif_read_file (ImageInfo=0xbfc893b8, FileName=<value optimized out>, read_thumbnail=<value optimized out>, read_all=0) at /home/frode/temp/z/z3/php5.2-200905241830/ext/exif/exif.c:3221
3221 exif_process_IFD_in_JPEG(ImageInfo, CharBuf+offset_of_ifd, CharBuf, length/*-14*/, displacement, SECTION_IFD0 TSRMLS_CC);

Note the "dir_start" address being out of bounds, which causes the "((uchar *)value)[1]" to segfault. (The function names are a bit confusing, maybe it's because of method inlining?)
-- Edit bug report at http://bugs.php.net/?id=48378&edit=1 --
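A bounds-checked IFD0 lookup of the kind this report calls for, written as an added illustration in C (it is not exif.c nor the PHP fix): it parses the TIFF header of an Exif payload, validates the file-supplied IFD offset against the buffer length before using it, and rejects an entry table that would overrun the buffer. The sample buffers are constructed for the example, not taken from the reporter's files.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Read a 16-bit value at 'off' in TIFF byte order, refusing to read past
 * 'len': the bounds check the crashing line at exif.c:1088 did not have. */
static int safe_get16(const uint8_t *buf, size_t len, size_t off,
                      int motorola, uint16_t *out)
{
    if (off > len || len - off < 2)      /* overflow-safe: never forms off + 2 */
        return 0;
    *out = motorola ? (uint16_t)((buf[off] << 8) | buf[off + 1])
                    : (uint16_t)((buf[off + 1] << 8) | buf[off]);
    return 1;
}

static int safe_get32(const uint8_t *buf, size_t len, size_t off,
                      int motorola, uint32_t *out)
{
    uint16_t a, b;
    if (!safe_get16(buf, len, off, motorola, &a) ||
        !safe_get16(buf, len, off + 2, motorola, &b))
        return 0;
    *out = motorola ? ((uint32_t)a << 16) | b : ((uint32_t)b << 16) | a;
    return 1;
}

/* Validate the TIFF header of an Exif payload and locate IFD0. Returns the
 * IFD0 entry count, or -1 when the header, the file-supplied IFD offset or
 * the 12-byte-per-entry table does not lie entirely inside the buffer. */
int exif_ifd0_entry_count(const uint8_t *buf, size_t len)
{
    int motorola; uint16_t magic, count; uint32_t ifd_off;
    if (len < 8) return -1;
    if (memcmp(buf, "II", 2) == 0) motorola = 0;        /* Intel, little-endian */
    else if (memcmp(buf, "MM", 2) == 0) motorola = 1;   /* Motorola, big-endian */
    else return -1;
    if (!safe_get16(buf, len, 2, motorola, &magic) || magic != 42) return -1;
    if (!safe_get32(buf, len, 4, motorola, &ifd_off)) return -1;
    /* ifd_off is untrusted input: bound it before it ever becomes a pointer. */
    if (ifd_off < 8 || !safe_get16(buf, len, ifd_off, motorola, &count)) return -1;
    if ((size_t)count * 12 > len - ifd_off - 2) return -1;
    return count;
}

/* Constructed samples: a minimal valid IFD0 with one ASCII entry, one whose IFD
 * offset points far past the buffer (the shape of the crash above), and one
 * whose entry count overruns the buffer. */
static const uint8_t good[] = { 'I','I',42,0, 8,0,0,0, 1,0, 0x0f,0x01, 2,0, 4,0,0,0, 'a','b','c',0, 0,0,0,0 };
static const uint8_t bad[]       = { 'I','I',42,0, 0xff,0xff,0,0, 0,0 };
static const uint8_t short_ifd[] = { 'I','I',42,0, 8,0,0,0, 5,0 };
```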