ID:               48378
Updated by:       il...@php.net
Reported By:      phpbug dot exif at sub dot noloop dot net
-Status:          Open
+Status:          Feedback
Bug Type:         EXIF related
Operating System: Linux
PHP Version:      5.2CVS-2009-05-24 (snap)
New Comment:
I am getting the following error messages, but no crash:

Warning: exif_read_data(hello-s148.jpeg): Illegal IFD size: x40000B + 2 + x0000*12 = x40000B > x007E in exif.php on line 2
Warning: exif_read_data(hello-s148.jpeg): Error reading from file: got=x08B4(=2228) != itemlen-2=x1FFE(=8190) in exif.php on line 2
Warning: exif_read_data(hello-s148.jpeg): Invalid JPEG file in exif.php on line 2


Previous Comments:
------------------------------------------------------------------------

[2009-05-24 20:58:14] phpbug dot exif at sub dot noloop dot net

Description:
------------
There seems to be a problem in exif_read_data(), where some fields representing offsets(?) are taken directly from the file without being validated, resulting in a segmentation fault.

I originally found this issue by fooling around with the "zzuf" fuzzer, and reported a very similar bug in the "jhead" exif utility at http://bugs.debian.org/530401

Original image can be found at: http://www.noloop.net/bugs/php/001-exif/hello.jpeg
Corrupted image can be found at: http://www.noloop.net/bugs/php/001-exif/hello-s148.jpeg

Reproduce code:
---------------
<?php
// The (corrupted) JPEG path is taken from the first CLI argument.
// The second argument of exif_read_data() is a comma-separated list of
// section names (a string, not an array).
var_dump(exif_read_data($_SERVER['argv'][1], "FILE,COMPUTED,ANY_TAG"));

Expected result:
----------------
Dump of exif data if possible, or FALSE (since the jpeg file is indeed corrupt)

Actual result:
--------------
Segmentation fault.

Quick GDB dump:

(gdb) run
Starting program: /home/frode/temp/z/z3/php5.2-200905241830/sapi/cli/php /home/frode/temp/z/s.php /home/frode/temp/z/a-s6.jpeg

Program received signal SIGSEGV, Segmentation fault.
0x0808bcd3 in exif_process_IFD_in_JPEG (ImageInfo=0xbfc893b8, dir_start=0x92f76c0 <Address 0x92f76c0 out of bounds>, offset_base=0x8ef76b8 "II*", IFDlength=15055, displacement=30, section_index=3) at /home/frode/temp/z/z3/php5.2-200905241830/ext/exif/exif.c:1088
1088      return (((uchar *)value)[1] << 8) | ((uchar *)value)[0];
(gdb) up
#1  0x0808e6ca in exif_read_file (ImageInfo=0xbfc893b8, FileName=<value optimized out>, read_thumbnail=<value optimized out>, read_all=0) at /home/frode/temp/z/z3/php5.2-200905241830/ext/exif/exif.c:3221
3221      exif_process_IFD_in_JPEG(ImageInfo, CharBuf+offset_of_ifd, CharBuf, length/*-14*/, displacement, SECTION_IFD0 TSRMLS_CC);

Note the "dir_start" address being out of bounds, which causes the "((uchar *)value)[1]" to segfault. (The function names are a bit confusing, maybe it's because of method inlining?)

------------------------------------------------------------------------


-- 
Edit this bug report at http://bugs.php.net/?id=48378&edit=1
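The validation the report says is missing, as an added C example that is not part of the bug report or of ext/exif: an IFD offset and entry count read from the file are checked against the TIFF block length before anything is dereferenced through them, using the same inequality the "Illegal IFD size" warning prints (offset + 2 + entries*12 <= length). Function names and the sample byte arrays are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
/* 16/32-bit reads honouring the TIFF byte-order mark ("II" little endian,
   "MM" big endian). Callers must bounds-check before calling. */
static uint16_t rd16(const unsigned char *p, int mm)
{
    return mm ? (uint16_t)((p[0] << 8) | p[1]) : (uint16_t)((p[1] << 8) | p[0]);
}
static uint32_t rd32(const unsigned char *p, int mm)
{
    return mm ? ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3]
              : ((uint32_t)p[3] << 24) | ((uint32_t)p[2] << 16) | ((uint32_t)p[1] << 8) | p[0];
}

/* Validate the IFD at dir_offset inside a TIFF block of tiff_len bytes using
   the inequality the "Illegal IFD size" warning prints: offset + 2 + n*12 must
   not exceed tiff_len. The offset is checked BEFORE the 2-byte entry count is
   read through it, so a file-supplied offset such as 0x40000B is rejected
   instead of dereferenced. Returns the entry count, or -1 if out of bounds. */
int ifd_entry_count(const unsigned char *tiff, size_t tiff_len,
                    size_t dir_offset, int mm)
{
    if (dir_offset > tiff_len || tiff_len - dir_offset < 2)
        return -1;
    size_t n = rd16(tiff + dir_offset, mm);  /* n <= 65535, so n*12 cannot overflow */
    if (tiff_len - dir_offset - 2 < n * 12)
        return -1;
    return (int)n;
}

/* Parse the 8-byte TIFF header and validate IFD0 the same way. */
int tiff_ifd0_entry_count(const unsigned char *tiff, size_t tiff_len)
{
    int mm;
    if (tiff_len < 8) return -1;
    if (!memcmp(tiff, "II", 2)) mm = 0;
    else if (!memcmp(tiff, "MM", 2)) mm = 1;
    else return -1;
    if (rd16(tiff + 2, mm) != 42) return -1;   /* TIFF magic */
    return ifd_entry_count(tiff, tiff_len, rd32(tiff + 4, mm), mm);
}
/* Constructed samples: a minimal little-endian block with one IFD0 entry, and
   the same header with the IFD0 offset replaced by 0x40000B as in the report. */
const unsigned char tiff_ok[] = {
    'I','I',0x2A,0x00, 0x08,0x00,0x00,0x00,                       /* LE, 42, IFD0 @ 8 */
    0x01,0x00, 0x0F,0x01, 0x02,0x00, 0x04,0x00,0x00,0x00, 'P','H','P',0x00, /* 1 entry */
    0x00,0x00,0x00,0x00 };                                        /* no next IFD */
const unsigned char tiff_bad[] = { 'I','I',0x2A,0x00, 0x0B,0x00,0x40,0x00, 0x01,0x00 };
```

Passing tiff_ok with a length shorter than the IFD it points to (for example 12) is rejected the same way as the bad offset, which is the truncated-file case the "Error reading from file" warning corresponds to.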