Edit report at https://bugs.php.net/bug.php?id=62523&edit=1
ID: 62523
User updated by: bigbug at mafia dot lv
Reported by: bigbug at mafia dot lv
Summary: php crashes with segfault when exif_read_data called
Status: Assigned
Type: Bug
Package: Reproducible crash
Operating System: linux
PHP Version: 5.3Git-2012-07-10 (snap)
Assigned To: rasmus
Block user comment: N
Private report: N

New Comment:

Thanks! The patch really works!


Previous Comments:
------------------------------------------------------------------------
[2013-05-21 14:20:58] dominic dot benson at thirdlight dot com

I encountered a similar issue reading EXIF from a TIFF. The patch below fixes both my original TIFF issue and the issue with the file "1.orig.jpg" linked in the original report for me.

Environment:
Linux amd64/i686 (Debian 5/6/7, Ubuntu 13.04)
PHP version: 5.3.25
SAPI: CLI/FastCGI

Required for the JPEG fix is a change from int type for offset_diff in exif_process_IFD_in_MAKERNOTE. I've changed it to size_t, which is semantically correct for Linux, but I think this isn't portable to Win.

Essentially, the issue is that values read from the file are treated as offsets, and used to manipulate the offset_base.

Patch (against 5.3.25) follows:

diff -rupN php-5.3.25.orig/ext/exif/exif.c php-5.3.25/ext/exif/exif.c --- php-5.3.25.orig/ext/exif/exif.c 2013-05-08 16:58:52.000000000 +0100 +++ php-5.3.25/ext/exif/exif.c 2013-05-21 14:59:59.579438565 +0100 @@ -2745,7 +2745,8 @@ static int exif_process_unicode(image_in static int exif_process_IFD_in_MAKERNOTE(image_info_type *ImageInfo, char * value_ptr, int value_len, char *offset_base, size_t IFDlength, size_t displacement TSRMLS_DC) { int de, i=0, section_index = SECTION_MAKERNOTE; - int NumDirEntries, old_motorola_intel, offset_diff; + int NumDirEntries, old_motorola_intel; + size_t offset_diff; const maker_note_type *maker_note; char *dir_start;
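Review bot: this hunk changes only the declaration of offset_diff from int to size_t, so every comparison and subtraction that uses it silently changes sign semantics, yet none of those uses are in the diff; please include them so the effect (for example any `offset_diff < 0` test becoming always false) can be reviewed. Since offset_diff is, per the comment above, a quantity used to adjust the offset_base pointer, ptrdiff_t rather than size_t is the type that stays correct for a pointer difference on both Linux and Windows, which also removes the portability concern the author raises about size_t.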
@@ -2921,6 +2922,12 @@ static int exif_process_IFD_TAG(image_in } } } else { + if (value_ptr<offset_base) { +#ifdef EXIF_DEBUG + exif_error_docref(NULL EXIFERR_CC, ImageInfo, E_NOTICE, "EXIF invalid: offset_base (x%016llX) exceed value_ptr (x%016llX)", offset_base, value_ptr); +#endif + return FALSE; + } /* 4 bytes or less and value is in the dir entry itself */ value_ptr = dir_entry+8; offset_val= value_ptr-offset_base; 
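Review bot: the new `if (value_ptr<offset_base)` test runs before the very next statement, `value_ptr = dir_entry+8;`, overwrites value_ptr, so the pointer that is actually fed into `offset_val= value_ptr-offset_base` is never the one checked; either move the guard after the assignment or test `dir_entry+8` directly. Separately, the EXIF_DEBUG message passes two pointers to `%016llX`, which is undefined where a pointer is not a long long; print them with `%p`.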
@@ -3724,6 +3731,12 @@ static int exif_process_IFD_in_TIFF(imag exif_error_docref(NULL EXIFERR_CC, ImageInfo, E_NOTICE, "Next IFD: %s done", exif_get_sectionname(sub_section_index)); #endif } else { + if(dir_offset > ImageInfo->file.list[sn].data) { +#ifdef EXIF_DEBUG + exif_error_docref(NULL EXIFERR_CC, ImageInfo, E_NOTICE, "Skip processing: dir_offset (x%016llX) exceeds data pointer (x%016llX)", ImageInfo->file.list[sn].data, dir_offset); +#endif + return FALSE; + } if (!exif_process_IFD_TAG(ImageInfo, (char*)dir_entry, (char*)(ImageInfo->file.list[sn].data-dir_offset), ifd_size, 0, section_index, 0, tag_table TSRMLS_CC)) {
------------------------------------------------------------------------
[2012-12-12 12:33:03] dessander at gmail dot com

Same situation with file: http://dl.dropbox.com/u/7562584/Bugs/Php/bad_exif.jpeg
------------------------------------------------------------------------
[2012-10-30 13:26:09] alex at bartl dot net

Seeing the same issue on php-5.4.7-10.fc17.x86_64 (Fedora 17).
------------------------------------------------------------------------
[2012-09-14 17:25:50] info at getid3 dot org

I am also seeing the same problem on Windows (7-64-pro) running php-5.4.7-nts-Win32-VC9-x86 (and previously the same thing on v5.4.4). I have only encountered one of my own files that causes the crash: http://getid3.org/temp/62523.jpg
------------------------------------------------------------------------
[2012-07-11 03:35:59] larue...@php.net

Rasmus, could you please look at this one? I don't have enough knowledge of the exif things :)
------------------------------------------------------------------------
The remainder of the comments for this report are too long. To view the rest of the comments, please view the bug report online at https://bugs.php.net/bug.php?id=62523
--
Edit this bug report at https://bugs.php.net/bug.php?id=62523&edit=1
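Review bot: `if(dir_offset > ImageInfo->file.list[sn].data)` compares an integer offset with a pointer, which is not valid C without a cast and does not express the condition that matters: before `ImageInfo->file.list[sn].data-dir_offset` is used as an offset_base, dir_offset must be bounded by a length (how far `data` sits from the start of the allocation it belongs to, which this hunk does not show), not by the numeric value of the address. Also, the EXIF_DEBUG message names dir_offset first but passes `ImageInfo->file.list[sn].data` first, so the two printed values are swapped, and a pointer is printed with `%016llX` instead of `%p`.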
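The root cause described in the 2013-05-21 comment, an offset read from the file being turned into a pointer before anyone checks it against the buffer it is supposed to index, is the general pattern behind this class of EXIF crash. The following is an added example written for this page, not code from PHP's ext/exif: a minimal walker over IFD0 of a TIFF-structured EXIF payload that validates every file-supplied count and offset against the buffer length before dereferencing, and returns an error instead of computing an out-of-range pointer. The function names, the IFD0-only scope and the sample bytes are all constructed for the illustration; the same bounds check applies unchanged to the MakerNote sub-IFD the patch touches.

```c
/* Added example: bounds-checked walk of TIFF IFD0 inside an EXIF payload.
 * Not PHP's ext/exif code; names and sample data are constructed here. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TAG_MODEL  0x0110   /* TIFF "Model" tag */
#define TYPE_ASCII 2

/* Byte width of TIFF field types 1..12 (index 0 unused). */
static const size_t type_size[13] = { 0, 1, 1, 2, 4, 8, 1, 1, 2, 4, 8, 4, 8 };

static uint16_t rd16(const uint8_t *p, int le)
{
    return le ? (uint16_t)(p[0] | (p[1] << 8)) : (uint16_t)(p[1] | (p[0] << 8));
}

static uint32_t rd32(const uint8_t *p, int le)
{
    return le ? ((uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24)
              : ((uint32_t)p[3] | (uint32_t)p[2] << 8 | (uint32_t)p[1] << 16 | (uint32_t)p[0] << 24);
}

/* True iff [off, off+n) lies inside a buffer of size len. Written as a
 * subtraction so the check itself cannot wrap, which a "base + off" test can. */
static int in_bounds(size_t len, size_t off, size_t n)
{
    return off <= len && n <= len - off;
}

/* Returns 1 and copies the Model string if IFD0 carries one, 0 if the tag is
 * absent, -1 if any length or offset taken from the file points outside buf. */
int exif_ifd0_model(const uint8_t *buf, size_t len, char *model, size_t model_cap)
{
    int le;
    if (len < 8 || model_cap == 0) return -1;
    if (buf[0] == 'I' && buf[1] == 'I') le = 1;         /* little-endian TIFF */
    else if (buf[0] == 'M' && buf[1] == 'M') le = 0;    /* big-endian TIFF */
    else return -1;
    if (rd16(buf + 2, le) != 42) return -1;

    size_t ifd = rd32(buf + 4, le);                     /* untrusted: IFD0 offset */
    if (!in_bounds(len, ifd, 2)) return -1;
    size_t n = rd16(buf + ifd, le);                     /* untrusted: entry count */
    /* n 12-byte entries followed by a 4-byte next-IFD pointer */
    if (!in_bounds(len, ifd + 2, n * 12 + 4)) return -1;

    const uint8_t *e = buf + ifd + 2;
    for (size_t i = 0; i < n; i++, e += 12) {
        uint16_t tag = rd16(e, le), type = rd16(e + 2, le);
        uint32_t count = rd32(e + 4, le);
        if (type == 0 || type > 12) return -1;
        if (count > SIZE_MAX / type_size[type]) return -1;   /* count*size overflow */
        size_t vlen = (size_t)count * type_size[type];
        const uint8_t *value;
        if (vlen <= 4) {
            value = e + 8;                  /* value stored inline in the entry */
        } else {
            size_t off = rd32(e + 8, le);   /* untrusted: must be checked before use */
            if (!in_bounds(len, off, vlen)) return -1;
            value = buf + off;              /* only now is base + offset safe */
        }
        if (tag == TAG_MODEL && type == TYPE_ASCII) {
            const uint8_t *nul = memchr(value, 0, vlen);
            if (!nul) return -1;            /* ASCII values must be NUL-terminated */
            size_t slen = (size_t)(nul - value);
            if (slen >= model_cap) slen = model_cap - 1;
            memcpy(model, value, slen);
            model[slen] = '\0';
            return 1;
        }
    }
    return 0;
}

/* Constructed 44-byte little-endian sample: IFD0 with ImageWidth (inline) and
 * Model ("Cam-1", 6 bytes, stored out of line). The Model value offset is
 * patched to model_off so a crafted, out-of-range offset can be produced. */
size_t build_sample(uint8_t out[44], uint32_t model_off)
{
    static const uint8_t tmpl[44] = {
        'I','I', 0x2A,0x00, 0x08,0x00,0x00,0x00,                          /* header, IFD0 at 8 */
        0x02,0x00,                                                        /* two entries */
        0x00,0x01, 0x03,0x00, 0x01,0x00,0x00,0x00, 0x80,0x02,0x00,0x00,   /* ImageWidth=640 inline */
        0x10,0x01, 0x02,0x00, 0x06,0x00,0x00,0x00, 0x26,0x00,0x00,0x00,   /* Model, 6 bytes @ 0x26 */
        0x00,0x00,0x00,0x00,                                              /* no next IFD */
        'C','a','m','-','1',0x00                                          /* string at offset 38 */
    };
    memcpy(out, tmpl, sizeof tmpl);
    out[30] = (uint8_t)model_off;           out[31] = (uint8_t)(model_off >> 8);
    out[32] = (uint8_t)(model_off >> 16);   out[33] = (uint8_t)(model_off >> 24);
    return sizeof tmpl;
}

int main(void)
{
    uint8_t buf[44]; char model[32];
    size_t len = build_sample(buf, 0x26);
    printf("well-formed: rc=%d model=%s\n", exif_ifd0_model(buf, len, model, sizeof model), model);
    len = build_sample(buf, 0xFFFFFF00u);   /* offset far past the buffer */
    printf("crafted:     rc=%d\n", exif_ifd0_model(buf, len, model, sizeof model));
    return 0;
}
```

The two things the reported crash files exercise are both rejected here without ever forming a bad pointer: an offset larger than the buffer fails `in_bounds` before `buf + off` is computed, and a count that would push the value past the end of the buffer fails the same check even when the offset itself is small.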