PHP :: Bug #67250 :: iptcparse out-of-bounds read
[2014-05-12 01:51 UTC] stas@php.net
Description:
------------
The code in iptcparse has insufficient bounds checking and can read past the end of the string.
Test script:
---------------
iptcparse("\x1C\x02_\x80___");
Expected result:
----------------
no memory errors
Actual result:
--------------
==18573== Conditional jump or move depends on uninitialised value(s)
==18573== at 0x787A2F: zif_iptcparse (iptc.c:340)
==18573== by 0x8FA5E2: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:550)
==18573== by 0x8EBE7F: execute_ex (zend_vm_execute.h:363)
==18573== by 0x86A089: zend_eval_stringl (zend_execute_API.c:1187)
==18573== by 0x86A168: zend_eval_stringl_ex (zend_execute_API.c:1234)
==18573== by 0x928472: do_cli (php_cli.c:1034)
==18573== by 0x928EB7: main (php_cli.c:1378)
==18573==
==18573== Conditional jump or move depends on uninitialised value(s)
==18573== at 0x787A33: zif_iptcparse (iptc.c:340)
==18573== by 0x8FA5E2: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:550)
==18573== by 0x8EBE7F: execute_ex (zend_vm_execute.h:363)
==18573== by 0x86A089: zend_eval_stringl (zend_execute_API.c:1187)
==18573== by 0x86A168: zend_eval_stringl_ex (zend_execute_API.c:1234)
==18573== by 0x928472: do_cli (php_cli.c:1034)
==18573== by 0x928EB7: main (php_cli.c:1378)
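The kind of bounds checking the description says is missing, as an added example in C (not PHP's own iptc.c code and not the change that closed this bug). The names iptc_rec, iptc_next and iptc_count are hypothetical, and the record layout is an assumption: a 0x1C marker, two identifier bytes, then a 2-byte big-endian length, or, when the first length byte has its high bit set, a 6-byte length field whose last 4 bytes hold the length.

```c
#include <stddef.h>
#include <stdint.h>

struct iptc_rec { uint8_t record, dataset; const unsigned char *data; size_t len; };

/* Returns 1 and advances *pos when a complete record lies inside buf[0..n);
 * returns 0 on end of input or a truncated/malformed record. */
int iptc_next(const unsigned char *buf, size_t n, size_t *pos, struct iptc_rec *out)
{
    size_t i = *pos;
    uint32_t len;

    /* Need marker + 2 id bytes + 2 length bytes before touching any of them. */
    if (i >= n || n - i < 5 || buf[i] != 0x1C)
        return 0;
    out->record  = buf[i + 1];
    out->dataset = buf[i + 2];
    i += 3;
    if (buf[i] & 0x80) {            /* long form (assumed): 6-byte length field */
        if (n - i < 6)
            return 0;               /* length field itself is truncated */
        len = ((uint32_t)buf[i + 2] << 24) | ((uint32_t)buf[i + 3] << 16) |
              ((uint32_t)buf[i + 4] << 8)  |  (uint32_t)buf[i + 5];
        i += 6;
    } else {                        /* short form: 2-byte big-endian length */
        len = ((uint32_t)buf[i] << 8) | buf[i + 1];
        i += 2;
    }
    if (len > n - i)                /* compare with bytes left, so i + len cannot wrap */
        return 0;
    out->data = buf + i;
    out->len  = len;
    *pos = i + len;
    return 1;
}

/* Counts the well-formed records at the start of buf. */
size_t iptc_count(const unsigned char *buf, size_t n)
{
    struct iptc_rec r;
    size_t pos = 0, count = 0;
    while (iptc_next(buf, n, &pos, &r))
        count++;
    return count;
}
```

Given the 7 bytes from the test script above, iptc_count stops at the truncated long-form length field and returns 0 without reading past the buffer.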
[2014-05-14 00:16 UTC] stas@php.net
-Status: Open
+Status: Closed
-Assigned To:
+Assigned To: stas
[2014-05-14 00:16 UTC] stas@php.net
[2014-05-14 00:18 UTC] stas@php.net
-Type: Security
+Type: Bug