Skip to content
Permalink
Browse files

exif_process_APP12: Fix length calculation for second tag to prevent …

…information leak

Summary:
buffer + 2+l1+1 points to the second tag. The maximum length of the buffer is length. Hence, the max length of the tag is length - (2+l1+1). Instead, the length passed is length - 2 - l1 + 1 which leads to a 2 byte overflow. If the last character of buffer is not null, this would lead to an out of bounds read of size 2.

Fixes CVE-2019-11925

Reviewed By: fredemmott

Differential Revision: D16930333

fbshipit-source-id: aad9cccaef3c678abc53bfd549aff6b582082a90
  • Loading branch information...
DhavalKapil authored and hhvm-bot committed Sep 4, 2019
1 parent f9680d2 commit f1cd34e63c2a0d9702be3d41462db7bfd0ae7da3
@@ -6964,7 +6964,7 @@ static void exif_process_APP12(image_info_type *ImageInfo,
exif_iif_add_tag(ImageInfo, SECTION_APP12, "Company",
TAG_NONE, TAG_FMT_STRING, l1, buffer+2);
if (length > 2+l1+1) {
l2 = php_strnlen(buffer+2+l1+1, length-2-l1+1);
l2 = php_strnlen(buffer+2+l1+1, length-2-l1-1);
exif_iif_add_tag(ImageInfo, SECTION_APP12, "Info",
TAG_NONE, TAG_FMT_STRING, l2, buffer+2+l1+1);
}
@@ -0,0 +1,8 @@
<?hh

<<__EntryPoint>>
function main_exifreaddata() {
$jpeg = "\xff\xd8\xec\x00\x05\x58\x00\x17";
$data_stream = "data://text/plain;base64," . base64_encode($jpeg);
var_dump(exif_read_data($data_stream));
}
@@ -0,0 +1,4 @@
Warning: File structure corrupted in %s/ext_gd/exifreaddata_APP12.php on line 7

Warning: Invalid JPEG file in %s/ext_gd/exifreaddata_APP12.php on line 7
bool(false)

0 comments on commit f1cd34e

Please sign in to comment.
You can’t perform that action at this time.