exif_process_APP12: Fix length calculation for second tag to prevent information leak

Summary:
buffer + 2+l1+1 points to the second tag. The maximum length of the buffer is length. Hence, the max length of the tag is length - (2+l1+1). Instead, the length passed is length - 2 - l1 + 1 which leads to a 2 byte overflow. If the last character of buffer is not null, this would lead to an out of bounds read of size 2.

Fixes CVE-2019-11925

Reviewed By: fredemmott

Differential Revision: D16930333

fbshipit-source-id: aad9cccaef3c678abc53bfd549aff6b582082a90
DhavalKapil authored and hhvm-bot committed Sep 4, 2019
1 parent f9680d2 commit f1cd34e
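The bound arithmetic from the commit message, as an added example that is not HHVM's code: a stand-alone C model of the two-tag APP12 parse with the pre-patch and patched php_strnlen bounds side by side, run on the segment bytes used by the new test plus three constructed bytes standing in for whatever memory happens to follow the segment. The names parse_app12, bounded_strnlen, app12_second_tag_bound and app12_overread_bytes are mine, as is the layout assumption (buffer starts with the 2-byte segment length field, which is what buffer+2 for the first tag implies).

```c
#include <stddef.h>
#include <stdio.h>

/* Model of the two-tag parse in exif_process_APP12 (added example, not HHVM code).
 * Layout assumption taken from the commit message: buffer starts with the 2-byte
 * segment length, the first NUL-terminated tag ("Company") begins at buffer+2 and
 * the second ("Info") at buffer+2+l1+1; length is the byte count of the segment. */

struct app12_tags {
    size_t l1;          /* length of the first tag */
    size_t l2;          /* length of the second tag (0 if absent) */
    int has_second;     /* 1 if the guard admitted a second tag */
};

/* Same contract as php_strnlen: count bytes before a NUL, scanning at most maxlen. */
size_t bounded_strnlen(const unsigned char *s, size_t maxlen) {
    size_t n = 0;
    while (n < maxlen && s[n] != 0)
        n++;
    return n;
}

/* Bound handed to strnlen for the second tag. fixed=0 reproduces the pre-patch
 * expression length-2-l1+1, fixed=1 the patched expression length-2-l1-1. */
size_t app12_second_tag_bound(size_t length, size_t l1, int fixed) {
    return fixed ? length - 2 - l1 - 1 : length - 2 - l1 + 1;
}

/* Bytes past the end of the segment that the pre-patch bound lets strnlen touch
 * once the guard length > 2+l1+1 holds: (length-2-l1+1) - (length-2-l1-1). */
size_t app12_overread_bytes(size_t length, size_t l1) {
    size_t remaining = length - (2 + l1 + 1);
    size_t bound = app12_second_tag_bound(length, l1, 0);
    return bound > remaining ? bound - remaining : 0;
}

struct app12_tags parse_app12(const unsigned char *buffer, size_t length, int fixed) {
    struct app12_tags t = {0, 0, 0};
    if (length < 2)                 /* my guard; the real code receives a whole segment */
        return t;
    t.l1 = bounded_strnlen(buffer + 2, length - 2);
    if (length > 2 + t.l1 + 1) {    /* the guard in ext_gd.cpp */
        size_t bound = app12_second_tag_bound(length, t.l1, fixed);
        t.l2 = bounded_strnlen(buffer + 2 + t.l1 + 1, bound);
        t.has_second = 1;
    }
    return t;
}

/* The APP12 segment from the new test (length 0x0005, payload "X\0\x17"), followed by
 * three constructed non-NUL bytes standing in for adjacent memory the parser must not
 * read. Keeping both in one array makes the over-read observable without undefined
 * behaviour in this model. */
const unsigned char app12_test_segment[8] = {
    0x00, 0x05, 'X', 0x00, 0x17,
    'S', 'E', 'C'
};
const size_t app12_test_length = 5;

int main(void) {
    struct app12_tags old = parse_app12(app12_test_segment, app12_test_length, 0);
    struct app12_tags fix = parse_app12(app12_test_segment, app12_test_length, 1);
    printf("pre-patch : l1=%zu l2=%zu (bound %zu, %zu bytes beyond the segment)\n",
           old.l1, old.l2, app12_second_tag_bound(app12_test_length, old.l1, 0),
           app12_overread_bytes(app12_test_length, old.l1));
    printf("patched   : l1=%zu l2=%zu (bound %zu)\n",
           fix.l1, fix.l2, app12_second_tag_bound(app12_test_length, fix.l1, 1));
    return 0;
}
```

With the test segment the first tag is "X" (l1 = 1) and the guard passes, so the pre-patch bound is 3 while only 1 byte of segment remains: strnlen runs over the constructed "SE" bytes and reports l2 = 3, which is the two bytes of adjacent memory that would end up in the "Info" tag. The patched bound is 1 and l2 = 1. Once the guard holds, the old bound exceeds the remaining bytes by exactly 2 for every input, which is the over-read the commit message describes.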
Showing 3 changed files with 13 additions and 1 deletion.
2 changes: 1 addition & 1 deletion hphp/runtime/ext/gd/ext_gd.cpp
@@ -6964,7 +6964,7 @@ static void exif_process_APP12(image_info_type *ImageInfo,
exif_iif_add_tag(ImageInfo, SECTION_APP12, "Company",
TAG_NONE, TAG_FMT_STRING, l1, buffer+2);
if (length > 2+l1+1) {
l2 = php_strnlen(buffer+2+l1+1, length-2-l1+1);
l2 = php_strnlen(buffer+2+l1+1, length-2-l1-1);
exif_iif_add_tag(ImageInfo, SECTION_APP12, "Info",
TAG_NONE, TAG_FMT_STRING, l2, buffer+2+l1+1);
}
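Review bot: the patched bound in `l2 = php_strnlen(buffer+2+l1+1, length-2-l1-1);` now equals the bytes left after the second tag's start and is kept at least 1 by the guard `if (length > 2+l1+1)`, but the guard, the pointer and the bound all spell out `2+l1+1` separately, which is how the sign slip in the old `length-2-l1+1` survived. Consider computing the offset once, e.g. `size_t off = 2 + l1 + 1;` followed by `if (length > off) { l2 = php_strnlen(buffer+off, length-off); ... }`, so the remaining length is derived from the same expression as the pointer and cannot drift from it again.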
8 changes: 8 additions & 0 deletions hphp/test/slow/ext_gd/exifreaddata_APP12.php
@@ -0,0 +1,8 @@
<?hh

<<__EntryPoint>>
function main_exifreaddata() {
$jpeg = "\xff\xd8\xec\x00\x05\x58\x00\x17";
$data_stream = "data://text/plain;base64," . base64_encode($jpeg);
var_dump(exif_read_data($data_stream));
}
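Review bot: the byte string in `$jpeg = "\xff\xd8\xec\x00\x05\x58\x00\x17";` is undocumented, and a comment on why these exact bytes reach the second-tag path would help whoever next touches the test. `\xff\xd8` is the SOI marker, `\xec` the APP12 marker byte, `\x00\x05` the segment length and `\x58\x00\x17` the payload, so the first tag is "X" (l1 = 1), the guard `length > 2+l1+1` passes with length 5, and the pre-fix bound of 3 asks php_strnlen to scan two bytes past the end of the segment.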
4 changes: 4 additions & 0 deletions hphp/test/slow/ext_gd/exifreaddata_APP12.php.expectf
@@ -0,0 +1,4 @@
Warning: File structure corrupted in %s/ext_gd/exifreaddata_APP12.php on line 7

Warning: Invalid JPEG file in %s/ext_gd/exifreaddata_APP12.php on line 7
bool(false)
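Review bot: this expected output does not distinguish the fixed build from the old one, since the two-byte over-read described in the commit message changes neither the two warnings nor the `bool(false)` return; the pre-fix code fails this test only under ASan or valgrind. A one-line comment in the .php test saying so would stop the regression check from later being assumed to be self-sufficient.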
