Fix GH-20584: Information Leak of Memory

ndossche · ndossche · commit 8fe79305331f · 2025-11-28T18:38:48.000+01:00
The string added had uninitialized memory due to php_read_stream_all_chunks() not moving the buffer position, resulting in the same data always being overwritten instead of new data being added to the end of the buffer. Closes GH-20592.
diff --git a/NEWS b/NEWS
@@ -60,6 +60,7 @@ PHP                                                                        NEWS
   . Fix memory leak in array_diff() with custom type checks. (ndossche)
   . Fixed bug GH-20583 (Stack overflow in http_build_query
     via deep structures). (ndossche)
+  . Fixed bug GH-20584 (Information Leak of Memory). (ndossche)
 
 - Tidy:
   . Fixed bug GH-20374 (PHP with tidy and custom-tags). (ndossche)
diff --git a/ext/standard/image.c b/ext/standard/image.c
@@ -403,6 +403,7 @@ static size_t php_read_stream_all_chunks(php_stream *stream, char *buffer, size_
 		if (read_now < stream->chunk_size && read_total != length) {
 			return 0;
 		}
+		buffer += read_now;
 	} while (read_total < length);
 
 	return read_total;
diff --git a/ext/standard/tests/image/gh20584.phpt b/ext/standard/tests/image/gh20584.phpt
@@ -0,0 +1,39 @@
+--TEST--
+GH-20584 (Information Leak of Memory)
+--CREDITS--
+Nikita Sveshnikov (Positive Technologies)
+--FILE--
+<?php
+// Minimal PoC: corruption/uninitialized memory leak when reading APP1 via php://filter
+$file = __DIR__ . '/gh20584.jpg';
+
+// Make APP1 large enough so it is read in multiple chunks
+$chunk = 8192;
+$tail = 123;
+$payload = str_repeat('A', $chunk) . str_repeat('B', $chunk) . str_repeat('Z',
+$tail);
+$app1Len = 2 + strlen($payload);
+
+// Minimal JPEG: SOI + APP1 + SOF0(1x1) + EOI
+$sof = "\xFF\xC0" . pack('n', 11) . "\x08" . pack('n',1) . pack('n',1) .
+"\x01\x11\x00";
+$jpeg = "\xFF\xD8" . "\xFF\xE1" . pack('n', $app1Len) . $payload . $sof .
+"\xFF\xD9";
+file_put_contents($file, $jpeg);
+
+// Read through a filter to enforce multiple reads
+$src = 'php://filter/read=string.rot13|string.rot13/resource=' . $file;
+$info = null;
+@getimagesize($src, $info);
+$exp = $payload;
+$ret = $info['APP1'];
+
+var_dump($ret === $exp);
+
+?>
+--CLEAN--
+<?php
+@unlink(__DIR__ . '/gh20584.jpg');
+?>
+--EXPECT--
+bool(true)

Original file line number	Diff line number	Diff line change
`@@ -403,6 +403,7 @@ static size_t php_read_stream_all_chunks(php_stream stream, char buffer, size_`
`403`	`403`	`if (read_now < stream->chunk_size && read_total != length) {`
`404`	`404`	`return 0;`
`405`	`405`	`}`
	`406`	`+ buffer += read_now;`
`406`	`407`	`} while (read_total < length);`
`407`	`408`
`408`	`409`	`return read_total;`