Before this patch, exif_process_IFD_in_MAKERNOTE() would return false, then causing the rest of the EXIF parsing to be interrupted. This is a regression from earlier which was most likely a part of a security fix for MAKERNOTE.
The new behavior is to instead of stopping to parse, to continue so we can still fetch data like thumbnail and GPS, thrus allowing yet unsupported formats to parse. If EXIF's debugging mode is enabled, a notice will display in case we do not match against a valid MAKERNOTE signature.
This should temporarily fix bug #72682 (exif_read_data() fails to read all data for some images) until I get around to debug it further.
(cherry picked from commit aabcb5481d)
Before this patch, exif_process_IFD_in_MAKERNOTE() would return false, then causing the rest of the EXIF parsing to be interrupted. This is a regression from earlier which was most likely a part of a security fix for MAKERNOTE.
The new behavior is to instead of stopping to parse, to continue so we can still fetch data like thumbnail and GPS, thrus allowing yet unsupported formats to parse. If EXIF's debugging mode is enabled, a notice will display in case we do not match against a valid MAKERNOTE signature.
This should temporarily fix bug #72682 (exif_read_data() fails to read all data for some images) until I get around to debug it further.
There are two factors for this bug fix:
- First of all, the maximum nesting level has been increased to 150 (previously 100), I'm not sure how much an impact this will have, but increasing this value also seems to resolve PHP bug #66443 (Corrupt EXIF header: maximum directory nesting level reached for some cameras.)
- Second, this adds support for most common Panasonic EXIF tags, again this list is based off the Exiv2 website
Note about Panasonic's format:
From what I could find, then the offset was always 12 bytes for such, the signature always had the 'P' capitalized, and the rest lower cased, followed by 3 NULL bytes
@Remi, can you review this? I'm gonna look into Sony (which is huge btw!) and your patch next
It seems like there is no maker data for "Samsung", this causes the IDF tag parsing to fail, and it bails early on, despite there still is valid remaining data in image, such as the thumbnail data as reported in the bug.
I used the Exiv2 website as a reference guide for tags that's specific to Samsung's EXIF data, which should also mean that we will be able to name some of those tags more specifically now.
I have chosen again not to commit this to other branches, simply because I'm not 100% sure on the byte order and offsets for Samsung, I did some research and it seems like there are many variants, but this (very copy/pasted), entry works for this particular image and does not break any other tests. This does add a new feature I suppose, while also fixing a bug, but I will leave it to the other branch RMs to decide on how far down they will want to merge this.
This reverts commit 406dff2a02.
This seems to break more than expected and other tests seems to fail:
- bug60150.phpt
- bug62523_2.phpt
- bug72603.phpt
- bug72618.phpt
I'm gonna go do around of thinking and see if I can come up with a better fix
This fix is only committed to master for now. I'm no exif expert on this matter, so someone else might want to take a look over this and merge as wanted in case this will break something.
In exif_process_IFD_in_JPEG() we loop over the tag entries and try to process the IFD tag, this is fine and all, however in case one fail to process correctly, the entire routine is aborted, which means that other possible data, such as the thumbnail data as reported in #72735 may not be read, despite it is there, perfectly valid.
Also, big props to whoever added EXIF_DEBUG, this rocks!
The test images for #72603 and #72618 are broken, that seems to be
the cause of different test output. Seems also to be platform dependent,
so it's not reliable to depend on the exact error output.
* PHP-7.0: (27 commits)
fix#72519, possible OOB using imagegif
fix#72512, invalid read or write for palette image when invalid transparent index is used
Apparently some envs miss SIZE_MAX
Fix tests
Fix bug #72618: NULL Pointer Dereference in exif_process_user_comment
Partial fix for bug #72613 - do not allow reading past error read
Partial fix for bug #72613 - do not treat negative returns from bz2 as size_t
Fix bug #72606: heap-buffer-overflow (write) simplestring_addn simplestring.c
Fix for bug #72558, Integer overflow error within _gdContributionsAlloc()
Fix bug #72603: Out of bound read in exif_process_IFD_in_MAKERNOTE
update NEWS
Fixed bug #72570 Segmentation fault when binding parameters on a query without placeholders
Fix bug #72562 - destroy var_hash properly
Fix bug #72551 and bug #72552 - check before converting size_t->int
Fix bug #72541 - size_t overflow lead to heap corruption
Fix bug #72533 (locale_accept_from_http out-of-bounds access)
Fix fir bug #72520
Fix for bug #72513
Fix for bug #72513
CS fix and comments with bug ID
...
Conflicts:
ext/standard/basic_functions.c
* PHP-5.6:
fix#72519, possible OOB using imagegif
fix#72512, invalid read or write for palette image when invalid transparent index is used
Apparently some envs miss SIZE_MAX
Fix tests
Fix bug #72618: NULL Pointer Dereference in exif_process_user_comment
Partial fix for bug #72613 - do not treat negative returns from bz2 as size_t
Fix bug #72606: heap-buffer-overflow (write) simplestring_addn simplestring.c
Fix for bug #72558, Integer overflow error within _gdContributionsAlloc()
Fix bug #72603: Out of bound read in exif_process_IFD_in_MAKERNOTE
Fix bug #72562 - destroy var_hash properly
Fix bug #72533 (locale_accept_from_http out-of-bounds access)
Fix fir bug #72520
Fix for bug #72513
Fix for bug #72513
CS fix and comments with bug ID
Fix for HTTP_PROXY issue.
5.6.24RC1
add tests for bug #72512
Fixed bug #72512 gdImageTrueColorToPaletteBody allows arbitrary write/read access
Fixed bug #72479 - same as #72434
Conflicts:
Zend/zend_virtual_cwd.c
ext/bz2/bz2.c
ext/exif/exif.c
ext/session/session.c
ext/snmp/snmp.c
ext/standard/basic_functions.c
main/SAPI.c
main/php_variables.c
* PHP-5.5:
fix#72519, possible OOB using imagegif
fix#72512, invalid read or write for palette image when invalid transparent index is used
Apparently some envs miss SIZE_MAX
Fix tests
Fix bug #72618: NULL Pointer Dereference in exif_process_user_comment
Partial fix for bug #72613 - do not treat negative returns from bz2 as size_t
Fix bug #72606: heap-buffer-overflow (write) simplestring_addn simplestring.c
Fix for bug #72558, Integer overflow error within _gdContributionsAlloc()
Fix bug #72603: Out of bound read in exif_process_IFD_in_MAKERNOTE
Fix bug #72562 - destroy var_hash properly
Fix bug #72533 (locale_accept_from_http out-of-bounds access)
Fix fir bug #72520
Fix for bug #72513
CS fix and comments with bug ID
Fix for HTTP_PROXY issue.
add tests for bug #72512
Fixed bug #72512 gdImageTrueColorToPaletteBody allows arbitrary write/read access
Fixed bug #72479 - same as #72434
Conflicts:
ext/bz2/bz2.c
main/SAPI.c
main/php_variables.c
Since long the default PHP charset is UTF-8, however the Windows part is
out of step with this important point. The current implementation in PHP
doesn't technically permit to handle UTF-8 filepath and several other
things. Till now, only the ANSI compatible APIs are being used. Here is more
about it
dd317752%28v=vs.85%29.aspx
The patch fixes not only issues with multibyte filenames under
incompatible codepages, but indirectly also issues with some other multibyte
encodings like BIG5, Shift-JIS, etc. by providing a clean way to access
filenames in UTF-8. Below is a small list of issues from the bug tracker,
that are getting fixed:
https://bugs.php.net/63401https://bugs.php.net/41199https://bugs.php.net/50203https://bugs.php.net/71509https://bugs.php.net/64699https://bugs.php.net/64506https://bugs.php.net/30195https://bugs.php.net/65358https://bugs.php.net/61315https://bugs.php.net/70943https://bugs.php.net/70903https://bugs.php.net/63593https://bugs.php.net/54977https://bugs.php.net/54028https://bugs.php.net/43148https://bugs.php.net/30730https://bugs.php.net/33350https://bugs.php.net/35300https://bugs.php.net/46990https://bugs.php.net/61309https://bugs.php.net/69333https://bugs.php.net/45517https://bugs.php.net/70551https://bugs.php.net/50197https://bugs.php.net/72200https://bugs.php.net/37672
Yet more related tickets can for sure be found - on bugs.php.net, Stackoverflow
and Github. Some of the bugs are pretty recent, some descend to early
2000th, but the user comments in there last even till today. Just for example,
bug #30195 was opened in 2004, the latest comment in there was made in 2014. It
is certain, that these bugs descend not only to pure PHP use cases, but get also
redirected from the popular PHP based projects. Given the modern systems (and
those supported by PHP) are always based on NTFS, there is no excuse to keep
these issues unresolved.
The internalization approach on Windows is in many ways different from
UNIX and Linux, while it supports and is based on Unicode. It depends on the
current system code page, APIs used and exact kind how the binary was compiled
The locale doesn't affect the way Unicode or ANSI API work. PHP in particular
is being compiled without _UNICODE defined and this is conditioned by the
way we handle strings. Here is more about it
https://msdn.microsoft.com/en-us/library/tsbaswba.aspx
However, with any system code page ANSI functions automatically convert
paths to UTF-16. Paths in some encodings incompatible with the
current system code page, won't work correctly with ANSI APIs. PHP
till now only uses the ANSI Windows APIs.
For example, on a system with the current code page 1252, the paths
in cp1252 are supported and transparently converted to UTF-16 by the
ANSI functions. Once one wants to handle a filepath encoded with cp932 on
that particular system, an ANSI or a POSIX compatible function used in
PHP will produce an erroneous result. When trying to convert that cp932 path
to UTF-8 and passing to the ANSI functions, an ANSI function would
likely interpret the UTF-8 string as some string in the current code page and
create a filepath that represents every single byte of the UTF-8 string.
These behaviors are not only broken but also disregard the documented
INI settings.
This patch solves the issies with the multibyte paths on Windows by
intelligently enforcing the usage of the Unicode aware APIs. For
functions expect Unicode (fe CreateFileW, FindFirstFileW, etc.), arguments
will be converted to UTF-16 wide chars. For functions returning Unicode
aware data (fe GetCurrentDirectoryW, etc.), resulting wide string is
converted back to char's depending on the current PHP charset settings,
either to the current ANSI codepage (this is the behavior prior to this patch)
or to UTF-8 (the default behavior).
In a particular case, users might have to explicitly set
internal_encoding or default_charset, if filenames in ANSI codepage are
necessary. Current tests show no regressions and witness that this will be an
exotic case, the current default UTF-8 encoding is compatible with any
supported system. The dependency libraries are long switching to Unicode APIs,
so some tests were also added for extensions not directly related to streams.
At large, the patch brings over 150 related tests into the core. Those target
and was run on various environments with European, Asian, etc. codepages.
General PHP frameworks was tested and showed no regressions.
The impact on the current C code base is low, the most places affected
are the Windows only places in the three files tsrm_win32.c, zend_virtual_cwd.c
and plain_wrapper.c. The actual implementation of the most of the wide
char supporting functionality is in win32/ioutil.* and win32/codepage.*,
several low level functionsare extended in place to avoid reimplementation for
now. No performance impact was sighted. As previously mentioned, the ANSI APIs
used prior the patch perform Unicode conversions internally. Using the
Unicode APIs directly while doing custom conversions just retains the status
quo. The ways to optimize it are open (fe. by implementing caching for the
strings converted to wide variants).
The long path implementation is user transparent. If a path exceeds the
length of _MAX_PATH, it'll be automatically prefixed with \\?\. The MAXPATHLEN
is set to 2048 bytes.
Appreciation to Pierre Joye, Matt Ficken, @algo13 and others for tips, ideas
and testing.
Thanks.
When the location of the data is outside of the range we have
preloaded (for example, if it's before the beginning of the IFD
structure), we have to read it from the stream into a separate buffer.
The offset calculations in this case were incorrect, resulting in
bogus values being read for the affected fields (sometimes parts of
other fields, sometimes binary data).
The included test image, sourced from [1], is in the public domain.
[1] https://commons.wikimedia.org/wiki/File:U.S._Marines_Prepare_to_board_an_MV-22_Osprey_160509-M-AF202-041.jpg
These are either in debug code (fix them), commented out (drop
them) or in dead compatibility macros (drop them).
One usage was in php_stream_get_from_zval(), which we have not used
since at least PHP 5.2 and, judging from the fact that nobody
complained about it causing compile errors in PHP 7, nobody else
uses it either, so drop it.
There are still remaining uses in mysqli embedded and odbc birdstep.
These probably need to be dropped outright.
* PHP-5.6: (21 commits)
fix unit tests
update NEWS
add NEWS for fixes
Improve fix for #70172
Fix bug #70312 - HAVAL gives wrong hashes in specific cases
fix test
add test
Fix bug #70366 - use-after-free vulnerability in unserialize() with SplDoublyLinkedList
Fix bug #70365 - use-after-free vulnerability in unserialize() with SplObjectStorage
Fix bug #70172 - Use After Free Vulnerability in unserialize()
Fix bug #70388 - SOAP serialize_function_call() type confusion
Fixed bug #70350: ZipArchive::extractTo allows for directory traversal when creating directories
Improve fix for #70385
Fix bug #70345 (Multiple vulnerabilities related to PCRE functions)
Fix bug #70385 (Buffer over-read in exif_read_data with TIFF IFD tag byte value of 32 bytes)
Fix bug #70219 (Use after free vulnerability in session deserializer)
Fix bug ##70284 (Use after free vulnerability in unserialize() with GMP)
Fix for bug #69782
Add CVE IDs asigned (post release) to PHP 5.4.43
Add CVE IDs asigned to #69085 (PHP 5.4.39)
...
Conflicts:
ext/exif/exif.c
ext/gmp/gmp.c
ext/pcre/php_pcre.c
ext/session/session.c
ext/session/tests/session_decode_variation3.phpt
ext/soap/soap.c
ext/spl/spl_observer.c
ext/standard/var.c
ext/standard/var_unserializer.c
ext/standard/var_unserializer.re
ext/xsl/xsltprocessor.c
* PHP-5.5:
update NEWS
add NEWS for fixes
Improve fix for #70172
Fix bug #70312 - HAVAL gives wrong hashes in specific cases
fix test
add test
Fix bug #70366 - use-after-free vulnerability in unserialize() with SplDoublyLinkedList
Fix bug #70365 - use-after-free vulnerability in unserialize() with SplObjectStorage
Fix bug #70172 - Use After Free Vulnerability in unserialize()
Fix bug #70388 - SOAP serialize_function_call() type confusion
Fixed bug #70350: ZipArchive::extractTo allows for directory traversal when creating directories
Improve fix for #70385
Fix bug #70345 (Multiple vulnerabilities related to PCRE functions)
Fix bug #70385 (Buffer over-read in exif_read_data with TIFF IFD tag byte value of 32 bytes)
Fix bug #70219 (Use after free vulnerability in session deserializer)
Fix for bug #69782
Add CVE IDs asigned (post release) to PHP 5.4.43
Add CVE IDs asigned to #69085 (PHP 5.4.39)
5.4.45 next
Conflicts:
ext/pcre/php_pcre.c
ext/standard/var_unserializer.c
ext/standard/var_unserializer.re
ext/zip/php_zip.c
* PHP-5.4:
Improve fix for #70172
Fix bug #70312 - HAVAL gives wrong hashes in specific cases
fix test
add test
Fix bug #70366 - use-after-free vulnerability in unserialize() with SplDoublyLinkedList
Fix bug #70365 - use-after-free vulnerability in unserialize() with SplObjectStorage
Fix bug #70172 - Use After Free Vulnerability in unserialize()
Fix bug #70388 - SOAP serialize_function_call() type confusion
Fixed bug #70350: ZipArchive::extractTo allows for directory traversal when creating directories
Improve fix for #70385
Fix bug #70345 (Multiple vulnerabilities related to PCRE functions)
Fix bug #70385 (Buffer over-read in exif_read_data with TIFF IFD tag byte value of 32 bytes)
Fix bug #70219 (Use after free vulnerability in session deserializer)
Fix for bug #69782
Add CVE IDs asigned (post release) to PHP 5.4.43
Add CVE IDs asigned to #69085 (PHP 5.4.39)
5.4.45 next
Conflicts:
configure.in
ext/pcre/php_pcre.c
ext/standard/var_unserializer.c
ext/standard/var_unserializer.re
main/php_version.h
* PHP-5.4.45:
add test
Fix bug #70366 - use-after-free vulnerability in unserialize() with SplDoublyLinkedList
Fix bug #70365 - use-after-free vulnerability in unserialize() with SplObjectStorage
Fix bug #70172 - Use After Free Vulnerability in unserialize()
Fix bug #70388 - SOAP serialize_function_call() type confusion
Fixed bug #70350: ZipArchive::extractTo allows for directory traversal when creating directories
Improve fix for #70385
Fix bug #70345 (Multiple vulnerabilities related to PCRE functions)
Fix bug #70385 (Buffer over-read in exif_read_data with TIFF IFD tag byte value of 32 bytes)
Conflicts:
ext/pcre/php_pcre.c
ext/standard/var_unserializer.c
* PHP-5.6:
5.4.38 next
Updated NEWS
Updated NEWS
Fix bug #68711 Remove useless checks. 'num' is unsigned and cannot be <0.
Fix bug #68799: Free called on unitialized pointer
Fix for bug #68710 (Use After Free Vulnerability in PHP's unserialize())
Conflicts:
ext/exif/exif.c
ext/standard/var_unserializer.c
ext/standard/var_unserializer.re
* PHP-5.5:
5.4.38 next
Fix bug #68799: Free called on unitialized pointer
Fix for bug #68710 (Use After Free Vulnerability in PHP's unserialize())
Conflicts:
ext/standard/var_unserializer.c
* PHP-5.4:
5.4.38 next
Fix bug #68799: Free called on unitialized pointer
Fix for bug #68710 (Use After Free Vulnerability in PHP's unserialize())
Conflicts:
configure.in
main/php_version.h
