oss-sec mailing list archives

Re: CVE Request + Advisory: PHP str_repeat() sign mismatch based memory corruption

From: Stanislav Malyshev <smalyshev () gmail com>
Date: Tue, 19 May 2015 11:19:34 -0700

Hi!

http://phpcrossref.com/xref/jpegmeta/EXIF.php.html,
https://code.google.com/p/zimbra-api-php/,
http://phpcrossref.com/xref/jpegmeta/XML.php.html) it is really likely
that it would end up processed by one of these functions (string
concatenation, for example).

$makernote <http://phpcrossref.com/xref/jpegmeta/_variables/makernote.html> .= str_repeat 
<http://phpcrossref.com/xref/jpegmeta/_functions/str_repeat.html>("\x00",( $tiff_data 
<http://phpcrossref.com/xref/jpegmeta/_variables/tiff_data.html>[ 'Makernote_Tag' ][ 'Offset' ] - 8 ) );


OK, I guess with parsing external formats like EXIF it can happen, so
while I'm still not sure about remote exploitation, remote triggering is
a possibility, you've convinced me here.
-- 
Stas Malyshev
smalyshev () gmail com

Current thread:

CVE Request + Advisory: PHP str_repeat() sign mismatch based memory corruption Andrea Palazzo (May 18)
- Re: CVE Request + Advisory: PHP str_repeat() sign mismatch based memory corruption Stanislav Malyshev (May 18)
  - Re: CVE Request + Advisory: PHP str_repeat() sign mismatch based memory corruption Andrea Palazzo (May 18)
    - Re: CVE Request + Advisory: PHP str_repeat() sign mismatch based memory corruption Stanislav Malyshev (May 18)
    - Re: CVE Request + Advisory: PHP str_repeat() sign mismatch based memory corruption Andrea Palazzo (May 19)
    - Re: CVE Request + Advisory: PHP str_repeat() sign mismatch based memory corruption Stanislav Malyshev (May 19)
    - Re: Re: CVE Request + Advisory: PHP str_repeat() sign mismatch based memory corruption Dennis (May 19)