OSV-2022-57 Heap-buffer-overflow in _estrdup

OSS-Fuzz report: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=43736 Crash type: Heap-buffer-overflow READ 15 Crash state: estrdup exifprocessusercomment exifprocessIFDTAGimpl...

OSV-2022-32 Heap-buffer-overflow in _estrdup

OSS-Fuzz report: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=43484 Crash type: Heap-buffer-overflow READ 11 Crash state: estrdup exifprocessusercomment exifprocessIFDTAGimpl...

OSV-2021-669 Heap-buffer-overflow in _estrdup

OSS-Fuzz report: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=33495 Crash type: Heap-buffer-overflow READ Crash state: estrdup exifprocessusercomment exifprocessIFDTAGimpl...

OSV-2021-667 Heap-buffer-overflow in _estrdup

OSS-Fuzz report: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=33445 Crash type: Heap-buffer-overflow READ 12 Crash state: estrdup exifprocessusercomment exifprocessIFDTAGimpl...

OSV-2021-509 Heap-buffer-overflow in _estrdup

OSS-Fuzz report: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=31922 Crash type: Heap-buffer-overflow READ Crash state: estrdup exifprocessusercomment exifprocessIFDTAGimpl...

SUSE SLES12 Security Update : php72 (SUSE-SU-2019:2270-1)

This update for php72 fixes the following issues : Security issues fixed : CVE-2019-11041: Fixed heap buffer over-read in exifscanthumbnail bsc1146360. CVE-2019-11042: Fixed heap buffer over-read in exifprocessusercomment bsc1145095. Note that Tenable Network Security has extracted the preceding...

Internet Bug Bounty: Out of Bounds Memory Read in exif_process_user_comment

I have found and reported an out of bounds memory read in PHP exifprocessusercomment When PHP EXIF extension is parsing EXIF information from an image, e.g. via exifreaddata function, in PHP versions 7.1.x below 7.1.31, 7.2.x below 7.2.21 and 7.3.x below 7.3.8 it is possible to supply it with dat...

PHP 7.2.x < 7.2.21 Multiple Vulnerabilities

According to its banner, the version of PHP running on the remote web server is 7.1.x prior to 7.1.31, 7.2.x prior to 7.2.21 or 7.3.x prior to 7.3.8. It is, therefore, affected by the following vulnerabilities: - A heap-based buffer overflow condition exists on exifscanthumbnail. An attacker can...

PHP 7.3.x < 7.3.8 Multiple Vulnerabilities

According to its banner, the version of PHP running on the remote web server is 7.1.x prior to 7.1.31, 7.2.x prior to 7.2.21 or 7.3.x prior to 7.3.8. It is, therefore, affected by the following vulnerabilities: - A heap-based buffer overflow condition exists on exifscanthumbnail. An attacker can...

PHP 7.1.x < 7.1.31 Multiple Vulnerabilities

According to its banner, the version of PHP running on the remote web server is 7.1.x prior to 7.1.31, 7.2.x prior to 7.2.21 or 7.3.x prior to 7.3.8. It is, therefore, affected by the following vulnerabilities: - A heap-based buffer overflow condition exists on exifscanthumbnail. An attacker can...

CVE-2016-6292

The exifprocessusercomment function in ext/exif/exif.c in PHP before 5.5.38, 5.6.x before 5.6.24, and 7.x before 7.0.9 allows remote attackers to cause a denial of service NULL pointer dereference and application crash via a crafted JPEG image...

CVE-2016-6292

The exifprocessusercomment function in ext/exif/exif.c in PHP before 5.5.38, 5.6.x before 5.6.24, and 7.x before 7.0.9 allows remote attackers to cause a denial of service NULL pointer dereference and application crash via a crafted JPEG image...

CVE-2016-6292

Removed by vendor...

CVE-2016-6292

The exifprocessusercomment function in ext/exif/exif.c in PHP before 5.5.38, 5.6.x before 5.6.24, and 7.x before 7.0.9 allows remote attackers to cause a denial of service NULL pointer dereference and application crash via a crafted JPEG image...

Internet Bug Bounty: NULL Pointer Dereference in exif_process_user_comment

There is a bug occur in exifprocessusercomment when trying to encode JIS string. else if !memcmpszValuePtr, "JIS\0\0\0\0\0", 8 / JIS should be tanslated to MB or we leave it to the user - leave it to the user / pszEncoding = estrdupconst charszValuePtr; szValuePtr = szValuePtr+8; ByteCount -= 8; ...