Skip to content

Fix integer underflow in exif HEIF parsing #20630

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
Oblivionsage wants to merge 2 commits into from
Closed

Fix integer underflow in exif HEIF parsing #20630

Oblivionsage wants to merge 2 commits into from

Conversation

@Oblivionsage
Copy link
Contributor

@Oblivionsage Oblivionsage commented Dec 2, 2025
edited
Loading

When pos.size is less than 2, the subtraction pos.size - 2 causes an unsigned integer underflow, resulting in a ~4GB allocation attempt.

Add minimum size check (pos.size >= 2) to prevent the underflow.

Closes #20631

@Oblivionsage
Fix integer underflow in exif HEIF parsing
472f09e 
When pos.size is less than 2, the subtraction pos.size - 2 causes
an unsigned integer underflow, resulting in a ~4GB allocation attempt.

Add minimum size check (pos.size >= 2) to prevent the underflow.
@Oblivionsage Oblivionsage mentioned this pull request Dec 2, 2025
Closed
ndossche
ndossche approved these changes Dec 2, 2025
View reviewed changes
Copy link
Member

@ndossche ndossche left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks!
For the future, this should actually target the PHP-8.5 branch. That's because bugfixes always should target the lowest supported branch and we will merge upwards.
Doesn't matter now as I'll just cherry-pick into the right branch.
Leaving this open for a bit to see if anyone else has comments.

bukka
bukka reviewed Dec 2, 2025
View reviewed changes
Copy link
Member

@bukka bukka left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can you add a test with that malicious image that you have?

@Oblivionsage
Copy link
Contributor Author

Oblivionsage commented Dec 2, 2025

Can you add a test with that malicious image that you have?

added a test in the second commit , it patches image029.heic to set extent_length=1 and verifies the fix handles it gracefully

ndossche
ndossche approved these changes Dec 3, 2025
View reviewed changes
Copy link
Member

@ndossche ndossche left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks

@ndossche ndossche closed this in 6a0da6d Dec 3, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@bukka bukka bukka left review comments

@ndossche ndossche ndossche approved these changes

Assignees

No one assigned

Labels

Extension: exif

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Integer underflow in exif HEIF parsing when pos.size < 2

3 participants

@Oblivionsage @bukka @ndossche