How the Vulnerabilities Work
Two critical memory safety flaws have been discovered in PHP’s image processing functions, specifically within the `getimagesize` and `iptcembed` functions. These functions are widely used by web applications to parse JPEG metadata and embedded IPTC data.
The first issue is a bug in the `php_read_stream_all_chunks` function, which handles JPEG application segments read across multiple chunks. When this function processes large APP segments, such as those containing EXIF or IPTC metadata, it allocates uninitialized heap memory but fails to advance the buffer pointer after each read operation. As a result, each later chunk overwrites the start of the buffer and the tail bytes are never written, so they still hold whatever stale heap data was there. Fragments of server memory can then be exposed when a web application returns the processed metadata to the attacker.
The second flaw is a classic heap buffer overflow in the `iptcembed` function. The function measures the input file size once and uses that measurement for the entire read operation. If an attacker supplies a crafted JPEG whose size changes mid-stream (for example, because PHP stream filters are applied), the function may write beyond the allocated buffer. This can corrupt adjacent heap memory, leading to a denial of service or, in some scenarios, arbitrary code execution.
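The chunked-read defect described above, as an added illustration that is not PHP's code: a hypothetical read loop modelling the missing pointer advance beside its corrected form, fed by a constructed in-memory stream and a constructed 10-byte segment standing in for a JPEG APP segment.

```c
#include <stdlib.h>
#include <string.h>

/* Constructed in-memory stand-in for a stream that hands out at most `want`
 * bytes per call (hypothetical helper, not PHP's stream API). */
typedef struct { const unsigned char *data; size_t len, pos; } mem_stream;

static size_t mem_read(mem_stream *s, unsigned char *dst, size_t want) {
    size_t n = s->len - s->pos;
    if (n > want) n = want;
    memcpy(dst, s->data + s->pos, n);
    s->pos += n;
    return n;
}

/* Read `total` bytes in chunks of `chunk` into a fresh heap buffer.
 * advance == 0 models the defect described above: every chunk lands at the
 * start of the buffer, so bytes past the last chunk are never written.
 * advance != 0 is the corrected loop. The buffer is pre-filled with 0xAA as a
 * stand-in for stale heap data, so no genuinely uninitialized memory is read. */
static unsigned char *read_all_chunks(mem_stream *s, size_t total,
                                      size_t chunk, int advance) {
    unsigned char *buf = malloc(total);
    if (!buf) return NULL;
    memset(buf, 0xAA, total);
    unsigned char *dst = buf;
    for (size_t remaining = total; remaining > 0;) {
        size_t want = remaining < chunk ? remaining : chunk;
        size_t got = mem_read(s, dst, want);
        if (got == 0) { free(buf); return NULL; } /* short stream: fail closed */
        remaining -= got;
        if (advance) dst += got;               /* the missing pointer advance */
    }
    return buf;
}

/* Constructed 10-byte "segment" read in 4-byte chunks. Returns how many
 * trailing bytes still hold the sentinel (never written), or (size_t)-1
 * if the read failed. Correct loop: 0. Buggy loop: 6. */
static size_t demo_unfilled_tail(int advance) {
    static const unsigned char seg[10] = {1, 2, 3, 4, 5, 6, 7, 8, 9, 10};
    mem_stream s = { seg, sizeof seg, 0 };
    unsigned char *buf = read_all_chunks(&s, sizeof seg, 4, advance);
    if (!buf) return (size_t)-1;
    size_t n = 0;
    while (n < sizeof seg && buf[sizeof seg - 1 - n] == 0xAA) n++;
    free(buf);
    return n;
}
```

With the buggy loop the 10-byte segment is read as chunks of 4, 4 and 2 that all land at offset 0, so the last six bytes of the returned buffer are whatever the allocator left there; the corrected loop fills every byte.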
Impact and Scope
The vulnerabilities affect multiple PHP version branches, including 8.1.x before 8.1.34, 8.2.x before 8.2.30, 8.3.x before 8.3.29, 8.4.x before 8.4.16, and 8.5.x before 8.5.1. Patches have been released, and administrators are urged to upgrade immediately. The attack surface is broad: any public-facing web application that accepts user-uploaded images and calls `getimagesize` or `iptcembed` can be exploited, including content management systems, webmail services, and image CDNs. An attacker only needs to upload a malicious JPEG file to trigger the memory leak or overflow. Given the global use of PHP and the prevalence of image upload features, these flaws pose a moderate but realistic risk to server security.
Source: Cyber Security News
