PHP exif_process NULL Pointer DoS

February 9, 2018

A code execution vulnerability exists in PHP's exif extension module, which could cause a denial of service on the server side. An attacker can exploit this vulnerability by sending a specially crafted JPEG or TIFF file to a web application that parses Exif data.

The vulnerability is caused by a null pointer dereference while PHP parses the Exif section of an image file. When handling the Exif section, the PHP module calls the following chain of encoding-conversion functions:

exif_read_data()  (if the Exif data contains a UserComment tag)
  -----> exif_process_user_comment()  (if the encoding designation of the string is "JIS" followed by 5 null bytes)
    -----> zend_multibyte_encoding_converter()
      -----> zend_multibyte_fetch_encoding()

The return value of zend_multibyte_fetch_encoding() is passed to zend_multibyte_encoding_converter() as a pointer parameter (encoding_from):

ZEND_API size_t zend_multibyte_encoding_converter(
        unsigned char **to,
        size_t *to_length,
        const unsigned char *from,
        size_t from_length,
        const zend_encoding *encoding_to,
        const zend_encoding *encoding_from)


In zend_multibyte_fetch_encoding(), the encode_jis setting is passed in as a parameter. Malicious input can cause this value to be NULL, which in turn makes zend_multibyte_fetch_encoding() return NULL. zend_multibyte_encoding_converter() then dereferences that NULL pointer, crashing the worker and causing a denial of service for the web application.

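The following C program is an added, simplified model of the code path described above; it is not PHP's source. It assumes a small constructed encoding registry, a settings struct holding the encode_jis name, and a converter that only copies bytes instead of transcoding. It shows the failure mode (a NULL name flowing from the settings through fetch_encoding() into the converter) and the guard a defender wants in the converter: reject a NULL encoding with an error return instead of dereferencing it.

```c
/* Added example: a simplified model of the Exif UserComment path.
 * Assumptions (hypothetical, not PHP's own code): a tiny encoding registry,
 * an exif_settings_t carrying the encode_jis / encode_unicode names, and a
 * converter that copies bytes verbatim instead of transcoding. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

typedef struct { const char *name; int id; } encoding_t;

/* Constructed registry of "known" encodings. */
static const encoding_t registry[] = {
    { "ASCII", 1 }, { "UTF-8", 2 }, { "ISO-2022-JP", 3 },
};

/* Model of zend_multibyte_fetch_encoding(): returns NULL for an unknown
 * name and, crucially, for a NULL name. The caller must handle that. */
static const encoding_t *fetch_encoding(const char *name)
{
    if (name == NULL) return NULL;
    for (size_t i = 0; i < sizeof registry / sizeof registry[0]; i++)
        if (strcmp(registry[i].name, name) == 0) return &registry[i];
    return NULL;
}

/* Per-request settings; encode_jis is the value that can end up NULL. */
typedef struct { const char *encode_jis; const char *encode_unicode; } exif_settings_t;

/* Model of the converter with the guard that is missing in the vulnerable
 * scenario: a NULL encoding is an error, not something to dereference.
 * Returns the number of bytes written, or (size_t)-1 on failure. */
static size_t convert_checked(unsigned char *to, size_t to_cap,
                              const unsigned char *from, size_t from_len,
                              const encoding_t *enc_to, const encoding_t *enc_from)
{
    if (enc_to == NULL || enc_from == NULL) return (size_t)-1; /* the guard */
    if (from_len > to_cap) return (size_t)-1;
    memcpy(to, from, from_len); /* real code would transcode here */
    return from_len;
}

/* Model of exif_process_user_comment(): the first 8 bytes of the tag value
 * name the character set of the comment. Returns 0 on success, -1 on failure. */
int process_user_comment(const unsigned char *value, size_t len,
                         const exif_settings_t *cfg,
                         unsigned char *out, size_t out_cap, size_t *out_len)
{
    const char *enc_name;
    if (len < 8) return -1;
    if (memcmp(value, "ASCII\0\0\0", 8) == 0) {
        /* ASCII needs no conversion: copy the payload directly. */
        if (len - 8 > out_cap) return -1;
        memcpy(out, value + 8, len - 8);
        *out_len = len - 8;
        return 0;
    } else if (memcmp(value, "UNICODE\0", 8) == 0) {
        enc_name = cfg->encode_unicode;
    } else if (memcmp(value, "JIS\0\0\0\0\0", 8) == 0) {
        enc_name = cfg->encode_jis;     /* may be NULL */
    } else {
        return -1;                      /* undefined/unknown designation */
    }

    const encoding_t *from = fetch_encoding(enc_name);  /* NULL if enc_name is NULL */
    const encoding_t *to   = fetch_encoding("UTF-8");
    size_t n = convert_checked(out, out_cap, value + 8, len - 8, to, from);
    if (n == (size_t)-1) return -1;
    *out_len = n;
    return 0;
}

/* Constructed UserComment value: "JIS" + 5 NUL bytes, then a 5-byte payload. */
static const unsigned char jis_comment[] = "JIS\0\0\0\0\0hello";

/* JIS comment while encode_jis is NULL: must fail cleanly, not crash. */
int demo_null_jis(void)
{
    exif_settings_t cfg = { NULL, "UTF-8" };
    unsigned char out[32]; size_t n = 0;
    return process_user_comment(jis_comment, sizeof jis_comment - 1, &cfg, out, sizeof out, &n);
}

/* Same comment with encode_jis configured: returns the payload length. */
int demo_configured_jis(void)
{
    exif_settings_t cfg = { "ISO-2022-JP", "UTF-8" };
    unsigned char out[32]; size_t n = 0;
    if (process_user_comment(jis_comment, sizeof jis_comment - 1, &cfg, out, sizeof out, &n) != 0)
        return -1;
    return (int)n;
}

int main(void)
{
    printf("encode_jis = NULL      -> %d (expected -1, handled)\n", demo_null_jis());
    printf("encode_jis configured  -> %d bytes (expected 5)\n", demo_configured_jis());
    return 0;
}
```

The point of the model is the single check in convert_checked(): once fetch_encoding() can return NULL for a NULL or unrecognised name, every caller of the converter is one unchecked configuration value away from a crash, so the converter itself should validate both encoding pointers before use.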
SonicWall Capture Labs Threat Research team has developed the following signature to identify and stop the attacks:

  • IPS 13182: PHP exif_process NULL Pointer Dereference 2