PHP exif_process NULL Pointer DoS

A code execution vulnerability exists in PHP's exif extension module, which could cause denial of service on the server side. An attacker can exploit this vulnerability by sending a specially crafted JPEG or TIFF file to a web application.

The vulnerability is caused by a null pointer dereference that occurs while PHP parses the Exif section of an image file. When handling the Exif section, the PHP module calls a series of encoding converter functions:

exif_read_data() (If the Exif data contains a user comment tag)
-----> exif_process_user_comment() (If encoding designation for the string contains "JIS" and 5 null bytes)
-----> zend_multibyte_encoding_converter()
-----> zend_multibyte_fetch_encoding()

 

The return value of zend_multibyte_fetch_encoding() is passed to zend_multibyte_encoding_converter() as a pointer parameter:

ZEND_API size_t zend_multibyte_encoding_converter(
    unsigned char **to,
    size_t *to_length,
    const unsigned char *from,
    size_t from_length,
    const zend_encoding *encoding_to,
    const zend_encoding *encoding_from);

 

In zend_multibyte_fetch_encoding(), the encode_jis section in the file is passed in as a parameter. Malicious input can set it to null, which eventually makes zend_multibyte_fetch_encoding() return null. zend_multibyte_encoding_converter() then triggers a null pointer failure, causing a DoS of the web application.
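
A minimal C model of the call chain above, added here as an illustration and not taken from PHP's source or from SonicWall. The names model_encoding, model_fetch_encoding, model_converter and convert_user_comment are hypothetical stand-ins; the model shows the lookup returning NULL for an unresolvable encoding name and the caller-side check that turns the crash into an error return.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Simplified stand-in for zend_encoding (the real struct is internal to PHP). */
typedef struct { const char *name; size_t char_width; } model_encoding;

/* Constructed table of registered encodings for this model. */
static const model_encoding known[] = { {"JIS", 1}, {"UCS-2BE", 2} };

/* Models the lookup step: NULL when the name is missing or not registered. */
const model_encoding *model_fetch_encoding(const char *name) {
    if (name == NULL) return NULL;
    for (size_t i = 0; i < sizeof known / sizeof known[0]; i++)
        if (strcmp(known[i].name, name) == 0) return &known[i];
    return NULL;
}

/* Models the converter: it dereferences both pointers without checking them,
 * so a NULL from the lookup crashes the process here. */
size_t model_converter(size_t from_length, const model_encoding *to,
                       const model_encoding *from) {
    return from_length / from->char_width * to->char_width;
}

/* Guarded caller: reject a failed lookup before the converter sees it. */
size_t convert_user_comment(size_t from_length, const char *to_name,
                            const char *from_name) {
    const model_encoding *to = model_fetch_encoding(to_name);
    const model_encoding *from = model_fetch_encoding(from_name);
    if (to == NULL || from == NULL)
        return (size_t)-1; /* error return instead of a worker crash */
    return model_converter(from_length, to, from);
}

int main(void) {
    /* Valid names convert; an empty or missing name is reported as an error. */
    printf("%zu\n", convert_user_comment(8, "UCS-2BE", "JIS"));
    printf("%d\n", convert_user_comment(8, "UCS-2BE", "") == (size_t)-1);
    printf("%d\n", convert_user_comment(8, "UCS-2BE", NULL) == (size_t)-1);
    return 0;
}
```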

 

SonicWall Capture Labs Threat Research team has developed the following signature to identify and stop the attacks:

  • IPS 13182: PHP exif_process NULL Pointer Dereference 2