CVE-2019-11925

Summary

Insufficient boundary checks when processing the JPEG APP12 block marker in the GD extension could allow access to out-of-bounds memory via a maliciously constructed invalid JPEG input. This issue affects HHVM versions prior to 3.30.9, all versions between 4.0.0 and 4.8.3, all versions between 4.9.0 and 4.15.2, and versions 4.16.0 to 4.16.3, 4.17.0 to 4.17.2, 4.18.0 to 4.18.1, 4.19.0, 4.20.0 to 4.20.1.

Affected Software

VendorProductVersion RangeStatus
FacebookHHVM4.21.0affected
FacebookHHVM4.20.2affected
FacebookHHVM4.20.0 < unspecifiedaffected
FacebookHHVM4.19.1affected
FacebookHHVM4.19.0 < unspecifiedaffected
FacebookHHVM4.18.2affected
FacebookHHVM4.18.0 < unspecifiedaffected
FacebookHHVM4.17.3affected
FacebookHHVM4.17.0 < unspecifiedaffected
FacebookHHVM4.16.4affected
FacebookHHVM4.16.0 < unspecifiedaffected
FacebookHHVM4.15.3affected
FacebookHHVM4.9.0 < unspecifiedaffected
FacebookHHVM4.8.4affected
FacebookHHVM4.0.0 < unspecifiedaffected
FacebookHHVM3.30.10affected
FacebookHHVMunspecified <= 3.30.9affected

Weaknesses

  • CWE-119: CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer

ADP Enrichment

CVE Program Container

Additional References

References