php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #66387 Stack overflow with imagefilltoborder
Submitted: 2014-01-02 06:03 UTC Modified: 2016-06-13 06:23 UTC
From: fernando at null-life dot com Assigned: cmb (profile)
Status: Closed Package: GD related
PHP Version: 5.5.36 OS: *
Private report: No CVE-ID: 2015-8874
 [2014-01-02 06:03 UTC] fernando at null-life dot com
Description:
------------
There is a stack overflow inside imagefilltoborder.

Test script:
---------------
$im = imagecreatetruecolor(20, 20);
$c = imagecolorallocate($im, 255, 0, 0);
imagefilltoborder($im, 0, -999355, $c, $c);

Expected result:
----------------
Not crash/image

Actual result:
--------------
(13cc.e2c): Stack overflow - code c00000fd (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000000 ebx=fff4cb4b ecx=000f4240 edx=00000000 esi=00d9dca0 edi=ffffffff
eip=675cca19 esp=003d3000 ebp=003d3004 iopl=0         nv up ei ng nz ac pe cy
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00210297
*** WARNING: Unable to verify checksum for C:\php\php_gd2.dll
php_gd2!php_gd_gdImageSetPixel+0x9:
675cca19 57              push    edi
0:000> k
ChildEBP RetAddr  
003d3004 675cb829 php_gd2!php_gd_gdImageSetPixel+0x9 [c:\php-sdk\php55\vc11\x86\php-5.5.7\ext\gd\libgd\gd.c @ 723]
003d3034 675cb938 php_gd2!php_gd_gdImageFillToBorder+0x79 [c:\php-sdk\php55\vc11\x86\php-5.5.7\ext\gd\libgd\gd.c @ 1786]
003d3068 675cb938 php_gd2!php_gd_gdImageFillToBorder+0x188 [c:\php-sdk\php55\vc11\x86\php-5.5.7\ext\gd\libgd\gd.c @ 1827]
003d309c 675cb938 php_gd2!php_gd_gdImageFillToBorder+0x188 [c:\php-sdk\php55\vc11\x86\php-5.5.7\ext\gd\libgd\gd.c @ 1827]
003d30d0 675cb938 php_gd2!php_gd_gdImageFillToBorder+0x188 [c:\php-sdk\php55\vc11\x86\php-5.5.7\ext\gd\libgd\gd.c @ 1827]
003d3104 675cb938 php_gd2!php_gd_gdImageFillToBorder+0x188 [c:\php-sdk\php55\vc11\x86\php-5.5.7\ext\gd\libgd\gd.c @ 1827]
003d3138 675cb938 php_gd2!php_gd_gdImageFillToBorder+0x188 [c:\php-sdk\php55\vc11\x86\php-5.5.7\ext\gd\libgd\gd.c @ 1827]
003d316c 675cb938 php_gd2!php_gd_gdImageFillToBorder+0x188 [c:\php-sdk\php55\vc11\x86\php-5.5.7\ext\gd\libgd\gd.c @ 1827]
003d31a0 675cb938 php_gd2!php_gd_gdImageFillToBorder+0x188 [c:\php-sdk\php55\vc11\x86\php-5.5.7\ext\gd\libgd\gd.c @ 1827]
...

Patches

CVE-2015-8874 (last revision 2021-08-17 02:24 UTC by 474021880 at qq dot com)

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2014-01-06 17:50 UTC] scott at arciszewski dot me
https://github.com/php/php-src/blob/PHP-5.5.7/ext/gd/libgd/gd.c#L1827

Indeed. Does anyone want to patch it for 5.5.8?
 [2015-07-20 21:19 UTC] cmb@php.net
-Status: Open +Status: Analyzed -Operating System: Windows +Operating System: * -PHP Version: 5.5.7 +PHP Version: 5.6.11 -Assigned To: +Assigned To: cmb
 [2015-07-20 21:19 UTC] cmb@php.net
Well, the recursive algorithm might not be the perfect solution,
but the real issue here is that a very large negative coordinate
is passed to imagefilltoborder(). If the coordinates were properly
clipped[1], the test script would run fine.

Of course, the same problem would occur for very large images, but
its not unlikely that such images can't be allocated anyway (see
bug #66488), and I expect other issues with very large images as
well.

[1] <https://github.com/php/php-src/blob/PHP-5.5.7/ext/gd/libgd/gd.c#L1775-L1780>
 [2015-07-20 21:51 UTC] cmb@php.net
Automatic comment on behalf of cmb
Revision: http://git.php.net/?p=php-src.git;a=commit;h=e7f2356665c2569191a946b6fc35b437f0ae1384
Log: Fix #66387: Stack overflow with imagefilltoborder
 [2015-07-20 21:51 UTC] cmb@php.net
-Status: Analyzed +Status: Closed
 [2015-07-20 22:01 UTC] cmb@php.net
Reported upstream: <https://github.com/libgd/libgd/issues/178>.
 [2015-07-21 14:20 UTC] ab@php.net
Automatic comment on behalf of cmb
Revision: http://git.php.net/?p=php-src.git;a=commit;h=e7f2356665c2569191a946b6fc35b437f0ae1384
Log: Fix #66387: Stack overflow with imagefilltoborder
 [2016-06-07 18:48 UTC] kaplan@php.net
-CVE-ID: +CVE-ID: 2015-8874
 [2016-06-13 06:20 UTC] ab@php.net
Automatic comment on behalf of cmb
Revision: http://git.php.net/?p=php-src.git;a=commit;h=f96ebb098697908641c6d37e1149cde1f90417fd
Log: Fix #66387: Stack overflow with imagefilltoborder
 [2016-06-13 06:23 UTC] stas@php.net
-PHP Version: 5.6.11 +PHP Version: 5.5.36
 [2016-06-21 07:03 UTC] stas@php.net
Automatic comment on behalf of cmb
Revision: http://git.php.net/?p=php-src.git;a=commit;h=f96ebb098697908641c6d37e1149cde1f90417fd
Log: Fix #66387: Stack overflow with imagefilltoborder
 [2016-06-21 07:26 UTC] stas@php.net
Automatic comment on behalf of cmb
Revision: http://git.php.net/?p=php-src.git;a=commit;h=f96ebb098697908641c6d37e1149cde1f90417fd
Log: Fix #66387: Stack overflow with imagefilltoborder
 [2016-06-22 05:58 UTC] krakjoe@php.net
Automatic comment on behalf of cmb
Revision: http://git.php.net/?p=php-src.git;a=commit;h=f96ebb098697908641c6d37e1149cde1f90417fd
Log: Fix #66387: Stack overflow with imagefilltoborder
 [2021-08-17 02:24 UTC] 474021880 at qq dot com
The following patch has been added/updated:

Patch Name: CVE-2015-8874
Revision:   1629167095
URL:        https://bugs.php.net/patch-display.php?bug=66387&patch=CVE-2015-8874&revision=1629167095
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Mon Dec 30 14:01:28 2024 UTC