PHP :: Bug #66387 :: Stack overflow with imagefilltoborder

Bug #66387	Stack overflow with imagefilltoborder
Submitted:	2014-01-02 06:03 UTC	Modified:	2016-06-13 06:23 UTC
From:	fernando at null-life dot com	Assigned:	cmb (profile)
Status:	Closed	Package:	GD related
PHP Version:	5.5.36	OS:	*
Private report:	No	CVE-ID:	2015-8874

View Developer Edit

[2014-01-02 06:03 UTC] fernando at null-life dot com

Description:
------------
There is a stack overflow inside imagefilltoborder.

Test script:
---------------
$im = imagecreatetruecolor(20, 20);
$c = imagecolorallocate($im, 255, 0, 0);
imagefilltoborder($im, 0, -999355, $c, $c);

Expected result:
----------------
Not crash/image

Actual result:
--------------
(13cc.e2c): Stack overflow - code c00000fd (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000000 ebx=fff4cb4b ecx=000f4240 edx=00000000 esi=00d9dca0 edi=ffffffff
eip=675cca19 esp=003d3000 ebp=003d3004 iopl=0         nv up ei ng nz ac pe cy
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00210297
*** WARNING: Unable to verify checksum for C:\php\php_gd2.dll
php_gd2!php_gd_gdImageSetPixel+0x9:
675cca19 57              push    edi
0:000> k
ChildEBP RetAddr  
003d3004 675cb829 php_gd2!php_gd_gdImageSetPixel+0x9 [c:\php-sdk\php55\vc11\x86\php-5.5.7\ext\gd\libgd\gd.c @ 723]
003d3034 675cb938 php_gd2!php_gd_gdImageFillToBorder+0x79 [c:\php-sdk\php55\vc11\x86\php-5.5.7\ext\gd\libgd\gd.c @ 1786]
003d3068 675cb938 php_gd2!php_gd_gdImageFillToBorder+0x188 [c:\php-sdk\php55\vc11\x86\php-5.5.7\ext\gd\libgd\gd.c @ 1827]
003d309c 675cb938 php_gd2!php_gd_gdImageFillToBorder+0x188 [c:\php-sdk\php55\vc11\x86\php-5.5.7\ext\gd\libgd\gd.c @ 1827]
003d30d0 675cb938 php_gd2!php_gd_gdImageFillToBorder+0x188 [c:\php-sdk\php55\vc11\x86\php-5.5.7\ext\gd\libgd\gd.c @ 1827]
003d3104 675cb938 php_gd2!php_gd_gdImageFillToBorder+0x188 [c:\php-sdk\php55\vc11\x86\php-5.5.7\ext\gd\libgd\gd.c @ 1827]
003d3138 675cb938 php_gd2!php_gd_gdImageFillToBorder+0x188 [c:\php-sdk\php55\vc11\x86\php-5.5.7\ext\gd\libgd\gd.c @ 1827]
003d316c 675cb938 php_gd2!php_gd_gdImageFillToBorder+0x188 [c:\php-sdk\php55\vc11\x86\php-5.5.7\ext\gd\libgd\gd.c @ 1827]
003d31a0 675cb938 php_gd2!php_gd_gdImageFillToBorder+0x188 [c:\php-sdk\php55\vc11\x86\php-5.5.7\ext\gd\libgd\gd.c @ 1827]
...

Patches

CVE-2015-8874 (last revision 2021-08-17 02:24 UTC by 474021880 at qq dot com)

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2014-01-06 17:50 UTC] scott at arciszewski dot me

https://github.com/php/php-src/blob/PHP-5.5.7/ext/gd/libgd/gd.c#L1827

Indeed. Does anyone want to patch it for 5.5.8?

[2015-07-20 21:19 UTC] cmb@php.net

-Status: Open +Status: Analyzed -Operating System: Windows +Operating System: * -PHP Version: 5.5.7 +PHP Version: 5.6.11 -Assigned To: +Assigned To: cmb

[2015-07-20 21:19 UTC] cmb@php.net

Well, the recursive algorithm might not be the perfect solution,
but the real issue here is that a very large negative coordinate
is passed to imagefilltoborder(). If the coordinates were properly
clipped[1], the test script would run fine.

Of course, the same problem would occur for very large images, but
its not unlikely that such images can't be allocated anyway (see
bug #66488), and I expect other issues with very large images as
well.

[1] <https://github.com/php/php-src/blob/PHP-5.5.7/ext/gd/libgd/gd.c#L1775-L1780>

[2015-07-20 21:51 UTC] cmb@php.net

Automatic comment on behalf of cmb
Revision: http://git.php.net/?p=php-src.git;a=commit;h=e7f2356665c2569191a946b6fc35b437f0ae1384
Log: Fix #66387: Stack overflow with imagefilltoborder

[2015-07-20 21:51 UTC] cmb@php.net

-Status: Analyzed +Status: Closed

[2015-07-20 22:01 UTC] cmb@php.net

Reported upstream: <https://github.com/libgd/libgd/issues/178>.

[2015-07-21 14:20 UTC] ab@php.net

Automatic comment on behalf of cmb
Revision: http://git.php.net/?p=php-src.git;a=commit;h=e7f2356665c2569191a946b6fc35b437f0ae1384
Log: Fix #66387: Stack overflow with imagefilltoborder

[2016-06-07 10:32 UTC] cmb@php.net

Related To: Bug #69177

[2016-06-07 18:48 UTC] kaplan@php.net

-CVE-ID: +CVE-ID: 2015-8874

[2016-06-13 06:20 UTC] ab@php.net

Automatic comment on behalf of cmb
Revision: http://git.php.net/?p=php-src.git;a=commit;h=f96ebb098697908641c6d37e1149cde1f90417fd
Log: Fix #66387: Stack overflow with imagefilltoborder

[2016-06-13 06:22 UTC] ab@php.net

Related To: Bug #72350

[2016-06-13 06:23 UTC] stas@php.net

-PHP Version: 5.6.11 +PHP Version: 5.5.36

[2016-06-21 07:03 UTC] stas@php.net

Automatic comment on behalf of cmb
Revision: http://git.php.net/?p=php-src.git;a=commit;h=f96ebb098697908641c6d37e1149cde1f90417fd
Log: Fix #66387: Stack overflow with imagefilltoborder

[2016-06-21 07:26 UTC] stas@php.net

Automatic comment on behalf of cmb
Revision: http://git.php.net/?p=php-src.git;a=commit;h=f96ebb098697908641c6d37e1149cde1f90417fd
Log: Fix #66387: Stack overflow with imagefilltoborder

[2016-06-22 05:58 UTC] krakjoe@php.net

Automatic comment on behalf of cmb
Revision: http://git.php.net/?p=php-src.git;a=commit;h=f96ebb098697908641c6d37e1149cde1f90417fd
Log: Fix #66387: Stack overflow with imagefilltoborder

[2018-01-25 12:07 UTC] cmb@php.net

Related To: Bug #75788

[2021-08-17 02:24 UTC] 474021880 at qq dot com

The following patch has been added/updated:

Patch Name: CVE-2015-8874
Revision:   1629167095
URL:        https://bugs.php.net/patch-display.php?bug=66387&patch=CVE-2015-8874&revision=1629167095

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2024 The PHP Group All rights reserved.	Last updated: Thu Nov 21 08:01:29 2024 UTC