Sec Bug #73867 CVE-2016-6912: Fix double-free in gdImageWebPtr()
Submitted: 2017-01-05 10:30 UTC Modified: 2017-01-18 15:12 UTC
From: ondrej@php.net Assigned: cmb (profile)
Status: Not a bug Package: GD related
PHP Version: 7.1.0 OS:
Private report: No CVE-ID: None
 [2017-01-05 10:30 UTC] ondrej@php.net
Description:
------------
This is a security sync with GD-2.2

~~~

The issue is that gdImageWebpCtx() (which is called by gdImageWebpPtr() and
the other WebP output functions to do the real work) does not return whether
it succeeded or failed, so this is not checked in gdImageWebpPtr() and the
function wrongly assumes everything is okay, which is not, in this case,
because there is a size limitation for WebP, namely that the width and
height must be less than 16383.

We can't change the signature of gdImageWebpCtx() for API compatibility
reasons, so we introduce the static helper _gdImageWebpCtx() which returns
success or failure, so gdImageWebpPtr() and gdImageWebpPtrEx() can
check the return value. We leave it solely to libwebp for now to report
warnings regarding the failing write.

This issue had been reported by Ibrahim El-Sayed to security@libgd.org.
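A constructed C model of the fix the description lays out, added here as an example and not libgd's or PHP's code: `model_webp_ctx_checked` plays the role of the new static `_gdImageWebpCtx()` helper that reports success, `model_webp_ctx` keeps the void signature for API compatibility, and `model_webp_ptr` checks the status and returns NULL instead of assuming the encode succeeded. All `model_*` names, the fake encoder and its 16-byte output are assumptions; the dimension check follows the report's stated limit of 16383.

```c
#include <stdlib.h>
/* Constructed model of the fix pattern in the report, not libgd code.
 * The report states WebP width and height must be less than 16383. */
#define MODEL_WEBP_DIM_LIMIT 16383
typedef struct { int sx, sy; } model_image;                   /* stand-in for gdImage */
typedef struct { unsigned char *buf; size_t len; } model_ctx; /* stand-in for gdIOCtx */

/* Encoder stand-in: like libwebp, refuses oversized images and writes nothing. */
static int model_encode(const model_image *im, unsigned char **out, size_t *len)
{
    if (im->sx >= MODEL_WEBP_DIM_LIMIT || im->sy >= MODEL_WEBP_DIM_LIMIT)
        return 0;
    *out = calloc(1, *len = 16);        /* constructed fixed-size fake bitstream */
    return *out != NULL;
}

/* In the role of the static helper _gdImageWebpCtx(): does the work and reports
 * 1 on success, 0 on failure, so callers no longer have to assume success. */
static int model_webp_ctx_checked(const model_image *im, model_ctx *ctx)
{
    unsigned char *out = NULL;
    size_t len = 0;
    if (!model_encode(im, &out, &len))
        return 0;                       /* nothing was written; ctx untouched */
    ctx->buf = out; ctx->len = len;
    return 1;
}

/* The public void function keeps its signature, as gdImageWebpCtx() must. */
void model_webp_ctx(const model_image *im, model_ctx *ctx) { (void)model_webp_ctx_checked(im, ctx); }

/* In the role of gdImageWebpPtr(): checks the helper's status and returns NULL
 * with *size = 0 instead of assuming ctx holds encoded data. */
void *model_webp_ptr(const model_image *im, int *size)
{
    model_ctx ctx = { NULL, 0 };
    if (!model_webp_ctx_checked(im, &ctx)) { *size = 0; return NULL; }
    *size = (int)ctx.len;
    return ctx.buf;                     /* caller frees */
}

/* Encoded size for an sx-by-sy image, or 0 when the encoder refused it. */
int model_ptr_size(int sx, int sy)
{
    model_image im = { sx, sy };
    int size = -1;
    void *p = model_webp_ptr(&im, &size);   /* sets size = 0 on failure */
    free(p);                                /* free(NULL) is a no-op */
    return size;
}
```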
Patches

0002-Fix-double-free-in-gdImageWebPtr.patch (last revision 2017-01-05 10:30 UTC by ondrej)

History

 [2017-01-05 15:32 UTC] cmb@php.net
-Assigned To: +Assigned To: cmb
 [2017-01-05 15:32 UTC] cmb@php.net
This issue doesn't affect PHP, because gdImageWebpPtr(Ex)() isn't
used at all, so this is actually not a bug. However, to avoid
leaking info about this GD issue, I suggest keeping this ticket
private until GD 2.2.4 is released.
 [2017-01-16 17:20 UTC] cmb@php.net
-Status: Assigned +Status: Not a bug
 [2017-01-16 17:20 UTC] cmb@php.net
As said above, this is not a bug for PHP.
 [2017-01-18 15:12 UTC] cmb@php.net
GD 2.2.4 has been released, so I'm revealing this ticket.
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Thu Dec 26 13:01:30 2024 UTC