|  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #41630 Non-exploitable (DoS) heap corruption with GIF
Submitted: 2007-06-07 19:37 UTC Modified: 2007-06-08 05:31 UTC
From: wccoder at gmail dot com Assigned: pajoye (profile)
Status: Closed Package: GD related
PHP Version: 5.2.3 OS: Linux
Private report: No CVE-ID: None
View Add Comment Developer Edit
Welcome! If you don't have a Git account, you can't do anything here.
You can add a comment by following this link or if you reported this bug, you can edit this bug over here.
Block user comment
Status: Assign to:
Bug Type:
From: wccoder at gmail dot com
New email:
PHP Version: OS:


 [2007-06-07 19:37 UTC] wccoder at gmail dot com
The corruption actually happens at ext/gd/libgd/gd_gif_in.c:590-594

590             while ((v = LWZReadByte(fd, &sd, FALSE, c, ZeroDataBlockP)) >= 0 ) {
591                     /* This how we recognize which colors are actually used. */
592                     if (im->open[v]) {
593                             im->open[v] = 0;
594                     }

Values read from the data stream are not bounds-checked. An attacker can create values of v (type int) which are larger than the array im->open (256 bytes). If the value of im->open[v] happens to be non-zero, it is overwritten with a zero on line 593. This corrupts the heap. The attacker can't control what value is overwritten (always 0), but they could control which bytes are overwritten. libgd should clamp values of v to be between acceptable values [0,255].

Note that values of v are clamped to 4096, since this is the maximum number of bits per codeword that gd will accept, so it isn't an arbitrary overwrite. It is enough to corrupt the heap and cause a DoS though.

Reproduce code:
I have a sample .gif file. Email me for it.


Add a Patch

Pull Requests

Add a Pull Request


AllCommentsChangesGit/SVN commitsRelated reports
 [2007-06-07 20:15 UTC]
> I have a sample .gif file. Email me for it.

done, I sent you a mail.
 [2007-06-08 05:31 UTC]
This bug has been fixed in CVS.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
Thank you for the report, and for helping us make PHP better.

Fixed in all active branches. Thanks for your report!
PHP Copyright © 2001-2019 The PHP Group
All rights reserved.
Last updated: Sun Jul 21 11:01:25 2019 UTC