Bug #43790 DoS (segfault) in libgd TTF processing
Submitted: 2008-01-09 00:49 UTC Modified: 2008-01-09 02:02 UTC
From: wccoder at gmail dot com Assigned: pajoye (profile)
Status: Closed Package: GD related
PHP Version: 5.2.5 OS: Fedora Core 7, x64
Private report: No CVE-ID: None
 [2008-01-09 00:49 UTC] wccoder at gmail dot com
Description:
------------
ext/gd/libgd/gdft.c:950

 if (font->face->charmap->encoding == FT_ENCODING_MS_SYMBOL && strcmp(font->face->family_name, "Symbol") == 0) {

A crafted .ttf file with a null font->face->family_name causes strcmp to attempt to access memory out of bounds and cores. I have a sample .ttf file I can send.
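The check at gdft.c:950 dereferences font->face->family_name without testing it first, so a face whose family name is absent sends a NULL pointer into strcmp. The following is an added example (not code from PHP, libgd or FreeType) showing that predicate rewritten with the pointer checks it needs; it uses hypothetical stand-in structs in place of FreeType's FT_Face and FT_CharMap, and it also guards the charmap pointer, which in FreeType can likewise be NULL when a face has no active charmap.

```c
#include <stdio.h>
#include <string.h>

/* Minimal stand-ins for the FreeType structures gdft.c dereferences
 * (hypothetical, not FreeType's real definitions). */
typedef enum { FT_ENCODING_NONE = 0, FT_ENCODING_MS_SYMBOL = 1 } ft_encoding;
typedef struct { ft_encoding encoding; } ft_charmap;
typedef struct { ft_charmap *charmap; const char *family_name; } ft_face;

/* Original predicate from gdft.c:950, which crashes when family_name
 * is NULL:
 *   face->charmap->encoding == FT_ENCODING_MS_SYMBOL &&
 *   strcmp(face->family_name, "Symbol") == 0
 */

/* Hardened predicate: every pointer is checked before it is dereferenced,
 * and a missing family name is treated as "not the Symbol font". */
int is_ms_symbol_font(const ft_face *face)
{
    if (face == NULL || face->charmap == NULL || face->family_name == NULL)
        return 0;
    return face->charmap->encoding == FT_ENCODING_MS_SYMBOL
        && strcmp(face->family_name, "Symbol") == 0;
}

/* Constructed sample faces (not real font data) covering the edge cases. */
static ft_charmap symbol_cmap  = { FT_ENCODING_MS_SYMBOL };
static ft_charmap unicode_cmap = { FT_ENCODING_NONE };
ft_face crafted_face = { &symbol_cmap, NULL };        /* the bug #43790 case */
ft_face symbol_face  = { &symbol_cmap, "Symbol" };
ft_face plain_face   = { &unicode_cmap, "DejaVu Sans" };
ft_face no_cmap_face = { NULL, "Symbol" };

int main(void)
{
    printf("crafted: %d\n", is_ms_symbol_font(&crafted_face)); /* 0, no crash */
    printf("symbol:  %d\n", is_ms_symbol_font(&symbol_face));  /* 1 */
    printf("plain:   %d\n", is_ms_symbol_font(&plain_face));   /* 0 */
    printf("nocmap:  %d\n", is_ms_symbol_font(&no_cmap_face)); /* 0 */
    return 0;
}
```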

Reproduce code:
---------------
<?php
$size = imagettfbbox(10, 0, 'crafted_font.ttf', 'steve');
?>


Expected result:
----------------
The php process cores.

Actual result:
--------------
#0  0x000000356c876bd0 in strcmp () from /lib64/libc.so.6
#1  0x00000000004bc5b3 in php_gd_gdImageStringFTEx (im=0x0, brect=0x7fffbce07cc0, fg=-1, fontlist=0xba5b80 "shifter_3042_4.ttf", 
    ptsize=10, angle=0, x=-1, y=-1, string=0xba8fb8 "steve", strex=0x0) at /home/wccoder/build/php-5.2.5/ext/gd/libgd/gdft.c:953
#2  0x00000000004bbe2b in php_gd_gdImageStringFT (im=0x0, brect=0x7fffbce07cc0, fg=-1, fontlist=0xba5b80 "shifter_3042_4.ttf", 
    ptsize=10, angle=0, x=-1, y=-1, string=0xba8fb8 "steve") at /home/wccoder/build/php-5.2.5/ext/gd/libgd/gdft.c:769
#3  0x00000000004a3d44 in php_imagettftext_common (ht=<value optimized out>, return_value=0xba73f8, 
    return_value_ptr=<value optimized out>, this_ptr=<value optimized out>, return_value_used=<value optimized out>, 
    mode=<value optimized out>, extended=0) at /home/wccoder/build/php-5.2.5/ext/gd/gd.c:4303
#4  0x00000000004a3de6 in zif_imagettfbbox (ht=0, return_value=0x740fa0, return_value_ptr=0x7fffbce077d0, this_ptr=0x356cb4b760, 
    return_value_used=-1) at /home/wccoder/build/php-5.2.5/ext/gd/gd.c:4199
#5  0x0000000000665f1b in zend_do_fcall_common_helper_SPEC (execute_data=0x7fffbce07f40)
    at /home/wccoder/build/php-5.2.5/Zend/zend_vm_execute.h:200
#6  0x0000000000665013 in execute (op_array=0xba6d58) at /home/wccoder/build/php-5.2.5/Zend/zend_vm_execute.h:92
#7  0x0000000000647013 in zend_execute_scripts (type=8, retval=0xbd8f80, file_count=3)
    at /home/wccoder/build/php-5.2.5/Zend/zend.c:1134
#8  0x000000000060776b in php_execute_script (primary_file=0x7fffbce0a5b0) at /home/wccoder/build/php-5.2.5/main/main.c:2004
#9  0x00000000006c1e42 in main (argc=3, argv=0x7fffbce0a7b8) at /home/wccoder/build/php-5.2.5/sapi/cli/php_cli.c:1140

 [2008-01-09 01:18 UTC] pajoye@php.net
Please send me the font you used for the crash. It may be fixed in freetype instead; this structure is not supposed to be empty (lookup in the worst case).

pierre.dev at gmail.com

Thanks for your report!
 [2008-01-09 01:30 UTC] pajoye@php.net
Actually, it can be NULL somehow (reading the ft code). I still wonder if it should not have some default value. I still like to have the font though (faster :)
 [2008-01-09 02:02 UTC] pajoye@php.net
Fixed in 5.3, 5.2 and HEAD. Thanks again for your report!