Bug #66387 Stack overflow with imagefilltoborder
Submitted: 2014-01-02 06:03 UTC Modified: 2016-06-13 06:23 UTC
From: fernando at null-life dot com Assigned: cmb (profile)
Status: Closed Package: GD related
PHP Version: 5.5.36 OS: *
Private report: No CVE-ID: 2015-8874
 [2014-01-02 06:03 UTC] fernando at null-life dot com
Description:
------------
There is a stack overflow inside imagefilltoborder.

Test script:
---------------
<?php
$im = imagecreatetruecolor(20, 20);
$c = imagecolorallocate($im, 255, 0, 0);
// Start coordinate far outside the 20x20 image: this call crashes
imagefilltoborder($im, 0, -999355, $c, $c);

Expected result:
----------------
Not crash/image

Actual result:
--------------
(13cc.e2c): Stack overflow - code c00000fd (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000000 ebx=fff4cb4b ecx=000f4240 edx=00000000 esi=00d9dca0 edi=ffffffff
eip=675cca19 esp=003d3000 ebp=003d3004 iopl=0         nv up ei ng nz ac pe cy
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00210297
*** WARNING: Unable to verify checksum for C:\php\php_gd2.dll
php_gd2!php_gd_gdImageSetPixel+0x9:
675cca19 57              push    edi
0:000> k
ChildEBP RetAddr  
003d3004 675cb829 php_gd2!php_gd_gdImageSetPixel+0x9 [c:\php-sdk\php55\vc11\x86\php-5.5.7\ext\gd\libgd\gd.c @ 723]
003d3034 675cb938 php_gd2!php_gd_gdImageFillToBorder+0x79 [c:\php-sdk\php55\vc11\x86\php-5.5.7\ext\gd\libgd\gd.c @ 1786]
003d3068 675cb938 php_gd2!php_gd_gdImageFillToBorder+0x188 [c:\php-sdk\php55\vc11\x86\php-5.5.7\ext\gd\libgd\gd.c @ 1827]
003d309c 675cb938 php_gd2!php_gd_gdImageFillToBorder+0x188 [c:\php-sdk\php55\vc11\x86\php-5.5.7\ext\gd\libgd\gd.c @ 1827]
003d30d0 675cb938 php_gd2!php_gd_gdImageFillToBorder+0x188 [c:\php-sdk\php55\vc11\x86\php-5.5.7\ext\gd\libgd\gd.c @ 1827]
003d3104 675cb938 php_gd2!php_gd_gdImageFillToBorder+0x188 [c:\php-sdk\php55\vc11\x86\php-5.5.7\ext\gd\libgd\gd.c @ 1827]
003d3138 675cb938 php_gd2!php_gd_gdImageFillToBorder+0x188 [c:\php-sdk\php55\vc11\x86\php-5.5.7\ext\gd\libgd\gd.c @ 1827]
003d316c 675cb938 php_gd2!php_gd_gdImageFillToBorder+0x188 [c:\php-sdk\php55\vc11\x86\php-5.5.7\ext\gd\libgd\gd.c @ 1827]
003d31a0 675cb938 php_gd2!php_gd_gdImageFillToBorder+0x188 [c:\php-sdk\php55\vc11\x86\php-5.5.7\ext\gd\libgd\gd.c @ 1827]
...

Patches

CVE-2015-8874 (last revision 2021-08-17 02:24 UTC by 474021880 at qq dot com)

Pull Requests

History

 [2014-01-06 17:50 UTC] scott at arciszewski dot me
https://github.com/php/php-src/blob/PHP-5.5.7/ext/gd/libgd/gd.c#L1827

Indeed. Does anyone want to patch it for 5.5.8?
 [2015-07-20 21:19 UTC] cmb@php.net
-Status: Open +Status: Analyzed -Operating System: Windows +Operating System: * -PHP Version: 5.5.7 +PHP Version: 5.6.11 -Assigned To: +Assigned To: cmb
 [2015-07-20 21:19 UTC] cmb@php.net
Well, the recursive algorithm might not be the perfect solution,
but the real issue here is that a very large negative coordinate
is passed to imagefilltoborder(). If the coordinates were properly
clipped[1], the test script would run fine.

Of course, the same problem would occur for very large images, but
it's not unlikely that such images can't be allocated anyway (see
bug #66488), and I expect other issues with very large images as
well.

[1] <https://github.com/php/php-src/blob/PHP-5.5.7/ext/gd/libgd/gd.c#L1775-L1780>
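The mechanism cmb describes above, as an added example that is neither libgd's nor php-src's code: a simplified recursive scanline fill-to-border in the style of gdImageFillToBorder, run on a constructed 20x20 image with a border line on row 10. The start row -300 stands in for the report's -999355 so the program runs on a default stack; a depth counter stands in for stack consumption. Out-of-range reads return 0 (as gdImageGetPixel does), so a start row far above the image is never "stopped" by a border and the recursion descends one level per row until it reaches row 0. The `clip_negative` switch is the assumed fix (clamp negative start coordinates as the high side already is); the exact form of the committed fix is not shown on this page.

```c
#include <stdio.h>

#define IMG_W 20
#define IMG_H 20

/* Minimal stand-in for a gd image: one int per pixel, row-major. */
typedef struct { int sx, sy; int px[IMG_W * IMG_H]; } Image;

enum { BG = 0, FILL = 1, BORDER = 2 };

/* Like gdImageGetPixel: an out-of-range read yields 0 instead of faulting. */
static int get_pixel(const Image *im, int x, int y)
{
    if (x < 0 || x >= im->sx || y < 0 || y >= im->sy) return 0;
    return im->px[y * im->sx + x];
}

/* Like gdImageSetPixel: writes outside the image are silently dropped. */
static void set_pixel(Image *im, int x, int y, int c)
{
    if (x < 0 || x >= im->sx || y < 0 || y >= im->sy) return;
    im->px[y * im->sx + x] = c;
}

/* Simplified recursive fill-to-border. Only the high side of the start
 * coordinates is clipped unless clip_negative is set (the assumed fix);
 * max_depth records the deepest recursion level reached. */
static void fill_to_border(Image *im, int x, int y, int border, int color,
                           int clip_negative, int depth, int *max_depth)
{
    int i, left, right, last_border;

    if (depth > *max_depth) *max_depth = depth;

    if (x >= im->sx) x = im->sx - 1;      /* clipping present in the old code */
    if (y >= im->sy) y = im->sy - 1;
    if (clip_negative) {                  /* clamp the low side as well */
        if (x < 0) x = 0;
        if (y < 0) y = 0;
    }

    /* Seek left, then right, painting until a border pixel is hit. */
    for (i = x - 1; i >= 0; i--) {
        if (get_pixel(im, i, y) == border) break;
        set_pixel(im, i, y, color);
    }
    left = i + 1;
    for (i = x; i < im->sx; i++) {
        if (get_pixel(im, i, y) == border) break;
        set_pixel(im, i, y, color);
    }
    right = i - 1;

    if (y > 0) {                          /* seek above */
        last_border = 1;
        for (i = left; i <= right; i++) {
            int c = get_pixel(im, i, y - 1);
            if (last_border) {
                if (c != border && c != color) {
                    fill_to_border(im, i, y - 1, border, color, clip_negative, depth + 1, max_depth);
                    last_border = 0;
                }
            } else if (c == border || c == color) last_border = 1;
        }
    }
    /* Seek below: for a start row far below zero this is entered once per
     * row between y and 0, one recursion level each, before the image is
     * even reached. */
    if (y < im->sy - 1) {
        last_border = 1;
        for (i = left; i <= right; i++) {
            int c = get_pixel(im, i, y + 1);
            if (last_border) {
                if (c != border && c != color) {
                    fill_to_border(im, i, y + 1, border, color, clip_negative, depth + 1, max_depth);
                    last_border = 0;
                }
            } else if (c == border || c == color) last_border = 1;
        }
    }
}

/* Constructed scenario: 20x20 image, BORDER line on row 10, fill from
 * (0, start_y). Returns the maximum recursion depth; *painted receives the
 * number of FILL pixels. */
int demo_fill(int start_y, int clip_negative, int *painted)
{
    Image im;
    int i, max_depth = 0, n = 0;
    im.sx = IMG_W; im.sy = IMG_H;
    for (i = 0; i < IMG_W * IMG_H; i++) im.px[i] = BG;
    for (i = 0; i < IMG_W; i++) set_pixel(&im, i, 10, BORDER);
    fill_to_border(&im, 0, start_y, BORDER, FILL, clip_negative, 0, &max_depth);
    for (i = 0; i < IMG_W * IMG_H; i++) if (im.px[i] == FILL) n++;
    *painted = n;
    return max_depth;
}

int main(void)
{
    int painted, d;
    d = demo_fill(-300, 0, &painted);
    printf("unclipped, start y=-300: depth %d, painted %d\n", d, painted);
    d = demo_fill(-300, 1, &painted);
    printf("clipped,   start y=-300: depth %d, painted %d\n", d, painted);
    return 0;
}
```

Both runs paint the same 200 pixels (rows 0 to 9, stopped by the border on row 10), but the unclipped run recurses 300 levels deeper than the clipped one just to travel from row -300 to row 0; with the report's -999355 that depth exhausts the thread stack, which is the crash in the trace above.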
 [2015-07-20 21:51 UTC] cmb@php.net
Automatic comment on behalf of cmb
Revision: http://git.php.net/?p=php-src.git;a=commit;h=e7f2356665c2569191a946b6fc35b437f0ae1384
Log: Fix #66387: Stack overflow with imagefilltoborder
 [2015-07-20 21:51 UTC] cmb@php.net
-Status: Analyzed +Status: Closed
 [2015-07-20 22:01 UTC] cmb@php.net
Reported upstream: <https://github.com/libgd/libgd/issues/178>.
 [2015-07-21 14:20 UTC] ab@php.net
Automatic comment on behalf of cmb
Revision: http://git.php.net/?p=php-src.git;a=commit;h=e7f2356665c2569191a946b6fc35b437f0ae1384
Log: Fix #66387: Stack overflow with imagefilltoborder
 [2016-06-07 18:48 UTC] kaplan@php.net
-CVE-ID: +CVE-ID: 2015-8874
 [2016-06-13 06:20 UTC] ab@php.net
Automatic comment on behalf of cmb
Revision: http://git.php.net/?p=php-src.git;a=commit;h=f96ebb098697908641c6d37e1149cde1f90417fd
Log: Fix #66387: Stack overflow with imagefilltoborder
 [2016-06-13 06:23 UTC] stas@php.net
-PHP Version: 5.6.11 +PHP Version: 5.5.36
 [2016-06-21 07:03 UTC] stas@php.net
Automatic comment on behalf of cmb
Revision: http://git.php.net/?p=php-src.git;a=commit;h=f96ebb098697908641c6d37e1149cde1f90417fd
Log: Fix #66387: Stack overflow with imagefilltoborder
 [2016-06-21 07:26 UTC] stas@php.net
Automatic comment on behalf of cmb
Revision: http://git.php.net/?p=php-src.git;a=commit;h=f96ebb098697908641c6d37e1149cde1f90417fd
Log: Fix #66387: Stack overflow with imagefilltoborder
 [2016-06-22 05:58 UTC] krakjoe@php.net
Automatic comment on behalf of cmb
Revision: http://git.php.net/?p=php-src.git;a=commit;h=f96ebb098697908641c6d37e1149cde1f90417fd
Log: Fix #66387: Stack overflow with imagefilltoborder
 [2021-08-17 02:24 UTC] 474021880 at qq dot com
The following patch has been added/updated:

Patch Name: CVE-2015-8874
Revision:   1629167095
URL:        https://bugs.php.net/patch-display.php?bug=66387&patch=CVE-2015-8874&revision=1629167095
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Sun Oct 27 16:01:27 2024 UTC