php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Sec Bug #68601 buffer read overflow in gd_gif_in.c
Submitted: 2014-12-13 07:52 UTC Modified: 2015-03-24 09:31 UTC
From: remi@php.net Assigned: remi
Status: Closed Package: GD related
PHP Version: 5.4.35 OS: irrevelant
Private report: No CVE-ID: 2014-9709
 [2014-12-13 07:52 UTC] remi@php.net
Description:
------------
An ASAN'ified call looks like this:

./giftogd2 asan_stack-oob_53533d_34_adaf0da1764aafb7039440dbe098569b.gif
/tmp/null 1 1
=================================================================
==23529==ERROR: AddressSanitizer: stack-buffer-overflow on address
0x7fff7ca923b8 at pc 0x53533d bp 0x7fff7ca80750 sp 0x7fff7ca80748
READ of size 1 at 0x7fff7ca923b8 thread T0
    #0 0x53533c in GetCode_ /libgd-2.1.0_master/master/src/gd_gif_in.c:471
    #1 0x5332d1 in GetCode /libgd-2.1.0_master/master/src/gd_gif_in.c:484
    #2 0x53044e in LWZReadByte_ /libgd-2.1.0_master/master/src/gd_gif_in.c:538
    #3 0x52e7b5 in LWZReadByte /libgd-2.1.0_master/master/src/gd_gif_in.c:627
    #4 0x52d5cf in ReadImage /libgd-2.1.0_master/master/src/gd_gif_in.c:677
    #5 0x52a760 in gdImageCreateFromGifCtx
/libgd-2.1.0_master/master/src/gd_gif_in.c:311
    #6 0x52822e in gdImageCreateFromGif
/libgd-2.1.0_master/master/src/gd_gif_in.c:154
    #7 0x47d204 in main /libgd-2.1.0_master/master/src/giftogd2.c:32
    #8 0x7f5e313afec4 (/lib/x86_64-linux-gnu/libc.so.6+0x21ec4)
    #9 0x47cbcc in _start
(/libgd-2.1.0_master/master/f_app_src/giftogd2+0x47cbcc)

Address 0x7fff7ca923b8 is located in stack of thread T0 at offset 66744 in frame
    #0 0x52c6bf in ReadImage /libgd-2.1.0_master/master/src/gd_gif_in.c:638

  This frame has 14 object(s):
    [32, 40) ''
    [96, 104) ''
    [160, 164) ''
    [224, 228) ''
    [288, 296) ''
    [352, 356) ''
    [416, 424) ''
    [480, 481) 'c'
    [544, 548) 'xpos'
    [608, 612) 'ypos'
    [672, 676) 'pass'
    [736, 740) 'v'
    [800, 804) 'i'
    [864, 66744) 'sd' <== Memory access at offset 66744 overflows this variable
SUMMARY: AddressSanitizer: stack-buffer-overflow
/libgd-2.1.0_master/master/src/gd_gif_in.c:471 GetCode_
Shadow bytes around the buggy address:
  0x10006f94a420: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10006f94a430: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10006f94a440: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10006f94a450: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10006f94a460: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x10006f94a470: 00 00 00 00 00 00 00[f4]f3 f3 f3 f3 00 00 00 00
  0x10006f94a480: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10006f94a490: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10006f94a4a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10006f94a4b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10006f94a4c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:     fa
  Heap right redzone:    fb
  Freed heap region:     fd
  Stack left redzone:    f1
  Stack mid redzone:     f2
  Stack right redzone:   f3
  Stack partial redzone: f4
  Stack after return:    f5
  Stack use after scope: f8
  Global redzone:        f9
  Global init order:     f6
  Poisoned by user:      f7
  ASan internal:         fe
==23529==ABORTING




Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2014-12-13 07:54 UTC] remi@php.net
-Assigned To: +Assigned To: remi
 [2014-12-13 08:07 UTC] remi@php.net
-Status: Assigned +Status: Closed
 [2014-12-13 08:07 UTC] remi@php.net
The fix for this bug has been committed.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.

 For Windows:

http://windows.php.net/snapshots/
 
Thank you for the report, and for helping us make PHP better.

Fixed in http://git.php.net/?p=php-src.git;a=commitdiff;h=07b5896a1389c3e865cbd2fb353806b2cefe4f5c
 [2015-03-24 09:31 UTC] kaplan@php.net
-CVE-ID: +CVE-ID: 2014-9709
 [2015-03-24 09:31 UTC] kaplan@php.net
Add CVE-2014-9709 per http://seclists.org/oss-sec/2015/q1/973
 [2015-03-28 11:30 UTC] ghedo at debian dot org
Hello,

is the test case available anywhere?

Thanks
 [2015-04-06 00:38 UTC] stas@php.net
Automatic comment on behalf of remi
Revision: http://git.php.net/?p=php-src.git;a=commit;h=afbf725e7380dfb3ff43a993e43abd9759a66c2b
Log: Fix bug #68601 buffer read overflow in gd_gif_in.c
 
PHP Copyright © 2001-2017 The PHP Group
All rights reserved.
Last updated: Fri Apr 28 10:01:38 2017 UTC