Sec Bug #68601 buffer read overflow in gd_gif_in.c
Submitted: 2014-12-13 07:52 UTC Modified: 2015-03-24 09:31 UTC
From: remi@php.net Assigned: remi (profile)
Status: Closed Package: GD related
PHP Version: 5.4.35 OS: irrelevant
Private report: No CVE-ID: 2014-9709
 [2014-12-13 07:52 UTC] remi@php.net
Description:
------------
An ASAN'ified call looks like this:

./giftogd2 asan_stack-oob_53533d_34_adaf0da1764aafb7039440dbe098569b.gif /tmp/null 1 1
=================================================================
==23529==ERROR: AddressSanitizer: stack-buffer-overflow on address
0x7fff7ca923b8 at pc 0x53533d bp 0x7fff7ca80750 sp 0x7fff7ca80748
READ of size 1 at 0x7fff7ca923b8 thread T0
    #0 0x53533c in GetCode_ /libgd-2.1.0_master/master/src/gd_gif_in.c:471
    #1 0x5332d1 in GetCode /libgd-2.1.0_master/master/src/gd_gif_in.c:484
    #2 0x53044e in LWZReadByte_ /libgd-2.1.0_master/master/src/gd_gif_in.c:538
    #3 0x52e7b5 in LWZReadByte /libgd-2.1.0_master/master/src/gd_gif_in.c:627
    #4 0x52d5cf in ReadImage /libgd-2.1.0_master/master/src/gd_gif_in.c:677
    #5 0x52a760 in gdImageCreateFromGifCtx /libgd-2.1.0_master/master/src/gd_gif_in.c:311
    #6 0x52822e in gdImageCreateFromGif /libgd-2.1.0_master/master/src/gd_gif_in.c:154
    #7 0x47d204 in main /libgd-2.1.0_master/master/src/giftogd2.c:32
    #8 0x7f5e313afec4 (/lib/x86_64-linux-gnu/libc.so.6+0x21ec4)
    #9 0x47cbcc in _start (/libgd-2.1.0_master/master/f_app_src/giftogd2+0x47cbcc)

Address 0x7fff7ca923b8 is located in stack of thread T0 at offset 66744 in frame
    #0 0x52c6bf in ReadImage /libgd-2.1.0_master/master/src/gd_gif_in.c:638

  This frame has 14 object(s):
    [32, 40) ''
    [96, 104) ''
    [160, 164) ''
    [224, 228) ''
    [288, 296) ''
    [352, 356) ''
    [416, 424) ''
    [480, 481) 'c'
    [544, 548) 'xpos'
    [608, 612) 'ypos'
    [672, 676) 'pass'
    [736, 740) 'v'
    [800, 804) 'i'
    [864, 66744) 'sd' <== Memory access at offset 66744 overflows this variable
SUMMARY: AddressSanitizer: stack-buffer-overflow /libgd-2.1.0_master/master/src/gd_gif_in.c:471 GetCode_
Shadow bytes around the buggy address:
  0x10006f94a420: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10006f94a430: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10006f94a440: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10006f94a450: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10006f94a460: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x10006f94a470: 00 00 00 00 00 00 00[f4]f3 f3 f3 f3 00 00 00 00
  0x10006f94a480: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10006f94a490: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10006f94a4a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10006f94a4b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10006f94a4c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:     fa
  Heap right redzone:    fb
  Freed heap region:     fd
  Stack left redzone:    f1
  Stack mid redzone:     f2
  Stack right redzone:   f3
  Stack partial redzone: f4
  Stack after return:    f5
  Stack use after scope: f8
  Global redzone:        f9
  Global init order:     f6
  Poisoned by user:      f7
  ASan internal:         fe
==23529==ABORTING
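The trace shows GetCode_ indexing past the end of the ReadImage stack object 'sd' while extracting LZW code bits. As an added illustration (this is not libgd's code nor the PHP fix commit linked in the history; the struct layout, CSD_BUF_SIZE, the helper names and the sample stream are all assumptions constructed for this example), here is a minimal GIF LZW bit reader in the same shape as GetCode_, with the bounds check that keeps the bit cursor inside the buffer and inside the bits that were actually filled:

```c
/* Added example, not libgd's or PHP's code. Names, sizes and the sample
 * stream are assumptions constructed to illustrate the overflow class. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define CSD_BUF_SIZE 280   /* assumed: 2 carry bytes + one 255-byte sub-block, plus slack */
#define MAX_CODE_SIZE 12   /* GIF LZW codes are at most 12 bits wide */

typedef struct {
    unsigned char buf[CSD_BUF_SIZE];
    int curbit;      /* bit cursor into buf */
    int lastbit;     /* number of valid bits in buf */
    int last_byte;   /* number of valid bytes in buf */
    bool done;       /* no more sub-blocks to fetch */
} code_state;

/* In-memory stand-in for the gdIOCtx byte source. */
typedef struct { const unsigned char *p; size_t len, pos; } mem_in;

/* Read one GIF data sub-block (count byte, then count bytes) into dst.
 * Returns count, 0 at the block terminator, -1 on truncated input. */
static int get_data_block(mem_in *in, unsigned char *dst)
{
    if (in->pos >= in->len) return -1;
    int count = in->p[in->pos++];
    if (count == 0) return 0;
    if (in->pos + (size_t)count > in->len) return -1;
    memcpy(dst, in->p + in->pos, (size_t)count);
    in->pos += (size_t)count;
    return count;
}

/* Return the next code_size-bit LZW code (LSB first), or -1 when the
 * stream is exhausted or the bit cursor would leave buf. */
static int get_code(mem_in *in, code_state *s, int code_size)
{
    if (code_size <= 0 || code_size > MAX_CODE_SIZE) return -1;

    if (s->curbit + code_size > s->lastbit) {
        if (s->done) return -1;
        /* Carry the last two bytes forward so a code may straddle sub-blocks. */
        if (s->last_byte >= 2) {
            s->buf[0] = s->buf[s->last_byte - 2];
            s->buf[1] = s->buf[s->last_byte - 1];
        } else {
            s->buf[0] = s->buf[1] = 0;
        }
        int count = get_data_block(in, &s->buf[2]);
        if (count <= 0) { s->done = true; count = 0; }
        s->last_byte = 2 + count;
        s->curbit = (s->curbit - s->lastbit) + 16;
        s->lastbit = (2 + count) * 8;
    }

    /* The guard whose absence yields a read past buf: every index i/8 used
     * below must stay inside buf, and every bit read must have been filled. */
    if (s->curbit < 0 || s->curbit + code_size > s->lastbit ||
        s->curbit + code_size > CSD_BUF_SIZE * 8)
        return -1;

    int ret = 0;
    for (int i = s->curbit, j = 0; j < code_size; ++i, ++j)
        ret |= ((s->buf[i / 8] >> (i % 8)) & 1) << j;
    s->curbit += code_size;
    return ret;
}

/* Pull fixed-size codes from a sub-block stream until get_code refuses;
 * returns how many codes were stored in out (at most max). */
static int decode_codes(const unsigned char *stream, size_t len,
                        int code_size, int *out, int max)
{
    mem_in in = { stream, len, 0 };
    code_state s;
    memset(&s, 0, sizeof s);
    int n = 0;
    while (n < max) {
        int c = get_code(&in, &s, code_size);
        if (c < 0) break;
        out[n++] = c;
    }
    return n;
}

/* idx-th 3-bit code of the constructed sample stream, or -1 past its end.
 * The stream is one 2-byte sub-block (0xE5 0x03) followed by the terminator. */
static int sample_code(int idx)
{
    static const unsigned char stream[] = { 0x02, 0xE5, 0x03, 0x00 };
    int codes[16];
    int n = decode_codes(stream, sizeof stream, 3, codes, 16);
    return (idx >= 0 && idx < n) ? codes[idx] : -1;
}

int main(void)
{
    for (int i = 0; sample_code(i) >= 0; i++)
        printf("code[%d] = %d\n", i, sample_code(i));   /* 5 4 7 1 0 */
    return 0;
}
```

The sample stream holds 32 bits, so five 3-bit codes decode cleanly and the sixth request triggers a refill that hits the terminator; the guard then returns -1 instead of reading the leftover bit plus two bits that were never filled. The same guard rejects a cursor that accounting errors have pushed beyond CSD_BUF_SIZE * 8 or below zero, which is the condition an ASan stack-buffer-overflow on the decoder state reports.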




History
 [2014-12-13 07:54 UTC] remi@php.net
-Assigned To: +Assigned To: remi
 [2014-12-13 08:07 UTC] remi@php.net
-Status: Assigned +Status: Closed
 [2014-12-13 08:07 UTC] remi@php.net
The fix for this bug has been committed.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.

 For Windows:

http://windows.php.net/snapshots/
 
Thank you for the report, and for helping us make PHP better.

Fixed in http://git.php.net/?p=php-src.git;a=commitdiff;h=07b5896a1389c3e865cbd2fb353806b2cefe4f5c
 [2015-03-24 09:31 UTC] kaplan@php.net
-CVE-ID: +CVE-ID: 2014-9709
 [2015-03-24 09:31 UTC] kaplan@php.net
Add CVE-2014-9709 per http://seclists.org/oss-sec/2015/q1/973
 [2015-03-28 11:30 UTC] ghedo at debian dot org
Hello,

is the test case available anywhere?

Thanks
 [2015-04-06 00:38 UTC] stas@php.net
Automatic comment on behalf of remi
Revision: http://git.php.net/?p=php-src.git;a=commit;h=afbf725e7380dfb3ff43a993e43abd9759a66c2b
Log: Fix bug #68601 buffer read overflow in gd_gif_in.c
 
PHP Copyright © 2001-2025 The PHP Group
All rights reserved.
Last updated: Fri Feb 07 20:01:29 2025 UTC