Bug #71952 Corruption inside imageaffinematrixget
Submitted: 2016-04-04 07:08 UTC Modified: 2016-04-19 06:31 UTC
From: fernando at null-life dot com Assigned:
Status: Closed Package: GD related
PHP Version: 5.6.20 OS: Linux
Private report: No CVE-ID:
 [2016-04-04 07:08 UTC] fernando at null-life dot com
Description:
------------
When passing an element from an array as imageaffinematrixget's second parameter, it will change some of its content and corrupt the value of it; this could cause additional memory issues when the corrupted value is used in other functions.

Test case 1 seems to be reading data from somewhere else.

In test cases 2 and 3, it makes the interpreter believe that the string has a length of -1294975648.

This was tested on a 32-bit system.

Test script:
---------------
Test case 1:
<?php
$vals=[str_repeat("A", "200" ), 0, 1, 2, 3,4,5,6,7,8,9];
imageaffinematrixget(4,$vals[0]);
var_dump($vals[0]);

Test case 2:
<?php

for($i=0;$i<3990;++$i){$arr[]=[];};
$vals=["AA",0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,[],0,0,0,0,0,[],0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,[],[],[],0,0,0,0,$arr,0,0,0,0,0,0,0,0,0,0,0];
imageaffinematrixget(4,$vals[0]);
str_replace(0,$vals[83],0);
var_dump($vals[0]);  //defined($vals[0]);

Test case 3:
<?php

for($i=0;$i<3990;++$i){$arr[]=[];};
$vals=["AA",0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,[],0,0,0,0,0,[],0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,[],[],[],0,0,0,0,$arr,0,0,0,0,0,0,0,0,0,0,0];
imageaffinematrixget(4,$vals[0]);
str_replace(0,$vals[83],0);
defined($vals[0]);

Expected result:
----------------
Case 1:
string(200) "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"

Case 2 and 3:
At least no crash



Actual result:
--------------
Case 1:
string(200) "l?m???m?1ent-type: text/html; charset=UTF-8A1??-4?m??m?p?m?-?m?"

Case 2:
string(-1294975648) "ASAN:SIGSEGV
=================================================================
==3788==ERROR: AddressSanitizer: SEGV on unknown address 0x00000028 (pc 0x09309ea4 bp 0xb422ac58 sp 0xbfffc160 T0)
    #0 0x9309ea3 in zend_mm_remove_from_free_list /home/fmunozs/phpasan/php5-5.6.17+dfsg.orig/Zend/zend_alloc.c:837
    #1 0x9309ea3 in _zend_mm_free_int /home/fmunozs/phpasan/php5-5.6.17+dfsg.orig/Zend/zend_alloc.c:2105
    #2 0x9309ea3 in _efree /home/fmunozs/phpasan/php5-5.6.17+dfsg.orig/Zend/zend_alloc.c:2440
    #3 0x93d0748 in _zval_dtor /home/fmunozs/phpasan/php5-5.6.17+dfsg.orig/Zend/zend_variables.h:35
    #4 0x93d0748 in i_zval_ptr_dtor /home/fmunozs/phpasan/php5-5.6.17+dfsg.orig/Zend/zend_execute.h:79
    #5 0x93d0748 in _zval_ptr_dtor /home/fmunozs/phpasan/php5-5.6.17+dfsg.orig/Zend/zend_execute_API.c:424
    #6 0x94fa093 in zend_hash_destroy /home/fmunozs/phpasan/php5-5.6.17+dfsg.orig/Zend/zend_hash.c:548
    #7 0x946eea4 in _zval_dtor_func /home/fmunozs/phpasan/php5-5.6.17+dfsg.orig/Zend/zend_variables.c:45
    #8 0x93d0748 in _zval_dtor /home/fmunozs/phpasan/php5-5.6.17+dfsg.orig/Zend/zend_variables.h:35
    #9 0x93d0748 in i_zval_ptr_dtor /home/fmunozs/phpasan/php5-5.6.17+dfsg.orig/Zend/zend_execute.h:79
    #10 0x93d0748 in _zval_ptr_dtor /home/fmunozs/phpasan/php5-5.6.17+dfsg.orig/Zend/zend_execute_API.c:424
    #11 0x94fc1b7 in i_zend_hash_bucket_delete /home/fmunozs/phpasan/php5-5.6.17+dfsg.orig/Zend/zend_hash.c:182
    #12 0x94fc1b7 in zend_hash_bucket_delete /home/fmunozs/phpasan/php5-5.6.17+dfsg.orig/Zend/zend_hash.c:192
    #13 0x94fc1b7 in zend_hash_graceful_reverse_destroy /home/fmunozs/phpasan/php5-5.6.17+dfsg.orig/Zend/zend_hash.c:613
    #14 0x93d401d in shutdown_executor /home/fmunozs/phpasan/php5-5.6.17+dfsg.orig/Zend/zend_execute_API.c:244
    #15 0x9475b3a in zend_deactivate /home/fmunozs/phpasan/php5-5.6.17+dfsg.orig/Zend/zend.c:960
    #16 0x9182057 in php_request_shutdown /home/fmunozs/phpasan/php5-5.6.17+dfsg.orig/main/main.c:1883
    #17 0x9a9d5c4 in do_cli /home/fmunozs/phpasan/php5-5.6.17+dfsg.orig/sapi/cli/php_cli.c:1177
    #18 0x8088248 in main /home/fmunozs/phpasan/php5-5.6.17+dfsg.orig/sapi/cli/php_cli.c:1378
    #19 0xb763f645 in __libc_start_main (/lib/i386-linux-gnu/libc.so.6+0x18645)
    #20 0x808881b  (/home/fmunozs/phpasan/php5-5.6.17+dfsg.orig/sapi/cli/php+0x808881b)

Case 3:


==3821==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xb4250800 at pc 0x095058b9 bp 0xbfffa9e8 sp 0xbfffa9d8
READ of size 1 at 0xb4250800 thread T0
    #0 0x95058b8 in zend_inline_hash_func /home/fmunozs/phpasan/php5-5.6.17+dfsg.orig/Zend/zend_hash.h:279
    #1 0x95058b8 in zend_hash_find /home/fmunozs/phpasan/php5-5.6.17+dfsg.orig/Zend/zend_hash.c:846
    #2 0x93ca9d5 in zend_get_constant /home/fmunozs/phpasan/php5-5.6.17+dfsg.orig/Zend/zend_constants.c:279
    #3 0x93cbe75 in zend_get_constant_ex /home/fmunozs/phpasan/php5-5.6.17+dfsg.orig/Zend/zend_constants.c:435
    #4 0x952bb27 in zif_defined /home/fmunozs/phpasan/php5-5.6.17+dfsg.orig/Zend/zend_builtin_functions.c:739
    #5 0x9a92c45 in zend_do_fcall_common_helper_SPEC /home/fmunozs/phpasan/php5-5.6.17+dfsg.orig/Zend/zend_vm_execute.h:558
    #6 0x967ec95 in execute_ex /home/fmunozs/phpasan/php5-5.6.17+dfsg.orig/Zend/zend_vm_execute.h:363
    #7 0x982b063 in zend_execute /home/fmunozs/phpasan/php5-5.6.17+dfsg.orig/Zend/zend_vm_execute.h:388
    #8 0x948181b in zend_execute_scripts /home/fmunozs/phpasan/php5-5.6.17+dfsg.orig/Zend/zend.c:1341
    #9 0x9186515 in php_execute_script /home/fmunozs/phpasan/php5-5.6.17+dfsg.orig/main/main.c:2597
    #10 0x9a9fa68 in do_cli /home/fmunozs/phpasan/php5-5.6.17+dfsg.orig/sapi/cli/php_cli.c:994
    #11 0x8088248 in main /home/fmunozs/phpasan/php5-5.6.17+dfsg.orig/sapi/cli/php_cli.c:1378
    #12 0xb763f645 in __libc_start_main (/lib/i386-linux-gnu/libc.so.6+0x18645)
    #13 0x808881b  (/home/fmunozs/phpasan/php5-5.6.17+dfsg.orig/sapi/cli/php+0x808881b)
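A defensive wrapper, added here and not part of the report or of php-src, for code that cannot yet run a build carrying the fix commit listed under History: it validates the options value and hands imageaffinematrixget() only a freshly created float or array, so a string element taken from the caller's array (as in the test cases above) never reaches the extension. It assumes the IMG_AFFINE_* constants and the type/option pairing documented in the PHP manual; the function name safe_affine_matrix is invented.

```php
<?php
// Added example (not from the bug report or php-src). Assumed: the corruption in
// the report is triggered by a non-float / non-array value reaching the extension,
// so passing a value that is already of the expected type sidesteps it.
function safe_affine_matrix($type, $options)
{
    if (!is_int($type)) {
        throw new InvalidArgumentException("affine matrix type must be an int");
    }
    switch ($type) {
        case IMG_AFFINE_TRANSLATE:
        case IMG_AFFINE_SCALE:
            // These types take an array with numeric 'x' and 'y'; build a new
            // array of floats instead of passing the caller's value through.
            if (!is_array($options) || !isset($options['x'], $options['y'])
                || !is_numeric($options['x']) || !is_numeric($options['y'])) {
                throw new InvalidArgumentException("type $type needs ['x' => float, 'y' => float]");
            }
            $arg = array('x' => (float) $options['x'], 'y' => (float) $options['y']);
            break;
        case IMG_AFFINE_ROTATE:
        case IMG_AFFINE_SHEAR_HORIZONTAL:   // type 3
        case IMG_AFFINE_SHEAR_VERTICAL:     // type 4, the one used in the test cases
            // These take an angle in degrees; the cast creates a fresh float zval,
            // so the caller's variable is never touched by the extension.
            if (!is_numeric($options)) {
                throw new InvalidArgumentException("type $type needs a numeric angle, got " . gettype($options));
            }
            $arg = (float) $options;
            break;
        default:
            throw new InvalidArgumentException("unknown affine matrix type $type");
    }
    $m = imageaffinematrixget($type, $arg);
    if ($m === false) {
        throw new RuntimeException("imageaffinematrixget() failed for type $type");
    }
    return $m;
}

// Usage: the shape of test case 1 (a 200-byte string where an angle is expected)
// is rejected before the extension runs, and $vals[0] stays intact.
$vals = array(str_repeat("A", 200), 0, 1);
try {
    safe_affine_matrix(IMG_AFFINE_SHEAR_VERTICAL, $vals[0]);
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), "\n";
}
var_dump($vals[0] === str_repeat("A", 200));
print_r(safe_affine_matrix(IMG_AFFINE_ROTATE, 90));
```

On a patched build the wrapper is still harmless; it only adds the type check that the extension should have performed itself.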



History

 [2016-04-19 06:31 UTC] stas@php.net
-Type: Security +Type: Bug
 [2016-04-19 06:31 UTC] stas@php.net
Doesn't look like security issue to me.
 [2016-04-19 06:33 UTC] stas@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=f061867fd385109861d128ae6f3e2484fc4daa72
Log: Fix bug #71952: Corruption inside imageaffinematrixget
 [2016-04-19 06:33 UTC] stas@php.net
-Status: Open +Status: Closed
 [2016-04-19 06:34 UTC] stas@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=f061867fd385109861d128ae6f3e2484fc4daa72
Log: Fix bug #71952: Corruption inside imageaffinematrixget
 [2016-04-28 00:34 UTC] tyrael@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=0cc5e91d529cd8bbcbf277f950ee30026b3c5454
Log: Fix bug #71952: Corruption inside imageaffinematrixget
Last updated: Wed Jun 28 12:01:42 2017 UTC