Sec Bug #72227 imagescale out-of-bounds read
Submitted: 2016-05-17 03:16 UTC Modified: 2016-05-26 21:04 UTC
From: fernando at null-life dot com Assigned: stas (profile)
Status: Closed Package: GD related
PHP Version: 5.5.35 OS: Linux
Private report: No CVE-ID: 2013-7456
 [2016-05-17 03:16 UTC] fernando at null-life dot com
Description:
------------
Tested on PHP 7 on 32 bits with ASAN and using USE_ZEND_ALLOC=0.

user@Xenial32-2:~/crashes/gd$ USE_ZEND_ALLOC=0 gdb -q --args /home/user/php-7.0/sapi/cli/php -n phuzz4.php

Reading symbols from /home/user/php-7.0/sapi/cli/php...done.
(gdb) b gd_interpolation.c:890
Breakpoint 1 at 0x81925a9: file /home/user/php-7.0/ext/gd/libgd/gd_interpolation.c, line 890.
(gdb) b gd_interpolation.c:982 if i == 12
Breakpoint 2 at 0x81929fc: file /home/user/php-7.0/ext/gd/libgd/gd_interpolation.c, line 982.
(gdb) r
Starting program: /home/user/php-7.0/sapi/cli/php -n phuzz4.php

Breakpoint 1, _gdContributionsAlloc (line_length=13, windows_size=9) at /home/user/php-7.0/ext/gd/libgd/gd_interpolation.c:890
890         res->ContribRow = (ContributionType *) gdMalloc(line_length * sizeof(ContributionType));

# windows_size is 9 

(gdb) c
Continuing.

Breakpoint 2, _gdScaleRow (pSrc=0x8c71c38, src_width=100, dst=0x8c7f5f0, dst_width=13, row=0, contrib=0x8c5c2d8)
    at /home/user/php-7.0/ext/gd/libgd/gd_interpolation.c:982
982                 r += (unsigned char)(contrib->ContribRow[x].Weights[left_channel] * (double)(gdTrueColorGetRed(p_src_row[i])));
(gdb) p left_channel
$1 = 9

contrib->ContribRow[x].Weights[left_channel] tries to access the 10th element, but the size is 9.

As you can see here, this was fixed in 2013 on upstream libgd: 

https://github.com/libgd/libgd/commit/4f65a3e4eedaffa1efcf9ee1eb08f0b504fbc31a

While PHP's libgd is still wrong:

https://github.com/php/php-src/blob/master/ext/gd/libgd/gd_interpolation.c#L935-L936

The fix is just moving those two lines below the if condition. Attached a patch.



Test script:
---------------
<?php
// 100x100 source scaled down to 13x1 with the bicubic filter
$img = imagecreatetruecolor(100, 100);
imagescale($img, 13, 1, IMG_BICUBIC);

Expected result:
----------------
No crash

Actual result:
--------------
$ USE_ZEND_ALLOC=0 /ramdisk/php-70/sapi/cli/php -n phuzz4.php
=================================================================
==6666==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xf1202ec8 at pc 0x0869258e bp 0xffc3db68 sp 0xffc3db58
READ of size 8 at 0xf1202ec8 thread T0
    #0 0x869258d in _gdScaleRow /home/user/php-7.0asan/ext/gd/libgd/gd_interpolation.c:980
    #1 0x869258d in _gdScaleHoriz /home/user/php-7.0asan/ext/gd/libgd/gd_interpolation.c:1008
    #2 0x869258d in gdImageScaleTwoPass /home/user/php-7.0asan/ext/gd/libgd/gd_interpolation.c:1072
    #3 0x86a1525 in gdImageScale /home/user/php-7.0asan/ext/gd/libgd/gd_interpolation.c:1659
    #4 0x85ba750 in zif_imagescale /home/user/php-7.0asan/ext/gd/gd.c:4674
    #5 0x9a31522 in ZEND_DO_ICALL_SPEC_HANDLER /home/user/php-7.0asan/Zend/zend_vm_execute.h:586
    #6 0x980f979 in execute_ex /home/user/php-7.0asan/Zend/zend_vm_execute.h:414
    #7 0x9b29bf2 in zend_execute /home/user/php-7.0asan/Zend/zend_vm_execute.h:458
    #8 0x95e8bcc in zend_execute_scripts /home/user/php-7.0asan/Zend/zend.c:1427
    #9 0x932dfeb in php_execute_script /home/user/php-7.0asan/main/main.c:2494
    #10 0x9b32370 in do_cli /home/user/php-7.0asan/sapi/cli/php_cli.c:974
    #11 0x80a6596 in main /home/user/php-7.0asan/sapi/cli/php_cli.c:1344
    #12 0xf6ceb636 in __libc_start_main (/lib/i386-linux-gnu/libc.so.6+0x18636)
    #13 0x80a6b1a  (/ramdisk/php-70/sapi/cli/php+0x80a6b1a)

0xf1202ec8 is located 0 bytes to the right of 72-byte region [0xf1202e80,0xf1202ec8)
allocated by thread T0 here:
    #0 0xf72ead06 in malloc (/usr/lib/i386-linux-gnu/libasan.so.2+0x96d06)
    #1 0x94b77d9 in _emalloc /home/user/php-7.0asan/Zend/zend_alloc.c:2446

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/user/php-7.0asan/ext/gd/libgd/gd_interpolation.c:980 _gdScaleRow
==6666==ABORTING
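As an added example (not gd's source and not the patch attached to this report), the following C model reproduces the window arithmetic the report describes: the spill-off clamp moves iLeft, but the buggy version has already stored Left/Right, so the inner loop's i - Left reaches windows_size. The filter half-width of 0.5 is an assumption chosen to reproduce the windows_size of 9 seen in the gdb session; the simplified clamp rule is also the example's own.

```c
/* Added example (not gd's source, not this report's patch): a model of the
 * per-column contribution window libgd's two-pass scaler builds, using the
 * report's numbers (100 -> 13 gives windows_size 9; column 1 spans 3..12). */
#include <stdio.h>
/* Filter half-width: an assumption chosen so windows_size is 9 for the page's
 * 100 -> 13 scale, matching the gdb output (not a value quoted on the page). */
#define FILTER_RADIUS 0.5
typedef struct { int left, right; } Window;   /* the stored Left/Right pair */
/* floor/ceil without libm (inputs are small); (int) truncates toward zero. */
static int floor_i(double v) { int i = (int)v; return v < i ? i - 1 : i; }
static int ceil_i(double v)  { int i = (int)v; return v > i ? i + 1 : i; }
static double half_width(double s) { return s < 1.0 ? FILTER_RADIUS / s : FILTER_RADIUS; }
/* Number of Weights[] slots allocated per destination column. */
static int window_size(double scale) { return 2 * ceil_i(half_width(scale)) + 1; }
/* Source window for destination column u. With fixed == 0 the span is stored
 * BEFORE the spill-off clamp (the bug): it can be one wider than Weights[], so
 * i - Left in the inner loop reaches windows_size, the read ASan flagged. */
static Window calc_window(unsigned u, unsigned src_size, double scale, int fixed) {
    double width = half_width(scale), center = (double)u / scale;
    int wsize = window_size(scale);
    int left  = floor_i(center - width);
    int right = ceil_i(center + width);
    if (left < 0) left = 0;
    if (right > (int)src_size - 1) right = (int)src_size - 1;
    Window w = { left, right };                    /* buggy: stored too early */
    if (right - left + 1 > wsize) {                /* cut edge points to fit */
        if (left < (int)src_size / 2) left++; else right--;
    }
    if (fixed) { w.left = left; w.right = right; } /* fix: store after clamp */
    return w;
}

/* Invariant the inner loop relies on: every i - Left must index inside Weights[]. */
static int window_fits(Window w, int wsize) { return w.right - w.left + 1 <= wsize; }
/* 1 if every destination column's stored window fits its Weights[] array. */
static int all_columns_fit(unsigned dst, unsigned src, int fixed) {
    double scale = (double)dst / src;
    for (unsigned u = 0; u < dst; u++)
        if (!window_fits(calc_window(u, src, scale, fixed), window_size(scale))) return 0;
    return 1;
}
int main(void) {   /* print each column's window for the report's 100 -> 13 case */
    double scale = 13.0 / 100.0;
    for (unsigned u = 0; u < 13; u++) {
        Window b = calc_window(u, 100, scale, 0), f = calc_window(u, 100, scale, 1);
        printf("col %2u buggy %2d..%2d %s fixed %2d..%2d %s\n", u, b.left, b.right,
               window_fits(b, window_size(scale)) ? "ok " : "OOB", f.left, f.right,
               window_fits(f, window_size(scale)) ? "ok " : "OOB");
    }
    return 0;
}
```

Column 1 is the case the gdb session stops at: the buggy span is 3..12 (ten entries for nine weights), the fixed span is 4..12.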

History

 [2016-05-23 07:35 UTC] stas@php.net
-Assigned To: +Assigned To: stas
 [2016-05-23 07:35 UTC] stas@php.net
In security repo as 7a1aac3343af85b4af4df5f8844946eaa27394ab and in https://gist.github.com/73e16fbf1dfae02b4680ac12c1f31668. Please verify.
 [2016-05-23 21:55 UTC] fernando at null-life dot com
Patch works OK. Thanks.
 [2016-05-24 22:55 UTC] stas@php.net
-PHP Version: 7.0.6 +PHP Version: 5.5.35
 [2016-05-24 23:30 UTC] stas@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=7a1aac3343af85b4af4df5f8844946eaa27394ab
Log: Fixed bug #72227: imagescale out-of-bounds read
 [2016-05-24 23:30 UTC] stas@php.net
-Status: Assigned +Status: Closed
 [2016-05-26 21:04 UTC] kaplan@php.net
-CVE-ID: +CVE-ID: 2013-7456
Last updated: Sun Nov 19 01:31:42 2017 UTC