php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #72350 gdImageFillToBorder stack-overflow when invalid color is used
Submitted: 2016-06-06 19:58 UTC Modified: 2016-06-13 06:22 UTC
From: fernando at null-life dot com Assigned: ab (profile)
Status: Duplicate Package: GD related
PHP Version: 7.0.7 OS: *
Private report: No CVE-ID: None
 [2016-06-06 19:58 UTC] fernando at null-life dot com
Description:
------------
Invalid color causes stack exhaustion by recursive call to function gdImageFillToBorder when the image used is not truecolor.

Source code:
https://github.com/php/php-src/blob/master/ext/gd/libgd/gd.c#L1811

    if (y > 0) {
        lastBorder = 1;
        for (i = leftLimit; i <= rightLimit; i++) {
            int c = gdImageGetPixel(im, i, y - 1);
            if (lastBorder) {
                if ((c != border) && (c != color)) {
                    gdImageFillToBorder(im, i, y - 1, border, color);
                    lastBorder = 0;
                }
            } else if ((c == border) || (c == color)) {
                lastBorder = 1;
            }
        }
    }

    /* Below */
    if (y < ((im->sy) - 1)) {
        lastBorder = 1;
        for (i = leftLimit; i <= rightLimit; i++) {
            int c = gdImageGetPixel(im, i, y + 1);

            if (lastBorder) {
                if ((c != border) && (c != color)) {
                    gdImageFillToBorder(im, i, y + 1, border, color);
                    lastBorder = 0;
                }
            } else if ((c == border) || (c == color)) {
                lastBorder = 1;
            }
        }
    }
    im->alphaBlendingFlag = restoreAlphaBlending;
gdb -q --args /home/user/php-7.0/sapi/cli/php -n poc.php
Reading symbols from /home/user/php-7.0/sapi/cli/php...done.
(gdb) b gd.c:1811
Breakpoint 1 at 0x8176146: file /home/user/php-7.0/ext/gd/libgd/gd.c, line 1811.
(gdb) b gd.c:1829
Breakpoint 2 at 0x81761f2: file /home/user/php-7.0/ext/gd/libgd/gd.c, line 1829.
(gdb) r
Starting program: /home/user/php-7.0/sapi/cli/php -n poc.php

Breakpoint 2, php_gd_gdImageFillToBorder (im=0xf5a6c000, x=0, y=0, border=1, color=313) at /home/user/php-7.0/ext/gd/libgd/gd.c:1829
1829                                            gdImageFillToBorder(im, i, y + 1, border, color);
(gdb) p c
$1 = 0
(gdb) c
Continuing.

Breakpoint 1, php_gd_gdImageFillToBorder (im=0xf5a6c000, x=0, y=1, border=1, color=313) at /home/user/php-7.0/ext/gd/libgd/gd.c:1811
1811                                    if ((c != border) && (c != color)) {
(gdb) p c
$2 = 57         (different of color 313)
(gdb) c
Continuing.

Breakpoint 2, php_gd_gdImageFillToBorder (im=0xf5a6c000, x=0, y=0, border=1, color=313) at /home/user/php-7.0/ext/gd/libgd/gd.c:1829
1829                                            gdImageFillToBorder(im, i, y + 1, border, color);
(gdb) p c
$3 = 57        (different of color 313)
(gdb) c
Continuing.

Breakpoint 1, php_gd_gdImageFillToBorder (im=0xf5a6c000, x=0, y=1, border=1, color=313) at /home/user/php-7.0/ext/gd/libgd/gd.c:1811
1811                                    if ((c != border) && (c != color)) {
(gdb) p c
$4 = 57        (different of color 313)


This was fixed on libgd upstream:
https://github.com/libgd/libgd/commit/77f619d48259383628c3ec4654b1ad578e9eb40e




Test script:
---------------
<?php
$img = imagecreate(10, 10);
imagefilltoborder($img, 0, 0, 1, 0x139);

Expected result:
----------------
No crash

Actual result:
--------------
user@Xenial32-2:~/crashes/fillborder$ /ramdisk/php-71/sapi/cli/php -n poc.php
ASAN:SIGSEGV
=================================================================
==5027==ERROR: AddressSanitizer: stack-overflow on address 0xff276ff0 (pc 0x085ee3f8 bp 0x1e4cdb90 sp 0xff276ff0 T0)
    #0 0x85ee3f7 in php_gd_gdImageSetPixel /home/user/php-7.1asan/ext/gd/libgd/gd.c:755
    #1 0xf266bfff  (<unknown module>)

SUMMARY: AddressSanitizer: stack-overflow /home/user/php-7.1asan/ext/gd/libgd/gd.c:755 php_gd_gdImageSetPixel
==5027==ABORTING
user@Xenial32-2:~/crashes/fillborder$ /ramdisk/php-71/sapi/cli/php -n poc.php
ASAN:SIGSEGV
=================================================================
==5771==ERROR: AddressSanitizer: stack-overflow on address 0xff758ff4 (pc 0x085ebfcf bp 0xfffffffc sp 0xff758ff0 T0)
    #0 0x85ebfce in gdImageTileApply /home/user/php-7.1asan/ext/gd/libgd/gd.c:869
    #1 0x85ebfce in php_gd_gdImageSetPixel /home/user/php-7.1asan/ext/gd/libgd/gd.c:749
    #2 0x85f7eae in php_gd_gdImageFillToBorder /home/user/php-7.1asan/ext/gd/libgd/gd.c:1788
    #3 0x85f8f32 in php_gd_gdImageFillToBorder /home/user/php-7.1asan/ext/gd/libgd/gd.c:1829
    #4 0x85f8e04 in php_gd_gdImageFillToBorder /home/user/php-7.1asan/ext/gd/libgd/gd.c:1812
    #5 0x85f8f32 in php_gd_gdImageFillToBorder /home/user/php-7.1asan/ext/gd/libgd/gd.c:1829
    #6 0x85f8e04 in php_gd_gdImageFillToBorder /home/user/php-7.1asan/ext/gd/libgd/gd.c:1812
    #7 0x85f8f32 in php_gd_gdImageFillToBorder /home/user/php-7.1asan/ext/gd/libgd/gd.c:1829
    #8 0x85f8e04 in php_gd_gdImageFillToBorder /home/user/php-7.1asan/ext/gd/libgd/gd.c:1812
    #9 0x85f8f32 in php_gd_gdImageFillToBorder /home/user/php-7.1asan/ext/gd/libgd/gd.c:1829
    #10 0x85f8e04 in php_gd_gdImageFillToBorder /home/user/php-7.1asan/ext/gd/libgd/gd.c:1812
    #11 0x85f8f32 in php_gd_gdImageFillToBorder /home/user/php-7.1asan/ext/gd/libgd/gd.c:1829

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2016-06-06 20:53 UTC] stas@php.net
Seems to be libgd issue, please report upstream.
 [2016-06-07 04:48 UTC] pajoye@php.net
@Stas it is done the same way. Gd is bundled with some php specific behaviors so it is all good. Most contributOrson in Gd are in the core as well.

Only thing we do is to be sure to release sec fixes at the same time.
 [2016-06-07 04:51 UTC] pajoye@php.net
-Type: Security +Type: Bug
 [2016-06-07 04:51 UTC] pajoye@php.net
Also not a security issue.

See https://github.com/libgd/libgd/issues/215

Sync coming for next php releases.
 [2016-06-07 05:10 UTC] fernando at null-life dot com
I reported the original github issue. May I understand the judgement to consider it security relevant or not?

When you (gd) guys fixed this [1][2](also reported by me to PHP) considered it a security relevant fix and somebody requested a CVE (Debian I believe)

[1] https://github.com/libgd/libgd/issues/213 
[2] https://bugs.php.net/bug.php?id=66387

Both cause the same and occur because lack of validation of supplied values calling the function. This issue is not security relevant because...?
 [2016-06-07 12:51 UTC] pajoye@php.net
For one this bug is already public so making it private only for php helps little. :)

About the bug itself. It requires buggy code and local access. I am fine to have a CVE with a low level of severety, for clarity.
 [2016-06-07 12:51 UTC] pajoye@php.net
-Type: Bug +Type: Security
 [2016-06-12 22:56 UTC] stas@php.net
-Type: Security +Type: Bug -Assigned To: +Assigned To: pajoye
 [2016-06-12 22:56 UTC] stas@php.net
Pierre, I assume you'll merge the patch for PHP embedded libgd?
 [2016-06-13 02:17 UTC] pajoye@php.net
-Assigned To: pajoye +Assigned To: ab
 [2016-06-13 02:17 UTC] pajoye@php.net
Yes and it is done already. 

I am not sure if I have access to 5.5 but 5.6+ has it already.

It was committed when we had issues with our boxes so mails did not make it along other hooks.

The commit: https://github.com/php/php-src/commit/6d3fa654b702c8762aa80ab795080f5c4464d677

It was public already that's why I committed directly. I also ask Anatol to merge it to 5.5 so it will get into the last release for this branch.
 [2016-06-13 06:22 UTC] ab@php.net
-Status: Assigned +Status: Duplicate
 [2016-06-13 06:22 UTC] ab@php.net
Merged the patch from bug #66387, so marking this one as duplicate.

Thanks.
 
PHP Copyright © 2001-2017 The PHP Group
All rights reserved.
Last updated: Sun Nov 19 01:31:42 2017 UTC