PHP :: Bug #72350 :: gdImageFillToBorder stack-overflow when invalid color is used

Bug #72350	gdImageFillToBorder stack-overflow when invalid color is used
Submitted:	2016-06-06 19:58 UTC	Modified:	2016-06-13 06:22 UTC
From:	fernando at null-life dot com	Assigned:	ab (profile)
Status:	Duplicate	Package:	GD related
PHP Version:	7.0.7	OS:	*
Private report:	No	CVE-ID:	None

View Add Comment Developer Edit

Anyone can comment on a bug. Have a simpler test case? Does it work for you on a different platform? Let us know!
Just going to say 'Me too!'? Don't clutter the database with that please !

Your email address: MUST BE VALID
Solve the problem: 49 - 32 = ?
Subscribe to this entry?

[2016-06-06 19:58 UTC] fernando at null-life dot com

Description:
------------
Invalid color causes stack exhaustion by recursive call to function gdImageFillToBorder when the image used is not truecolor.

Source code:
https://github.com/php/php-src/blob/master/ext/gd/libgd/gd.c#L1811

    if (y > 0) {
        lastBorder = 1;
        for (i = leftLimit; i <= rightLimit; i++) {
            int c = gdImageGetPixel(im, i, y - 1);
            if (lastBorder) {
                if ((c != border) && (c != color)) {
                    gdImageFillToBorder(im, i, y - 1, border, color);
                    lastBorder = 0;
                }
            } else if ((c == border) || (c == color)) {
                lastBorder = 1;
            }
        }
    }

    /* Below */
    if (y < ((im->sy) - 1)) {
        lastBorder = 1;
        for (i = leftLimit; i <= rightLimit; i++) {
            int c = gdImageGetPixel(im, i, y + 1);

            if (lastBorder) {
                if ((c != border) && (c != color)) {
                    gdImageFillToBorder(im, i, y + 1, border, color);
                    lastBorder = 0;
                }
            } else if ((c == border) || (c == color)) {
                lastBorder = 1;
            }
        }
    }
    im->alphaBlendingFlag = restoreAlphaBlending;
gdb -q --args /home/user/php-7.0/sapi/cli/php -n poc.php
Reading symbols from /home/user/php-7.0/sapi/cli/php...done.
(gdb) b gd.c:1811
Breakpoint 1 at 0x8176146: file /home/user/php-7.0/ext/gd/libgd/gd.c, line 1811.
(gdb) b gd.c:1829
Breakpoint 2 at 0x81761f2: file /home/user/php-7.0/ext/gd/libgd/gd.c, line 1829.
(gdb) r
Starting program: /home/user/php-7.0/sapi/cli/php -n poc.php

Breakpoint 2, php_gd_gdImageFillToBorder (im=0xf5a6c000, x=0, y=0, border=1, color=313) at /home/user/php-7.0/ext/gd/libgd/gd.c:1829
1829                                            gdImageFillToBorder(im, i, y + 1, border, color);
(gdb) p c
$1 = 0
(gdb) c
Continuing.

Breakpoint 1, php_gd_gdImageFillToBorder (im=0xf5a6c000, x=0, y=1, border=1, color=313) at /home/user/php-7.0/ext/gd/libgd/gd.c:1811
1811                                    if ((c != border) && (c != color)) {
(gdb) p c
$2 = 57         (different of color 313)
(gdb) c
Continuing.

Breakpoint 2, php_gd_gdImageFillToBorder (im=0xf5a6c000, x=0, y=0, border=1, color=313) at /home/user/php-7.0/ext/gd/libgd/gd.c:1829
1829                                            gdImageFillToBorder(im, i, y + 1, border, color);
(gdb) p c
$3 = 57        (different of color 313)
(gdb) c
Continuing.

Breakpoint 1, php_gd_gdImageFillToBorder (im=0xf5a6c000, x=0, y=1, border=1, color=313) at /home/user/php-7.0/ext/gd/libgd/gd.c:1811
1811                                    if ((c != border) && (c != color)) {
(gdb) p c
$4 = 57        (different of color 313)


This was fixed on libgd upstream:
https://github.com/libgd/libgd/commit/77f619d48259383628c3ec4654b1ad578e9eb40e




Test script:
---------------
<?php
$img = imagecreate(10, 10);
imagefilltoborder($img, 0, 0, 1, 0x139);

Expected result:
----------------
No crash

Actual result:
--------------
user@Xenial32-2:~/crashes/fillborder$ /ramdisk/php-71/sapi/cli/php -n poc.php
ASAN:SIGSEGV
=================================================================
==5027==ERROR: AddressSanitizer: stack-overflow on address 0xff276ff0 (pc 0x085ee3f8 bp 0x1e4cdb90 sp 0xff276ff0 T0)
    #0 0x85ee3f7 in php_gd_gdImageSetPixel /home/user/php-7.1asan/ext/gd/libgd/gd.c:755
    #1 0xf266bfff  (<unknown module>)

SUMMARY: AddressSanitizer: stack-overflow /home/user/php-7.1asan/ext/gd/libgd/gd.c:755 php_gd_gdImageSetPixel
==5027==ABORTING
user@Xenial32-2:~/crashes/fillborder$ /ramdisk/php-71/sapi/cli/php -n poc.php
ASAN:SIGSEGV
=================================================================
==5771==ERROR: AddressSanitizer: stack-overflow on address 0xff758ff4 (pc 0x085ebfcf bp 0xfffffffc sp 0xff758ff0 T0)
    #0 0x85ebfce in gdImageTileApply /home/user/php-7.1asan/ext/gd/libgd/gd.c:869
    #1 0x85ebfce in php_gd_gdImageSetPixel /home/user/php-7.1asan/ext/gd/libgd/gd.c:749
    #2 0x85f7eae in php_gd_gdImageFillToBorder /home/user/php-7.1asan/ext/gd/libgd/gd.c:1788
    #3 0x85f8f32 in php_gd_gdImageFillToBorder /home/user/php-7.1asan/ext/gd/libgd/gd.c:1829
    #4 0x85f8e04 in php_gd_gdImageFillToBorder /home/user/php-7.1asan/ext/gd/libgd/gd.c:1812
    #5 0x85f8f32 in php_gd_gdImageFillToBorder /home/user/php-7.1asan/ext/gd/libgd/gd.c:1829
    #6 0x85f8e04 in php_gd_gdImageFillToBorder /home/user/php-7.1asan/ext/gd/libgd/gd.c:1812
    #7 0x85f8f32 in php_gd_gdImageFillToBorder /home/user/php-7.1asan/ext/gd/libgd/gd.c:1829
    #8 0x85f8e04 in php_gd_gdImageFillToBorder /home/user/php-7.1asan/ext/gd/libgd/gd.c:1812
    #9 0x85f8f32 in php_gd_gdImageFillToBorder /home/user/php-7.1asan/ext/gd/libgd/gd.c:1829
    #10 0x85f8e04 in php_gd_gdImageFillToBorder /home/user/php-7.1asan/ext/gd/libgd/gd.c:1812
    #11 0x85f8f32 in php_gd_gdImageFillToBorder /home/user/php-7.1asan/ext/gd/libgd/gd.c:1829

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports

[2016-06-06 20:53 UTC] stas@php.net

Seems to be libgd issue, please report upstream.

[2016-06-07 04:48 UTC] pajoye@php.net

@Stas it is done the same way. Gd is bundled with some php specific behaviors so it is all good. Most contributOrson in Gd are in the core as well.

Only thing we do is to be sure to release sec fixes at the same time.

[2016-06-07 04:51 UTC] pajoye@php.net

-Type: Security +Type: Bug

[2016-06-07 04:51 UTC] pajoye@php.net

Also not a security issue.

See https://github.com/libgd/libgd/issues/215

Sync coming for next php releases.

[2016-06-07 05:10 UTC] fernando at null-life dot com

I reported the original github issue. May I understand the judgement to consider it security relevant or not?

When you (gd) guys fixed this [1][2](also reported by me to PHP) considered it a security relevant fix and somebody requested a CVE (Debian I believe)

[1] https://github.com/libgd/libgd/issues/213 
[2] https://bugs.php.net/bug.php?id=66387

Both cause the same and occur because lack of validation of supplied values calling the function. This issue is not security relevant because...?

[2016-06-07 10:24 UTC] cmb@php.net

Related To: Bug #72045

[2016-06-07 12:51 UTC] pajoye@php.net

For one this bug is already public so making it private only for php helps little. :)

About the bug itself. It requires buggy code and local access. I am fine to have a CVE with a low level of severety, for clarity.

[2016-06-07 12:51 UTC] pajoye@php.net

-Type: Bug +Type: Security

[2016-06-12 22:56 UTC] stas@php.net

-Type: Security +Type: Bug -Assigned To: +Assigned To: pajoye

[2016-06-12 22:56 UTC] stas@php.net

Pierre, I assume you'll merge the patch for PHP embedded libgd?

[2016-06-13 02:17 UTC] pajoye@php.net

-Assigned To: pajoye +Assigned To: ab

[2016-06-13 02:17 UTC] pajoye@php.net

Yes and it is done already. 

I am not sure if I have access to 5.5 but 5.6+ has it already.

It was committed when we had issues with our boxes so mails did not make it along other hooks.

The commit: https://github.com/php/php-src/commit/6d3fa654b702c8762aa80ab795080f5c4464d677

It was public already that's why I committed directly. I also ask Anatol to merge it to 5.5 so it will get into the last release for this branch.

[2016-06-13 06:22 UTC] ab@php.net

-Status: Assigned +Status: Duplicate

[2016-06-13 06:22 UTC] ab@php.net

Merged the patch from bug #66387, so marking this one as duplicate.

Thanks.

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2024 The PHP Group All rights reserved.	Last updated: Fri Apr 19 22:01:28 2024 UTC