php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Sec Bug #72558 Integer overflow error within _gdContributionsAlloc()
Submitted: 2016-07-07 14:00 UTC Modified: 2016-07-19 07:54 UTC
From: cmb@php.net Assigned: stas
Status: Closed Package: GD related
PHP Version: 5.6.23 OS: *
Private report: No CVE-ID: 2016-6207
View Add Comment Developer Edit
Welcome! If you don't have a Git account, you can't do anything here.
You can add a comment by following this link or if you reported this bug, you can edit this bug over here.
(description)
Block user comment
Status: Assign to:
Package:
Bug Type:
Summary:
From: cmb@php.net
New email:
PHP Version: OS:

 

 [2016-07-07 14:00 UTC] cmb@php.net
Description:
------------
Secunia Research at Flexera Software has reported a vulnerability
in LibGD, which can be exploited by malicious people to cause a
DoS (Denial of Service). The vulnerability is caused due to an
integer overflow error within the "_gdContributionsAlloc()"
function (gd_interpolation.c) and can be exploited to cause an
out-of-bounds memory write access.

This DOS vulnerability would not actually affect PHP, if
memory_limit is set to a reasonable value. Nonetheless, the issue
should be fixed, of course.

A respective patch has already been provided for libgd and will be
deployed with libgd-2.2.3. The attached patch fixes this
vulnerability in PHP's bundled libgd, and should probably go into
PHP 5.6+.

There has not yet been assigned a CVE for this issue, but Secunia
Research might do that (not yet decided).

As I have prepared the patch in advance, the PHPT and the commit
message might have to be adapted to match the actual ticket
number.

Test script:
---------------
See the supplied PHPT in the attached patch.


Patches

fix-72558 (last revision 2016-07-07 14:00 UTC) by cmb)

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2016-07-07 15:05 UTC] pajoye@php.net
Should go in 5.5+

Also mainly causes ddos by either a crash under certain circumstances (out of bounds writes) but more likely an out of memory in case someone passes invalid inputs from the outside (see test).
 [2016-07-08 10:59 UTC] cmb@php.net
I wanted to verify that the supplied patch can be applied to
PHP-5.5 without conflicts. It does, but the PHPT fails (because
there is no error/warning output). I've found that
imagesetinterpolation() apparently doesn't work before PHP 5.6,
and that `imagescale($im, 0x15555556, 1, IMG_BELL)` has to be used
instead. However, that causes a segfault. I'll investigate.
 [2016-07-08 11:39 UTC] pajoye@php.net
I think it may be easier to release 2
2.3 and backport gd_interpolation.c altogether, adding the news entries for.what it fixes.
 [2016-07-08 11:39 UTC] pajoye@php.net
I think it may be easier to release 2
2.3 and backport gd_interpolation.c altogether, adding the news entries for.what it fixes.
 [2016-07-13 04:38 UTC] stas@php.net
-Assigned To: +Assigned To: pajoye
 [2016-07-13 12:30 UTC] pajoye@php.net
-CVE-ID: +CVE-ID: 2016-6207
 [2016-07-13 12:30 UTC] pajoye@php.net
I will upload an updated patch later once it has been validated by secunia.

Added cve # too
 [2016-07-13 12:48 UTC] cmb@php.net
> I think it may be easier to release 2.2.3 and backport
> gd_interpolation.c altogether, […]

That would, however, not affect external libgd builds, and *might*
cause a segfault with PHP 5.5.
 [2016-07-13 13:31 UTC] pajoye@php.net
I sent the patch to the secunia thread.

Only additiona are the two overflow checks before gdMalloc in th3 contrib parts.

If the patch ia applied (for 2.2.3) why external gd should be a problem? Same for 55.5 if RMs apply it
 [2016-07-17 23:42 UTC] stas@php.net
Could you please send the patch to me too? Thanks.
 [2016-07-18 07:18 UTC] stas@php.net
Fix in security repo as d1a491acf31cf6d2ba65cc7c46fe963a510cd91f
 [2016-07-19 07:00 UTC] pajoye@php.net
-Assigned To: pajoye +Assigned To: stas
 [2016-07-19 07:00 UTC] pajoye@php.net
@stas I let you merge from the security repository. Thanks for taking care of all these things :)
 [2016-07-19 07:54 UTC] stas@php.net
-Status: Assigned +Status: Closed
 [2016-07-19 07:54 UTC] stas@php.net
The fix for this bug has been committed.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.

 For Windows:

http://windows.php.net/snapshots/
 
Thank you for the report, and for helping us make PHP better.


 [2016-07-19 08:51 UTC] pajoye@php.net
Automatic comment on behalf of pierre.php@gmail.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=df0951508920d3e8400c99d058fa213397b752f8
Log: improve fix #72558, while (u>=0) with unsigned int will always be true
 [2016-07-19 08:55 UTC] pajoye@php.net
Automatic comment on behalf of pierre.php@gmail.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=df0951508920d3e8400c99d058fa213397b752f8
Log: improve fix #72558, while (u>=0) with unsigned int will always be true
 [2016-07-19 08:57 UTC] stas@php.net
Automatic comment on behalf of pierre.php@gmail.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=75211491936ab23281e7d6d45a1fd78076571d0c
Log: improve fix #72558, while (u>=0) with unsigned int will always be true
 [2016-07-19 08:57 UTC] stas@php.net
Automatic comment on behalf of pierre.php@gmail.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=df0951508920d3e8400c99d058fa213397b752f8
Log: improve fix #72558, while (u>=0) with unsigned int will always be true
 [2016-07-19 08:58 UTC] stas@php.net
Automatic comment on behalf of pierre.php@gmail.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=75211491936ab23281e7d6d45a1fd78076571d0c
Log: improve fix #72558, while (u>=0) with unsigned int will always be true
 [2016-07-19 09:35 UTC] pajoye@php.net
Automatic comment on behalf of pierre.php@gmail.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=48e76abadd17a090259db77f3294d870fbc31ba5
Log: improve fix #72558, free contribRow as well
 [2016-07-19 09:36 UTC] pajoye@php.net
Automatic comment on behalf of pierre.php@gmail.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=48e76abadd17a090259db77f3294d870fbc31ba5
Log: improve fix #72558, free contribRow as well
 [2016-07-19 12:36 UTC] pajoye@php.net
Automatic comment on behalf of pierre.php@gmail.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=48e76abadd17a090259db77f3294d870fbc31ba5
Log: improve fix #72558, free contribRow as well
 [2016-07-19 17:59 UTC] ab@php.net
Automatic comment on behalf of pierre.php@gmail.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=cc06543112c28680af5978b5fa63f987361a8d85
Log: improve fix #72558, free contribRow as well
 [2016-07-19 17:59 UTC] ab@php.net
Automatic comment on behalf of pierre.php@gmail.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=522253bc9bb517dbd7782399c3bdaed1bbd92b8d
Log: improve fix #72558, while (u>=0) with unsigned int will always be true
 [2016-07-21 00:27 UTC] tyrael@php.net
Automatic comment on behalf of pierre.php@gmail.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=d57041cf2a273b6854e25e15a4261eb706a078bd
Log: improve fix #72558, free contribRow as well
 [2016-07-21 00:27 UTC] tyrael@php.net
Automatic comment on behalf of pierre.php@gmail.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=8fa9d1ce28f3a894b104979df30d0b65e0f21107
Log: improve fix #72558, while (u>=0) with unsigned int will always be true
 [2016-10-17 10:10 UTC] bwoebi@php.net
Automatic comment on behalf of pierre.php@gmail.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=48e76abadd17a090259db77f3294d870fbc31ba5
Log: improve fix #72558, free contribRow as well
 [2016-10-17 10:10 UTC] bwoebi@php.net
Automatic comment on behalf of pierre.php@gmail.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=75211491936ab23281e7d6d45a1fd78076571d0c
Log: improve fix #72558, while (u>=0) with unsigned int will always be true
 [2016-10-17 10:10 UTC] bwoebi@php.net
Automatic comment on behalf of pierre.php@gmail.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=df0951508920d3e8400c99d058fa213397b752f8
Log: improve fix #72558, while (u>=0) with unsigned int will always be true
 
PHP Copyright © 2001-2017 The PHP Group
All rights reserved.
Last updated: Tue Aug 29 15:01:52 2017 UTC