PHP :: Sec Bug #72696 :: imagefilltoborder stackoverflow on truecolor images

Sec Bug #72696	imagefilltoborder stackoverflow on truecolor images
Submitted:	2016-07-28 06:11 UTC	Modified:	2016-12-13 11:50 UTC
From:	fernando at null-life dot com	Assigned:	cmb (profile)
Status:	Closed	Package:	GD related
PHP Version:	5.6.27	OS:	*
Private report:	No	CVE-ID:	2016-9933

View Add Comment Developer Edit

Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If this is not your bug, you can add a comment by following this link.
If this is your bug, but you forgot your password, you can retrieve your password here.

Password:

Status:
Package:
Bug Type:
Summary:
From:	fernando at null-life dot com
New email:
PHP Version:		OS:

New Comment:

[2016-07-28 06:11 UTC] fernando at null-life dot com

Description:
------------
Description:
------------
Invalid color causes stack exhaustion by recursive call to function gdImageFillToBorder when the image used is truecolor. This was tested on a 64 bits platform.

This is not the same as bug #72350 but they are related.


GDB output
----------

gdb -q --args /home/operac/php-70-sinasan/sapi/cli/php -n poc.php
Reading symbols from /home/operac/php-70-sinasan/sapi/cli/php...done.
(gdb) b gd.c:1851
Breakpoint 1 at 0x54a354: gd.c:1851. (2 locations)
(gdb) b gd.c:1834
Breakpoint 2 at 0x54a287: gd.c:1834. (2 locations)
(gdb) r
Starting program: /home/operac/php-70-sinasan/sapi/cli/php -n poc.php


Breakpoint 1, php_gd_gdImageFillToBorder (im=0x7ffff2c77000, x=0, y=0, border=1, color=-2) at /home/operac/php-70-sinasan/ext/gd/libgd/gd.c:1851
1851                                            gdImageFillToBorder(im, i, y + 1, border, color);
(gdb) c
Continuing.

Breakpoint 2, php_gd_gdImageFillToBorder (im=0x7ffff2c77000, x=0, y=1, border=1, color=-2) at /home/operac/php-70-sinasan/ext/gd/libgd/gd.c:1834
1834                                            gdImageFillToBorder(im, i, y - 1, border, color);
(gdb) c
Continuing.

Breakpoint 1, php_gd_gdImageFillToBorder (im=0x7ffff2c77000, x=0, y=0, border=1, color=-2) at /home/operac/php-70-sinasan/ext/gd/libgd/gd.c:1851
1851                                            gdImageFillToBorder(im, i, y + 1, border, color);
(gdb) c
Continuing.

Breakpoint 2, php_gd_gdImageFillToBorder (im=0x7ffff2c77000, x=0, y=1, border=1, color=-2) at /home/operac/php-70-sinasan/ext/gd/libgd/gd.c:1834
1834                                            gdImageFillToBorder(im, i, y - 1, border, color);
(gdb) p/x color
$1 = 0xfffffffe

Test script:
---------------
<?php

$imgs = imagecreatetruecolor(10, 10);
imagefilltoborder($imgs, 0, 0, 1, 9223372036854775806);

Expected result:
----------------
No crash

Actual result:
--------------
operac@hp2:~/crashes/067b65f5-filltoborder$ sh run.sh 

ASAN:SIGSEGV
=================================================================
==5658==ERROR: AddressSanitizer: stack-overflow on address 0x7ffd7b0bdf98 (pc 0x000000991208 bp 0x7ffd7b0be0e0 sp 0x7ffd7b0bdf98 T0)
    #0 0x991207 in php_gd_gdImageSetPixel /home/operac/php-70/ext/gd/libgd/gd.c:728
    #1 0x99cb00 in php_gd_gdImageFillToBorder /home/operac/php-70/ext/gd/libgd/gd.c:1810
    #2 0x99d752 in php_gd_gdImageFillToBorder /home/operac/php-70/ext/gd/libgd/gd.c:1834
    #3 0x99dbfa in php_gd_gdImageFillToBorder /home/operac/php-70/ext/gd/libgd/gd.c:1851
    #4 0x99d752 in php_gd_gdImageFillToBorder /home/operac/php-70/ext/gd/libgd/gd.c:1834
    #5 0x99dbfa in php_gd_gdImageFillToBorder /home/operac/php-70/ext/gd/libgd/gd.c:1851
    #6 0x99d752 in php_gd_gdImageFillToBorder /home/operac/php-70/ext/gd/libgd/gd.c:1834
    #7 0x99dbfa in php_gd_gdImageFillToBorder /home/operac/php-70/ext/gd/libgd/gd.c:1851
    #8 0x99d752 in php_gd_gdImageFillToBorder /home/operac/php-70/ext/gd/libgd/gd.c:1834

Patches

fix-72696 (last revision 2016-10-25 11:26 UTC by cmb@php.net)

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports

[2016-08-10 06:45 UTC] stas@php.net

-Assigned To: +Assigned To: pajoye

[2016-08-10 06:45 UTC] stas@php.net

Looks like bug in libgd, negative colors are not set but border fill relies on them to be set. Pierre, could you please take a look?

[2016-08-15 06:03 UTC] stas@php.net

-CVE-ID: +CVE-ID: needed

[2016-10-25 01:41 UTC] stas@php.net

-Assigned To: pajoye +Assigned To: cmb

[2016-10-25 11:26 UTC] cmb@php.net

The following patch has been added/updated:

Patch Name: fix-72696
Revision:   1477394767
URL:        https://bugs.php.net/patch-display.php?bug=72696&patch=fix-72696&revision=1477394767

[2016-10-25 11:26 UTC] cmb@php.net

Indeed, filling with negative color values will not necessarily
work. For example, color -2 means gdStyled, and if no style is
set, no pixel will be drawn[1]. However, even if a style has been
set, the color that will be drawn is not necessarily the color
that gdImageFillToBorder() expects to be drawn.

Anyhow, this issue has already been fixed in libgd 2.2.3[2], where
it doesn't have been recognized as security issue, so I'm not sure
whether it should be regarded as security issue for PHP, or rather
as a programmer error.

Either way, the attached patch solves the issue and should be
applied against PHP 5.6+.

[1] <https://github.com/php/php-src/blob/PHP-7.0.12/ext/gd/libgd/gd.c#L729-L732>
[2] <https://github.com/libgd/libgd/commit/77f619d48259383628c3ec4654b1ad578e9eb40e>

[2016-10-30 21:32 UTC] stas@php.net

-PHP Version: 7.0.9 +PHP Version: 5.6.27

[2016-10-30 21:32 UTC] stas@php.net

The fix is in security repo as 863d37ea66d5c960db08d6f4a2cbd2518f0f80d1 and in https://gist.github.com/a3b8821719ca7d6e5386d735f4635cf1

please verify

[2016-12-12 12:32 UTC] kaplan@php.net

Fixed upstream in libgd 2.2.2, see https://libgd.github.io/release-2.2.2.html

[2016-12-12 12:36 UTC] kaplan@php.net

-Status: Assigned +Status: Closed

[2016-12-12 12:48 UTC] cmb@php.net

-Status: Closed +Status: Re-Opened

[2016-12-12 12:48 UTC] cmb@php.net

> Fixed upstream in libgd 2.2.2, see https://libgd.github.io/release-2.2.2.html

That is a closely related issue, but not the same as this ticket is about. CVE-2015-8874 has been reported for libgd[1] and PHP[2] and is resolved.

The fix for this issue has been released with libgd 2.2.3[3] (without CVE), but apparently it is not yet fixed in PHP's bundled libgd.

[1] <https://github.com/libgd/libgd/issues/213>
[2] <https://bugs.php.net/bug.php?id=72350>
[3] <https://github.com/libgd/libgd/commit/77f619d48259383628c3ec4654b1ad578e9eb40e>

[2016-12-12 13:43 UTC] kaplan@php.net

The patch you've mentioned as not applied in PHP is already done for PHP 5.6.28 at https://github.com/php/php-src/commit/863d37ea66d5c960db08d6f4a2cbd2518f0f80d1 (with an older part applied in https://github.com/php/php-src/commit/6d3fa654b702c8762aa80ab795080f5c4464d677 earlier this year).

[2016-12-12 13:49 UTC] cmb@php.net

-Status: Re-Opened +Status: Closed

[2016-12-12 13:49 UTC] cmb@php.net

Indeed, you're right. Thanks!

[2016-12-13 11:50 UTC] kaplan@php.net

-CVE-ID: needed +CVE-ID: 2016-9933

[2016-12-13 11:50 UTC] kaplan@php.net

Use CVE-2016-9933. The scope of this CVE is only the missing "color < 0" test in older versions.

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2024 The PHP Group All rights reserved.	Last updated: Fri Apr 19 20:01:29 2024 UTC