|
|
php.net | support | documentation | report a bug | advanced search | search howto | statistics | random bug | login |
PatchesPull RequestsHistoryAllCommentsChangesGit/SVN commits
[2016-09-12 04:02 UTC] stas@php.net
-Status: Open
+Status: Feedback
[2016-09-12 04:02 UTC] stas@php.net
[2016-09-13 15:24 UTC] ab@php.net
-Status: Feedback
+Status: Analyzed
[2016-09-13 15:24 UTC] ab@php.net
[2016-09-13 16:54 UTC] stas@php.net
-Type: Security
+Type: Bug
[2016-09-13 16:54 UTC] stas@php.net
[2017-01-08 21:03 UTC] ab@php.net
-Status: Analyzed
+Status: Closed
-Assigned To:
+Assigned To: ab
[2017-01-08 21:03 UTC] ab@php.net
|
|||||||||||||||||||||||||||
Copyright © 2001-2024 The PHP GroupAll rights reserved. |
Last updated: Sat May 18 11:01:34 2024 UTC |
Description: ------------ The issue is triggered using imagepng however I believe it's not related to GD but to PHP file handling, run the attached script with USE_ZEND_ALLOC=0 Test script: --------------- <?php $v1=imagecreatetruecolor(2, 2); $v2=str_repeat("#", 0xdffffff); imagepng($v1,$v2); Expected result: ---------------- No crash Actual result: -------------- Output varies during execution, these are two common generated backtrace: Output 1 ====== (3cb0.28f0): Access violation - code c0000005 (first chance) First chance exceptions are reported before any exception handling. Processing initial command 'r;!exploitable -v' This exception may be expected and handled. *** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\WINDOWS\SysWOW64\VCRUNTIME140.dll - VCRUNTIME140!memcpy+0x4e: 5eaed75e f3a4 rep movs byte ptr es:[edi],byte ptr [esi] 0:000:x86> r;!exploitable -v eax=4804a029 ebx=0e000009 ecx=0e000009 edx=0e000009 esi=3a04a020 edi=00000000 eip=5eaed75e esp=06f8d6d8 ebp=06f8dfcc iopl=0 nv up ei pl nz na po cy cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010203 VCRUNTIME140!memcpy+0x4e: 5eaed75e f3a4 rep movs byte ptr es:[edi],byte ptr [esi] !exploitable 1.6.0.0 HostMachine\HostUser Executing Processor Architecture is x86 Debuggee is in User Mode Debuggee is a live user mode debugging session on the local machine Event Type: Exception *** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\WINDOWS\SysWOW64\mswsock.dll - Exception Faulting Address: 0x0 First Chance Exception Type: STATUS_ACCESS_VIOLATION (0xC0000005) Exception Sub-Type: Write Access Violation Faulting Instruction:5eaed75e rep movs byte ptr es:[edi],byte ptr [esi] Basic Block: 5eaed75e rep movs byte ptr es:[edi],byte ptr [esi] Tainted Input operands: 'ecx','edi','esi' 5eaed760 mov eax,dword ptr [esp+0ch] 5eaed764 pop esi 5eaed765 pop edi 5eaed766 ret Exception Hash (Major/Minor): 0x39a5c8d2.0xd5d2d785 Hash Usage : Stack Trace: Major+Minor : VCRUNTIME140!memcpy+0x4e Major+Minor : Unknown Major+Minor : Unknown Major+Minor : Unknown Major+Minor : mswsock!Tcpip4_WSHGetSockaddrType+0x1385 Minor : Unknown Minor : Unknown Minor : Unknown Minor : Unknown Minor : Unknown Minor : Unknown Minor : php7!`string'+0x0 Instruction Address: 0x000000005eaed75e Description: Possible Stack Corruption Short Description: PossibleStackCorruption Exploitability Classification: UNKNOWN Recommended Bug Title: Possible Stack Corruption starting at VCRUNTIME140!memcpy+0x000000000000004e (Hash=0x39a5c8d2.0xd5d2d785) The stack trace contains one or more locations for which no symbol or module could be found. This may be a sign of stack corruption. 0:000:x86> k ChildEBP RetAddr WARNING: Stack unwind information not available. Following frames may be wrong. 06f8dfcc 2c037020 VCRUNTIME140!memcpy+0x4e 07132960 74206465 0x2c037020 07132964 706f206f 0x74206465 07132968 73206e65 0x706f206f 0713296c 61657274 mswsock!Tcpip4_WSHGetSockaddrType+0x1385 07132970 49203a6d 0x61657274 07132974 6c61766e 0x49203a6d 07132978 61206469 0x6c61766e 0713297c 6d756772 0x61206469 07132980 00746e65 0x6d756772 07132984 77be9420 0x746e65 07132988 00000000 php7!`string' Output 2 ====== Exception Hash (Major/Minor): 0xecbe5762.0x9db0e11d Hash Usage : Stack Trace: Major+Minor : VCRUNTIME140!memcpy+0x4e Major+Minor : Unknown Major+Minor : php7!php_error_docref1+0x18 Major+Minor : php7!php_stream_display_wrapper_errors+0x19b Major+Minor : php7!_php_stream_open_wrapper_ex+0x2f639e Minor : ucrtbase!malloc+0x2b Minor : php7!zval_copy_ctor_func+0x61 Minor : php7!zend_parse_arg_impl+0x2f7877 Minor : php7!zend_parse_va_args+0xdc Minor : php7!zif_str_repeat+0xb5 Minor : php7!execute_ex+0xfb Minor : php7!zend_execute+0x124 Minor : php7!zend_execute_scripts+0xe7 Minor : php7!php_execute_script+0x372 Minor : php!do_cli+0x3d3 Minor : php!main+0x2cb Minor : php!__scrt_common_main_seh+0xf9 Minor : KERNEL32!BaseThreadInitThunk+0x24 Excluded : ntdll_77600000!RtlInitializeExceptionChain+0x8f Excluded : ntdll_77600000!RtlInitializeExceptionChain+0x5a Instruction Address: 0x000000005eaed75e Description: Possible Stack Corruption Short Description: PossibleStackCorruption Exploitability Classification: UNKNOWN Recommended Bug Title: Possible Stack Corruption starting at VCRUNTIME140!memcpy+0x000000000000004e (Hash=0xecbe5762.0x9db0e11d) The stack trace contains one or more locations for which no symbol or module could be found. This may be a sign of stack corruption.