Sec Bug #74435 Buffer over-read into uninitialized memory
Submitted: 2017-04-13 16:34 UTC Modified: 2017-07-05 04:12 UTC
From: admin at replay dot gg Assigned: cmb
Status: Closed Package: GD related
PHP Version: 7.1.3 OS: All
Private report: No CVE-ID: 2017-7890
 [2017-04-13 16:34 UTC] admin at replay dot gg
Description:
------------
The GIF decoding function gdImageCreateFromGifCtx in gd_gif_in.c (which can be reached with a call to the imagecreatefromstring() function) uses constant-sized color tables of size 3 * 256, but does not zero out these arrays before use.

An attacker could craft a GIF image with the smallest global color table of size 2, but have color data which indexes the max 256 possibly distinct colors. As a result, the decoded image will contain pixels whose RGB colors will represent whatever data was in the 762 non-initialized bytes from the color table (ColorMap array), which is on the stack.

If the image is then saved and can be accessed, the attacker can use the RGB values of the pixels in the image to read 762 bytes that were on the stack at the time the image was parsed. This could cause sensitive server data such as private keys to be read by the attacker.

If the decoded image is saved in a lossless PNG format, byte-perfect data recovery is trivial. If the decoded image is saved in the JPEG format with the standard 8x8 block DCT, the attacker could craft a GIF image with 16x16 solid-color blocks (to account for CbCr channel down-sampling) which would preserve the pixel data through the quantization process, and again allow for byte-perfect data recovery.

Currently all websites and applications that rely on PHP's imagecreatefromstring() or imagecreatefromgif() function to decode and save GIF images are vulnerable to this bug.

The appropriate solution is to zero both ColorMap and localColorMap arrays before use.

This bug has been confirmed by the current maintainers of the official LibGD branch.

-----
Matviy Kotoniy

Test script:
---------------
GIF file with color table size set to 0 in the descriptor, and image data which indexes 256 different colors in the color table.

Expected result:
----------------
Error, or solid color for invalid color indexes

Actual result:
--------------
RGB color data representing ~700 bytes of uninitialized data above the current stack frame. http://i.imgur.com/OsT7HFP.jpg

Patches

fix-74435-php-7.0 (last revision 2017-06-20 14:47 UTC by cmb@php.net)

History

 [2017-04-13 16:37 UTC] admin at replay dot gg
An easy way to test the bug is to create a gradient GIF image with 256 different colors, and then hex edit the last 3 bits of the logical screen descriptor to zero. Process and save the image using the vulnerable function, and you'll see the stack data in the saved image.
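The following is an added example, not libgd's code and not part of this report. It shows the two things the description and the comment above describe from the defender's side: how the declared global color table size is read from the 3-bit field of the Logical Screen Descriptor (so an operator can see what a hex-edited header declares), and the palette-handling pattern the reporter recommends as the fix: zero the fixed 3*256 table before use and treat any pixel index beyond the declared entries as invalid (mapped to solid black and counted, matching the "expected result" above) instead of returning whatever bytes were left in the array. The GIF sample is constructed inline; function and type names (gif_gct_entries, gif_load_palette, gif_resolve_pixels, gif_palette) are hypothetical.

```c
/* Added example (not libgd's code): minimal GIF Logical Screen Descriptor
 * parsing plus a zeroed, bounds-checked palette lookup. Names are hypothetical.
 * Build: cc -std=c99 -Wall -o gifpal gifpal.c */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAXCOLORMAPSIZE 256     /* libgd's fixed color table size */
#define GIF_LSD_LEN (6 + 7)     /* "GIF89a" signature + 7-byte Logical Screen Descriptor */

typedef struct {
    uint8_t map[3][MAXCOLORMAPSIZE]; /* R, G, B planes, same layout as ColorMap in gd_gif_in.c */
    int size;                        /* entries actually read from the file */
} gif_palette;

/* Declared global color table size from the packed LSD byte (offset 10).
 * Bit 7: GCT present; bits 0-2: N, the table holds 2^(N+1) entries.
 * Returns 0 when no GCT is present, -1 on a malformed header. */
int gif_gct_entries(const uint8_t *buf, size_t len) {
    if (len < GIF_LSD_LEN) return -1;
    if (memcmp(buf, "GIF87a", 6) != 0 && memcmp(buf, "GIF89a", 6) != 0) return -1;
    uint8_t packed = buf[10];
    if (!(packed & 0x80)) return 0;
    return 1 << ((packed & 0x07) + 1);
}

/* Load the declared entries into a table that is fully zeroed first,
 * so no stale stack bytes can ever be read back as pixel colors. */
int gif_load_palette(const uint8_t *buf, size_t len, gif_palette *pal) {
    int entries = gif_gct_entries(buf, len);
    memset(pal->map, 0, sizeof pal->map);   /* the fix: zero before use */
    pal->size = 0;
    if (entries < 0) return -1;
    if (len < GIF_LSD_LEN + (size_t)(3 * entries)) return -1;  /* truncated table */
    const uint8_t *tbl = buf + GIF_LSD_LEN;
    for (int i = 0; i < entries; i++) {
        pal->map[0][i] = tbl[3 * i];
        pal->map[1][i] = tbl[3 * i + 1];
        pal->map[2][i] = tbl[3 * i + 2];
    }
    pal->size = entries;
    return 0;
}

/* Resolve decoded pixel indices to RGB triples. Indices beyond the declared
 * table are mapped to solid black and counted, so a caller can reject or log
 * the image. Returns the number of out-of-range indices, or -1 on header error. */
int gif_resolve_pixels(const uint8_t *buf, size_t len,
                       const uint8_t *idx, size_t n, uint8_t *rgb_out) {
    gif_palette pal;
    if (gif_load_palette(buf, len, &pal) != 0) return -1;
    int bad = 0;
    for (size_t p = 0; p < n; p++) {
        int i = idx[p];
        if (i >= pal.size) {
            bad++;
            rgb_out[3 * p] = rgb_out[3 * p + 1] = rgb_out[3 * p + 2] = 0;
            continue;
        }
        rgb_out[3 * p]     = pal.map[0][i];
        rgb_out[3 * p + 1] = pal.map[1][i];
        rgb_out[3 * p + 2] = pal.map[2][i];
    }
    return bad;
}

/* Constructed sample: GIF89a, 4x1 screen, GCT flag set with N = 0
 * (the smallest table, 2 entries), followed by the 2-entry table red, blue. */
static const uint8_t SAMPLE_GIF_HEAD[] = {
    'G', 'I', 'F', '8', '9', 'a',
    0x04, 0x00, 0x01, 0x00,    /* width 4, height 1 (little endian) */
    0x80,                      /* GCT present, color resolution 0, N = 0 -> 2 entries */
    0x00, 0x00,                /* background color index, pixel aspect ratio */
    0xFF, 0x00, 0x00,  0x00, 0x00, 0xFF
};

int main(void) {
    uint8_t idx[4] = {0, 1, 1, 255};  /* 255 indexes far past the 2-entry table */
    uint8_t rgb[12];
    int bad = gif_resolve_pixels(SAMPLE_GIF_HEAD, sizeof SAMPLE_GIF_HEAD, idx, 4, rgb);
    printf("declared entries: %d, out-of-range pixels: %d\n",
           gif_gct_entries(SAMPLE_GIF_HEAD, sizeof SAMPLE_GIF_HEAD), bad);
    for (int p = 0; p < 4; p++)
        printf("pixel %d -> (%u,%u,%u)\n", p, rgb[3 * p], rgb[3 * p + 1], rgb[3 * p + 2]);
    return 0;
}
```

Two design choices matter here. The memset runs before any validation, so even an early return on a truncated table leaves a defined (all-zero) palette behind; and the lookup compares against the entry count actually read from the file, not against the 256-entry capacity of the array, which is exactly the gap the report describes.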
 [2017-04-16 13:50 UTC] cmb@php.net
-Status: Open +Status: Verified -Assigned To: +Assigned To: cmb
 [2017-04-16 13:50 UTC] cmb@php.net
Thanks for reporting this issue also here! I'll prepare a patch
for PHP's bundled libgd ASAP.

However, it would be best to release the patch for external libgd
and the bundled libgd simultaneously, but unfortunately the
release of GD 2.2.4 has been delayed.
 [2017-04-17 16:02 UTC] admin at replay dot gg
The CVE for this has been assigned: CVE-2017-7890
 [2017-04-17 16:50 UTC] cmb@php.net
-CVE-ID: +CVE-ID: 2017-7890
 [2017-06-20 07:14 UTC] stas@php.net
Anything happened with this since April?
 [2017-06-20 14:47 UTC] cmb@php.net
The following patch has been added/updated:

Patch Name: fix-74435-php-7.0
Revision:   1497970038
URL:        https://bugs.php.net/patch-display.php?bug=74435&patch=fix-74435-php-7.0&revision=1497970038
 [2017-06-20 14:49 UTC] cmb@php.net
I've provided a patch for PHP 7.0. I assume this should be fixed
in PHP 5.6 as well, though. Anyhow, I can't say when libgd 2.2.5
will be released, where this issue also has to be fixed.
 [2017-07-05 04:13 UTC] stas@php.net
Automatic comment on behalf of cmbecker69@gmx.de
Revision: http://git.php.net/?p=php-src.git;a=commit;h=8dc4f4dc9e44d1cbfe4654aa6e0dc27c94913938
Log: Fix #74435: Buffer over-read into uninitialized memory
 [2017-07-05 04:13 UTC] stas@php.net
-Status: Verified +Status: Closed
 [2017-07-05 04:23 UTC] stas@php.net
Automatic comment on behalf of cmbecker69@gmx.de
Revision: http://git.php.net/?p=php-src.git;a=commit;h=8dc4f4dc9e44d1cbfe4654aa6e0dc27c94913938
Log: Fix #74435: Buffer over-read into uninitialized memory
 [2017-07-06 06:44 UTC] krakjoe@php.net
Automatic comment on behalf of cmbecker69@gmx.de
Revision: http://git.php.net/?p=php-src.git;a=commit;h=018092125538782b25d3ab6b036f0c8d5968f757
Log: Fix #74435: Buffer over-read into uninitialized memory
 
PHP Copyright © 2001-2017 The PHP Group
All rights reserved.
Last updated: Mon Jul 24 10:01:45 2017 UTC