Bug #76041 null pointer access crashed php
Submitted: 2018-03-02 02:38 UTC Modified: 2018-03-02 16:35 UTC
From: jianjia11010 at hotmail dot com Assigned: cmb (profile)
Status: Closed Package: GD related
PHP Version: 7.2.3 OS:
Private report: No CVE-ID: None
 [2018-03-02 02:38 UTC] jianjia11010 at hotmail dot com
Description:
------------
I've tested 7.1.x and 7.0.x; they're OK. With PHP 7.2.x, it crashes.
The problem is that an image resource created by the imagecreate function, which is not truecolor, is treated as truecolor in the gdImageSetAAPixelColor function when the antialias option is on, even though 'im->tpixels' is null.

gd.c:1230:gdImageSetAAPixelColor:
im->tpixels[y][x]=gdTrueColorAlpha(dr, dg, db,  gdAlphaOpaque);

Test script:
---------------
<?php
// palette (non-truecolor) image, as returned by imagecreate()
$im = imagecreate(100, 100);
// enable anti-aliased drawing; in 7.2.x this routes line drawing through gdImageSetAAPixelColor
imageantialias($im, true);
// the line writes im->tpixels[y][x], which is NULL for a palette image
imageline($im, 0, 0, 10, 10, 0xffffff);


Expected result:
----------------
The php process crashed immediately.


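The mechanism the report describes, as an added C example that is neither libgd's nor PHP's code: a toy image struct with the same `trueColor` / `pixels` / `tpixels` split, a predicate showing why an unconditional `tpixels` write dereferences NULL for a palette image, and a hardened pixel store that bounds-checks and dispatches on `trueColor` so the palette path never touches `tpixels`. All names here (`ToyImage`, `toy_*`) are hypothetical, and the diagonal line mirrors the shape of the `imageline()` call in the test script.

```c
#include <stdio.h>
#include <stdlib.h>

/* Toy stand-in for libgd's gdImage (hypothetical; not libgd's struct).  A
 * palette image stores one palette index per pixel in `pixels` and leaves
 * `tpixels` NULL; a truecolor image stores packed RGBA ints in `tpixels`
 * and leaves `pixels` NULL.  Field names follow the bug report. */
typedef struct {
    int sx, sy;
    int trueColor;          /* 1 = truecolor, 0 = palette (imagecreate) */
    unsigned char **pixels; /* palette storage, or NULL */
    int **tpixels;          /* truecolor storage, or NULL */
} ToyImage;

/* Allocates an sx-by-sy image of the requested kind (allocation failures
 * are not handled beyond the outer struct in this toy). */
ToyImage *toy_create(int sx, int sy, int trueColor)
{
    ToyImage *im = calloc(1, sizeof *im);
    if (!im) return NULL;
    im->sx = sx;
    im->sy = sy;
    im->trueColor = trueColor;
    if (trueColor) {
        im->tpixels = calloc((size_t)sy, sizeof *im->tpixels);
        for (int y = 0; y < sy; y++)
            im->tpixels[y] = calloc((size_t)sx, sizeof **im->tpixels);
    } else {
        im->pixels = calloc((size_t)sy, sizeof *im->pixels);
        for (int y = 0; y < sy; y++)
            im->pixels[y] = calloc((size_t)sx, sizeof **im->pixels);
    }
    return im;
}

void toy_destroy(ToyImage *im)
{
    if (!im) return;
    for (int y = 0; y < im->sy; y++) {
        if (im->tpixels) free(im->tpixels[y]);
        if (im->pixels) free(im->pixels[y]);
    }
    free(im->tpixels);
    free(im->pixels);
    free(im);
}

/* Mirrors the buggy assumption on the page: the anti-aliased writer stores
 * into tpixels without consulting trueColor.  Returns 1 when such a write
 * would dereference NULL (the crash in the report), 0 when it would not. */
int toy_aa_write_would_crash(const ToyImage *im)
{
    return im->tpixels == NULL;
}

/* Hardened pixel store: bounds-check first, then dispatch on the image kind.
 * Returns 1 on a successful write, 0 when (x, y) is outside the image, and
 * -1 when the storage does not match the trueColor flag. */
int toy_set_aa_pixel(ToyImage *im, int x, int y, int color)
{
    if (x < 0 || y < 0 || x >= im->sx || y >= im->sy) return 0;
    if (im->trueColor) {
        if (!im->tpixels) return -1;
        im->tpixels[y][x] = color;
    } else {
        if (!im->pixels) return -1;
        im->pixels[y][x] = (unsigned char)(color & 0xff); /* palette index */
    }
    return 1;
}

/* Diagonal line from (0,0) to (n,n), the shape of imageline() in the test
 * script; returns the number of pixels actually written. */
int toy_draw_diagonal(ToyImage *im, int n, int color)
{
    int written = 0;
    for (int i = 0; i <= n; i++)
        if (toy_set_aa_pixel(im, i, i, color) == 1) written++;
    return written;
}

int main(void)
{
    ToyImage *pal = toy_create(100, 100, 0); /* like imagecreate(100,100) */
    ToyImage *tc  = toy_create(100, 100, 1); /* like a truecolor image */
    printf("palette: unchecked AA write would crash: %d\n",
           toy_aa_write_would_crash(pal));
    printf("palette pixels written: %d\n", toy_draw_diagonal(pal, 10, 0xffffff));
    printf("truecolor pixels written: %d\n", toy_draw_diagonal(tc, 10, 0xffffff));
    toy_destroy(pal);
    toy_destroy(tc);
    return 0;
}
```

The check in `toy_set_aa_pixel` is the defensive shape to look for when reviewing a drawing routine: the storage pointer that is dereferenced must be selected by the same flag that decides the image kind, and coordinates must be validated before any row pointer is indexed.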
History

 [2018-03-02 06:51 UTC] stas@php.net
-Type: Security +Type: Bug
 [2018-03-02 08:24 UTC] jianjia11010 at hotmail dot com
In theory, if someone sets the parameters intentionally to access some address that contains a
 valid pointer to another writable location, then the memory CAN BE OVERWRITTEN TO ANYTHING.
For example:
On a 32-bit machine, Addr 0xC0F000 = 0x1F00000, Addr 0x1F00000 is writable; then, if you do:
$im=imagecreate((0xC0F000>>2)+1,1);
imageantialias($im,true);
imageline($im,0,(0xC0F000>>2),0,(0xC0F000>>2),(int)0x12345678);

After that, the content of 0x1F00000 would be 0x12345678.
So, this bug does contain a security risk.
 [2018-03-02 14:02 UTC] cmb@php.net
-Assigned To: +Assigned To: cmb
 [2018-03-02 16:35 UTC] cmb@php.net
Thanks for reporting this issue!

The problem has been caused by switching to the libgd anti-aliased
drawing API[1], and as such only PHP 7.2.0 and higher are
affected. External libgd is *not* affected.

> So, this bug does contain a security risk.

Theoretically, yes, but not practically.  Usually, the bug would
cause a segfault, which would be noticed early by the developer.
As you have shown, there are scenarios which might be exploitable
if an attacker had that much control over the code, which is
pretty unlikely, considering that drawing anti-aliased lines on
palette images would be very uncommon.  See also our Security
Issue Classification document[2].

[1] <http://git.php.net/?p=php-src.git;a=commit;h=d0f14a4429e36d8cb70d14067e79fd252eb4ee7a>
[2] <https://wiki.php.net/security>
 [2018-03-02 16:37 UTC] cmb@php.net
Automatic comment on behalf of cmbecker69@gmx.de
Revision: http://git.php.net/?p=php-src.git;a=commit;h=d83467d70b9986ed3084c62fbbd07a0d8955951f
Log: Fix #76041: null pointer access crashed php
 [2018-03-02 16:37 UTC] cmb@php.net
-Status: Assigned +Status: Closed