Bug #76041 null pointer access crashed php
Submitted: 2018-03-02 02:38 UTC Modified: 2018-03-02 16:35 UTC
From: jianjia11010 at hotmail dot com Assigned: cmb (profile)
Status: Closed Package: GD related
PHP Version: 7.2.3 OS:
Private report: No CVE-ID: None

 [2018-03-02 02:38 UTC] jianjia11010 at hotmail dot com
I've tested 7.1.x and 7.0.x, and they're OK. On PHP 7.2.x it crashes.
The problem is that an image resource created by the imagecreate function, which is not truecolor, is treated as truecolor in the gdImageSetAAPixelColor function when the antialias option is on, even though 'im->tpixels' is null.

im->tpixels[y][x]=gdTrueColorAlpha(dr, dg, db,  gdAlphaOpaque);

Test script:

Expected result:
The php process crashed immediately.


 [2018-03-02 06:51 UTC]
-Type: Security +Type: Bug
 [2018-03-02 08:24 UTC] jianjia11010 at hotmail dot com
In theory, if someone sets the parameter intentionally to access some address that contains a
valid pointer to another writable location, then the memory CAN BE OVERWRITTEN TO ANYTHING.
For example:
On a 32-bit machine, Addr 0xC0F000=0x1F00000, Addr 0x1F00000 is writable, then if one does:

After that, the content of 0x1F00000 would be 0x12345678.
So, this bug does contain a security risk.
 [2018-03-02 14:02 UTC]
-Assigned To: +Assigned To: cmb
 [2018-03-02 16:35 UTC]
Thanks for reporting this issue!

The problem has been caused by switching to the libgd anti-aliased
drawing API[1], and as such only PHP 7.2.0 and higher are
affected. External libgd is *not* affected.

> So, this bug does contain a security risk.

Theoretically, yes, but not practically.  Usually, the bug would
cause a segfault, which would be noticed early by the developer.
As you have shown, there are scenarios which might be exploitable
if an attacker had that much control over the code, which is
pretty unlikely, considering that drawing anti-aliased lines on
palette images would be very uncommon.  See also our Security
Issue Classification document[2].

[1] <;a=commit;h=d0f14a4429e36d8cb70d14067e79fd252eb4ee7a>
[2] <>
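The condition the maintainer describes above (anti-aliased drawing on a palette image created with imagecreate()) can be avoided in userland without waiting for a patched build. The following is an added example, not code from the report or from the PHP/libgd projects; the helper name aa_ready_canvas() and the output filename are invented, and it assumes the GD extension is loaded. It does not try to reproduce the crash; it converts a palette canvas to truecolor before enabling anti-aliasing, so drawing never enters the palette-plus-antialias path on any PHP version.

```php
<?php
// Added example (not from the bug report or from PHP/libgd): make sure a
// canvas is truecolor before enabling anti-aliased drawing.

/**
 * Prepare $im for anti-aliased drawing.
 *
 * A palette image (as returned by imagecreate()) is converted in place with
 * imagepalettetotruecolor(). Anti-aliasing is only switched on afterwards, so
 * the anti-aliased line routines always see a truecolor image. Returns false
 * if the conversion or the antialias switch fails.
 */
function aa_ready_canvas($im): bool
{
    if (!imageistruecolor($im)) {
        if (!imagepalettetotruecolor($im)) {
            return false;
        }
    }
    return imageantialias($im, true);
}

// Constructed sample: a palette canvas, the kind of image the reporter used.
$im = imagecreate(64, 64);
imagecolorallocate($im, 255, 255, 255); // first allocation is the background

echo "truecolor before: " . var_export(imageistruecolor($im), true) . "\n";

if (!aa_ready_canvas($im)) {
    fwrite(STDERR, "could not prepare canvas for anti-aliased drawing\n");
    exit(1);
}

echo "truecolor after: " . var_export(imageistruecolor($im), true) . "\n";

// Allocate the drawing colour after conversion: on a truecolor image
// imagecolorallocate() returns a packed RGB value, not a palette index.
$fg = imagecolorallocate($im, 0, 0, 0);

// The anti-aliased line now runs on the truecolor path.
imageline($im, 0, 0, 63, 63, $fg);
imagepng($im, 'aa_line.png'); // invented output filename
imagedestroy($im);
```

The check in aa_ready_canvas() is cheap and idempotent, so it can sit in front of every drawing routine that enables imageantialias() on an image of unknown origin; any image that reaches imageline() has then been verified truecolor by imageistruecolor() rather than assumed to be.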
 [2018-03-02 16:37 UTC]
Automatic comment on behalf of
Log: Fix #76041: null pointer access crashed php
 [2018-03-02 16:37 UTC]
-Status: Assigned +Status: Closed