Bug #77479 imagewbmp() segfaults with very large images
Submitted: 2019-01-17 12:58 UTC
Modified: 2019-01-18 20:05 UTC
From: cmb@php.net
Assigned: cmb
Status: Closed
Package: GD related
PHP Version: 7.1Git-2019-01-17 (Git)
OS: *
Private report: No
CVE-ID: None
 [2019-01-17 12:58 UTC] cmb@php.net
Description:
------------
If very large images (i.e. >= 256 megapixels) are passed to
imagewbmp(), the function causes a segfault since createwbmp()[1]
fails, but gdImageWBMPCtx() continues after raising an error[2].
This issue does not affect upstream libgd, where this issue has
been fixed long ago with commit 46fd625[3].

It seems to me that this is a low security issue (maybe even no
security issue at all), since it makes no sense to have such large
WBMP images at all, and usually PHP's memory_limit is set low
enough to prevent allocating such large images at all.

[1] <https://github.com/php/php-src/blob/php-7.1.26/ext/gd/libgd/wbmp.c#L110-L140>
[2] <https://github.com/php/php-src/blob/php-7.1.26/ext/gd/libgd/gd_wbmp.c#L100-L102>
[3] <https://github.com/libgd/libgd/commit/46fd62585ecbced255193cd5fe964bc44eb137de>

Test script:
---------------
<?php
$im = imagecreate(40000, 20000);
imagecolorallocate($im, 0, 0, 0);
imagewbmp($im, __DIR__ . '/wbmp.wbmp');
echo "DONE\n";

Expected result:
----------------
Warning: imagewbmp(): gd warning: product of memory allocation multiplication would exceed INT_MAX, failing operation gracefully
 in %s on line %d

Warning: imagewbmp(): Could not create WBMP in %s on line %d
DONE

Actual result:
--------------
Warning: imagewbmp(): gd warning: product of memory allocation multiplication would exceed INT_MAX, failing operation gracefully
 in %s on line %d

Warning: imagewbmp(): Could not create WBMP in %s on line %d
Segmentation fault (core dumped)
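
An added illustration of the failure pattern this report describes, not code from php-src or libgd: an allocator that fails gracefully on integer overflow only protects the program if its caller stops on NULL. All names (`model_wbmp`, `model_create`, `model_write`, `mul_overflows`) and the one-int-per-pixel layout are assumptions made for the example.

```c
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>

/* Simplified model; type and function names are hypothetical, not libgd's. */
typedef struct { int width, height; int *bitmap; } model_wbmp;

/* 1 if a * b cannot be represented in an int (or an operand is not positive). */
static int mul_overflows(int a, int b) {
    return a <= 0 || b <= 0 || a > INT_MAX / b;
}

/* Allocator that fails gracefully: returns NULL instead of a short buffer.
 * Assumes one int per pixel. */
static model_wbmp *model_create(int width, int height) {
    if (mul_overflows((int)sizeof(int), width) ||
        mul_overflows((int)sizeof(int) * width, height)) {
        return NULL;
    }
    model_wbmp *w = malloc(sizeof *w);
    if (w == NULL) return NULL;
    w->bitmap = calloc((size_t)width * (size_t)height, sizeof(int));
    if (w->bitmap == NULL) { free(w); return NULL; }
    w->width = width;
    w->height = height;
    return w;
}

/* Caller with the early return on failure. Without the `return -1`, execution
 * would continue after the error message and write through a NULL pointer. */
static int model_write(int width, int height) {
    model_wbmp *w = model_create(width, height);
    if (w == NULL) {
        fprintf(stderr, "Could not create WBMP\n");
        return -1;               /* stop here; do not touch w->bitmap */
    }
    for (int pos = 0; pos < width * height; pos++) {
        w->bitmap[pos] = 1;      /* fill step that needs a valid buffer */
    }
    free(w->bitmap);
    free(w);
    return 0;
}

int main(void) {
    printf("8x8: %d\n", model_write(8, 8));
    printf("40000x20000: %d\n", model_write(40000, 20000));
    return 0;
}
```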

History

 [2019-01-17 13:09 UTC] cmb@php.net
-Type: Bug +Type: Security -Private report: No +Private report: Yes
 [2019-01-17 13:15 UTC] cmb@php.net
-Assigned To: +Assigned To: stas
 [2019-01-17 13:15 UTC] cmb@php.net
<https://gist.github.com/cmb69/67e7e1658e1fb434452e96b377e7da54>
fixes the issue.

Stas, please assess whether this ticket has to be kept private; if
not, please assign to me.
 [2019-01-18 02:20 UTC] pajoye@php.net
Thanks for the catch up, I must have missed this merge back then.

AFAIR we consider DDoS as a security issue, while 256M pixels will require quite some network to achieve it :)
 [2019-01-18 13:53 UTC] cmb@php.net
To clarify: the segfault occurs *before* imagewbmp() outputs
anything.

Also, I have some doubts that imagewbmp() is actually still in use
anywhere, since it only makes sense for ancient devices (for
somewhat contemporary devices PNG is way better, and even GIF is
still superior).
 [2019-01-18 20:05 UTC] stas@php.net
-Type: Security +Type: Bug -Assigned To: stas +Assigned To: cmb
 [2019-01-18 20:05 UTC] stas@php.net
Doesn't look like a security issue - requires explicit user action with specially crafted parameters to trigger the problem.
 [2019-01-19 09:19 UTC] cmb@php.net
Automatic comment on behalf of cmbecker69@gmx.de
Revision: http://git.php.net/?p=php-src.git;a=commit;h=44fa0b0f311beee4bfcbdb954d61f0c9a8395a96
Log: Fix #77479: imagewbmp() segfaults with very large images
 [2019-01-19 09:19 UTC] cmb@php.net
-Status: Assigned +Status: Closed
 
Last updated: Sun May 26 21:01:26 2019 UTC