php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login

go to bug id or search bugs for

Bug #77479 imagewbmp() segfaults with very large images
Submitted: 2019-01-17 12:58 UTC Modified: 2019-01-18 20:05 UTC
From: cmb@php.net Assigned: cmb (profile)
Status: Closed Package: GD related
PHP Version: 7.1Git-2019-01-17 (Git) OS: *
Private report: No CVE-ID: None
View Add Comment Developer Edit
Welcome! If you don't have a Git account, you can't do anything here.
You can add a comment by following this link or if you reported this bug, you can edit this bug over here.
(description)
Block user comment
Status: Assign to:
Package:
Bug Type:
Summary:
From: cmb@php.net
New email:
PHP Version: OS:

 

 [2019-01-17 12:58 UTC] cmb@php.net 
Description:
------------
If very large images (i.e. >= 256 megapixels) are passed to
imagewbmp(), the function causes a segfault since createwbmp()[1]
fails, but gdImageWBMPCtx() continues after raising an error[2].
This issue does not affect upstream libgd, where this issue has
been fixed long ago with commit 46fd625[3].

It seems to me that this is a low security issue (maybe even no
security issue at all), since it makes no sense to have such large
WBMP images at all, and usually PHP's memory_limit is set low
enough to prevent to allocate such large images at all.

[1] <https://github.com/php/php-src/blob/php-7.1.26/ext/gd/libgd/wbmp.c#L110-L140>
[2] <https://github.com/php/php-src/blob/php-7.1.26/ext/gd/libgd/gd_wbmp.c#L100-L102>
[3] <https://github.com/libgd/libgd/commit/46fd62585ecbced255193cd5fe964bc44eb137de>

Test script:
---------------
<?php
$im = imagecreate(40000, 20000);
imagecolorallocate($im, 0, 0, 0);
imagewbmp($im, __DIR__ . '/wbmp.wbmp');
echo "DONE\n";

Expected result:
----------------
Warning: imagewbmp(): gd warning: product of memory allocation multiplication would exceed INT_MAX, failing operation gracefully
 in %s on line %d

Warning: imagewbmp(): Could not create WBMP in %s on line %d
DONE

Actual result:
--------------
Warning: imagewbmp(): gd warning: product of memory allocation multiplication would exceed INT_MAX, failing operation gracefully
 in %s on line %d

Warning: imagewbmp(): Could not create WBMP in %s on line %d
Segmentation fault (core dumped)

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2019-01-17 13:09 UTC] cmb@php.net
-Type: Bug +Type: Security -Private report: No +Private report: Yes
 [2019-01-17 13:15 UTC] cmb@php.net
-Assigned To: +Assigned To: stas
 [2019-01-17 13:15 UTC] cmb@php.net 
<https://gist.github.com/cmb69/67e7e1658e1fb434452e96b377e7da54>
fixes the issue.

Stas, please assess whether this ticket has to kept private; if
not, please assign to me.
 [2019-01-18 02:20 UTC] pajoye@php.net 
thanks for the cath up, I must have missed this merge back then.

Afair we consider DDOS as security issue while 256M pixels will require quite some network to achieve it :)
 [2019-01-18 13:53 UTC] cmb@php.net 
To clarify: the segfault occurs *before* imagewbmp() outputs
anything.

Also, I have some doubts that imagewbmp() is actually still in use
anywhere, since it only makes sense for ancient devices (for
somewhat contemporary devices PNG is way better, and even GIF is
still superior).
 [2019-01-18 20:05 UTC] stas@php.net
-Type: Security +Type: Bug -Assigned To: stas +Assigned To: cmb
 [2019-01-18 20:05 UTC] stas@php.net 
Doesn't look like security issue - requires explicit user action with specially crafted parameters to trigger the problem.
 [2019-01-19 09:19 UTC] cmb@php.net 
Automatic comment on behalf of cmbecker69@gmx.de
Revision: http://git.php.net/?p=php-src.git;a=commit;h=44fa0b0f311beee4bfcbdb954d61f0c9a8395a96
Log: Fix #77479: imagewbmp() segfaults with very large images
 [2019-01-19 09:19 UTC] cmb@php.net
-Status: Assigned +Status: Closed
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved. 		Last updated: Thu Apr 18 20:01:30 2024 UTC