php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Sec Bug #77973 Uninitialized read in gdImageCreateFromXbm
Submitted: 2019-05-05 10:29 UTC Modified: 2019-06-21 00:18 UTC
From: chamal dot desilva at gmail dot com Assigned: stas (profile)
Status: Closed Package: GD related
PHP Version: 7.1.29 OS: Windows, Linux
Private report: No CVE-ID: 2019-11038
 [2019-05-05 10:29 UTC] chamal dot desilva at gmail dot com
Description:
------------
Versions
--------
PHP 8.0.0-dev - Latest code
PHP 7.3.5 - Stable

Configure Line
--------------
Latest Code from Git-
./configure --prefix=/dir_name/install --enable-gd --enable-cli --enable-debug --without-pear

PHP stable version 7.3.5 -
./configure --prefix=/dir_name/install --with-gd --enable-cli --enable-debug --without-pear

Reproduce Steps
---------------
1. Save test script as xbm.php
   Then execute these commands.
2. export ZEND_DONT_UNLOAD_MODULES=1
3. export USE_ZEND_ALLOC=0
4. valgrind ./php xbm.php



Test script:
---------------
<?php
$contents = hex2bin("23646566696e6520776964746820320a23646566696e652068656967687420320a737461746963206368617220626974735b5d203d7b0a7a7a787a7a");
$filepath = dirname(__FILE__).DIRECTORY_SEPARATOR."test.xbm";
file_put_contents($filepath, $contents);
$xbm = imagecreatefromxbm($filepath);
?>


Actual result:
--------------
Valgrind
--------
Line numbers are from PHP version 7.3.5

==27902== Conditional jump or move depends on uninitialised value(s)
==27902==    at 0x4B12F5: php_gd_gdImageSetPixel (gd.c:766)
==27902==    by 0x4C45C4: php_gd_gdImageCreateFromXbm (gd_xbm.c:141)
==27902==    by 0x4A845F: _php_image_create_from (gd.c:2463)
==27902==    by 0x4A85E5: zif_imagecreatefromxbm (gd.c:2527)
==27902==    by 0x80E61C: ZEND_DO_ICALL_SPEC_RETVAL_USED_HANDLER (zend_vm_execute.h:690)
==27902==    by 0x87BA0F: execute_ex (zend_vm_execute.h:55465)
==27902==    by 0x88107D: zend_execute (zend_vm_execute.h:60881)
==27902==    by 0x7A599E: zend_execute_scripts (zend.c:1568)
==27902==    by 0x70B0C3: php_execute_script (main.c:2630)
==27902==    by 0x883DD2: do_cli (php_cli.c:997)
==27902==    by 0x884F49: main (php_cli.c:1389)

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2019-05-05 10:32 UTC] chamal dot desilva at gmail dot com
Cause of Bug
-------------
Description
------------
This bug is present in gdImageCreateFromXbm method of ext/gd/libgd/gd_xbm.c file.
This method contains below mentioned lines.

...
unsigned int b;
...
sscanf(h, "%x", &b);
		for (bit = 1; bit <= max_bit; bit = bit << 1) {
			gdImageSetPixel(im, x++, y, (b & bit) ? 1 : 0);
...

So when sscanf method is not able to read a hex value, "b" variable will contain uninitialized data.
 [2019-05-06 00:51 UTC] stas@php.net
-Assigned To: +Assigned To: cmb
 [2019-05-06 00:52 UTC] stas@php.net
-Status: Assigned +Status: Feedback
 [2019-05-06 00:52 UTC] stas@php.net
Not sure why is this security issue. So it gets random value, where's security problem in that?
 [2019-05-06 05:28 UTC] chamal dot desilva at gmail dot com
-Status: Feedback +Status: Assigned
 [2019-05-06 05:28 UTC] chamal dot desilva at gmail dot com
My understanding is an uninitialized variable in a method can contain data which is present in stack memory. Sometimes this may lead to unintended information disclosure. But I am not sure.

This document has some information on uninitialized variables.
https://cwe.mitre.org/data/definitions/457.html - (Use of Uninitialized Variable)
 [2019-05-06 08:31 UTC] cmb@php.net
-Status: Assigned +Status: Analyzed -PHP Version: 7.3.5 +PHP Version: 7.1
 [2019-05-06 08:31 UTC] cmb@php.net
Thanks for reporting this issue!  I can confirm the bug, which
affects our bundled libgd as well as upstream libgd.

Since a common pattern is to read a user supplied image file and
to output the image afterwards, there is the potential of
information disclosure, namely that up to 16 bits can be read from
the stack, which are encoded in the resulting image.  However,
this can only happen when imagecreatefromxbm() is called
(imagecreatefromstring() cannot read XBM images), which appears to
be pretty uncommon.  Not sure if we need a CVE therefore.

Anyhow, the fix is straight forward:
<https://gist.github.com/cmb69/2626f1f03df7fb87411238be70ae8995>.
 [2019-05-26 09:39 UTC] cmb@php.net
-Assigned To: cmb +Assigned To: stas
 [2019-05-26 09:39 UTC] cmb@php.net
Stas, please apply the fix for the next GA releases.
 [2019-05-27 23:13 UTC] stas@php.net
-CVE-ID: +CVE-ID: 2019-11038
 [2019-05-27 23:48 UTC] stas@php.net
-PHP Version: 7.1 +PHP Version: 7.1.29
 [2019-05-27 23:49 UTC] stas@php.net
Automatic comment on behalf of cmbecker69@gmx.de
Revision: http://git.php.net/?p=php-src.git;a=commit;h=ed6dee9a198c904ad5e03113e58a2d2c200f5184
Log: Fix #77973: Uninitialized read in gdImageCreateFromXbm
 [2019-05-27 23:49 UTC] stas@php.net
-Status: Analyzed +Status: Closed
 [2019-05-27 23:49 UTC] stas@php.net
Automatic comment on behalf of cmbecker69@gmx.de
Revision: http://git.php.net/?p=php-src.git;a=commit;h=ed6dee9a198c904ad5e03113e58a2d2c200f5184
Log: Fix #77973: Uninitialized read in gdImageCreateFromXbm
 [2019-05-28 07:07 UTC] cmb@php.net
Automatic comment on behalf of cmbecker69@gmx.de
Revision: http://git.php.net/?p=php-src.git;a=commit;h=903b1828dcd68f7cf8b9177a3fe6f481bf627ba9
Log: Fix #77973: Uninitialized read in gdImageCreateFromXbm
 [2019-06-12 01:10 UTC] chamal dot desilva at gmail dot com
CVE-ID (2019-11038) for this bug  is in reserved status.
Is it possible to make this CVE-ID public please?
 [2019-06-12 04:41 UTC] stas@php.net
Yes, sorry, I was extremely busy this week and didn't update the CVEs yet. I'd get to it in coming days.
 [2019-06-21 00:18 UTC] stas@php.net
Updated now.
 
PHP Copyright © 2001-2019 The PHP Group
All rights reserved.
Last updated: Fri Aug 23 08:01:26 2019 UTC