|  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Sec Bug #81739 OOB read due to insufficient input validation in imageloadfont()
Submitted: 2022-10-12 16:13 UTC Modified: 2022-10-24 00:58 UTC
From: Assigned: stas (profile)
Status: Closed Package: GD related
PHP Version: 7.4Git-2022-10-12 (Git) OS: *
Private report: No CVE-ID: 2022-31630
 [2022-10-12 16:13 UTC]
It is possible to construct font files supposed to be loaded by
imageloadfont() which trigger OOB reads if the fonts are actually
accessed (e.g. by imagechar()).  The given test scripts exploits
that by triggering the assignment of a zero byte memory allocation
to (which is happily accepted by imageloadfont()), and
to read beyond this "buffer" when calling imagechar().

So if an application allows to upload arbitrary font files and
working with these, it is likely vulnerable.

Test script:

$s = fopen(__DIR__ . "/font.font", "w");
// header without character data
fwrite($s, "\x01\x00\x00\x00\x20\x00\x00\x00\x08\x00\x00\x00\x08\x00\x00\x00");
$font = imageloadfont(__DIR__ . "/font.font");
$im = imagecreate(10, 10);
imagechar($im, $font, 0, 0, " ", imagecolorallocate($im, 255, 255, 255));

Actual result:
OOB read (not unlikely resulting in a segfault, but could be worse).


Add a Patch

Pull Requests

Pull requests:

Add a Pull Request


AllCommentsChangesGit/SVN commitsRelated reports
 [2022-10-12 16:14 UTC]
-Assigned To: +Assigned To: cmb
 [2022-10-12 18:17 UTC]
-CVE-ID: +CVE-ID: needed
 [2022-10-18 10:17 UTC]
-Assigned To: cmb +Assigned To: stas
 [2022-10-18 10:17 UTC]
This issue has been introduced with commit 88b6037[1], so versions
prior to PHP 7.4.0 are not affected.  We could simply revert that
commit, but maybe it is better to duplicate the overflow check to
avoid confusion.

Suggested patch: <>.

When merging the test into PHP-8.1, please replace the --SKIPIF-- section with

[1] <>
 [2022-10-24 00:44 UTC]
-CVE-ID: needed +CVE-ID: 2022-31630
 [2022-10-24 00:58 UTC]
-Status: Assigned +Status: Closed
 [2022-10-24 00:58 UTC]
The fix for this bug has been committed.
If you are still experiencing this bug, try to check out latest source from and re-test.
Thank you for the report, and for helping us make PHP better.

 [2023-08-29 01:04 UTC] tinocofa1220 at gmail dot com
The following pull request has been associated:

Patch Name: Generate correct links for <type> elements
On GitHub:
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Tue Jul 23 04:01:29 2024 UTC