Integer overflow error within _gdContributionsAlloc()

Sec Bug #72558 Integer overflow error within _gdContributionsAlloc()
Submitted: 2016-07-07 14:00 UTC Modified: 2016-07-19 07:54 UTC
From: cmb@php.net Assigned: stas (profile)
Status: Closed Package: GD related
PHP Version: 5.6.23 OS: *
Private report: No CVE-ID: 2016-6207

 [2016-07-07 14:00 UTC] cmb@php.net

Description:
------------
Secunia Research at Flexera Software has reported a vulnerability
in LibGD, which can be exploited by malicious people to cause a
DoS (Denial of Service). The vulnerability is caused due to an
integer overflow error within the "_gdContributionsAlloc()"
function (gd_interpolation.c) and can be exploited to cause an
out-of-bounds memory write access.

This DOS vulnerability would not actually affect PHP, if
memory_limit is set to a reasonable value. Nonetheless, the issue
should be fixed, of course.

A respective patch has already been provided for libgd and will be
deployed with libgd-2.2.3. The attached patch fixes this
vulnerability in PHP's bundled libgd, and should probably go into
PHP 5.6+.

There has not yet been assigned a CVE for this issue, but Secunia
Research might do that (not yet decided).

As I have prepared the patch in advance, the PHPT and the commit
message might have to be adapted to match the actual ticket
number.

Test script:
---------------
See the supplied PHPT in the attached patch.
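
The two checks pajoye describes below ("overflow checks before gdMalloc") guard exactly the arithmetic the report names: a row count or window size multiplied by an element size, with the product wrapping before it reaches the allocator. The following C is an added illustration, not libgd's or PHP's code. It models a 32-bit build, where size_t is 32 bits wide and the overflow is reachable, with assumed element sizes of 12 bytes per contribution row (a pointer and two ints) and 8 bytes per weight; the width 0x15555556 is the one cmb uses in the thread's PHP 5.5 test, and 0x15555556 * 12 wraps to 8, so the unchecked code would allocate an 8-byte buffer and then write 0x15555556 rows into it.

```c
#include <stdint.h>
#include <stdlib.h>

/* Assumed 32-bit element sizes (not taken from libgd's headers): a row of
 * {pointer, int, int} is 12 bytes, a weight is an 8-byte double. */
#define ROW_BYTES_32    12u
#define WEIGHT_BYTES_32 8u
#define SIZE_MAX_32     UINT32_MAX

typedef struct {
    double *weights;   /* windows_size entries */
    int left, right;
} contrib_row_t;

typedef struct {
    uint32_t line_length;
    uint32_t windows_size;
    contrib_row_t *rows;   /* line_length entries */
} contrib_t;

/* What count * elem_size yields when size_t is 32 bits: the product wraps
 * modulo 2^32. This is the unchecked arithmetic the report describes; a
 * wrapped result means a buffer far smaller than the loop that fills it. */
uint32_t wrapped_bytes32(uint32_t count, uint32_t elem_size) {
    return count * elem_size;   /* uint32_t arithmetic wraps by definition */
}

/* The guard the fix adds before each allocation: does count * elem_size fit
 * in a 32-bit size_t? Division sidesteps computing the product itself.
 * Returns 1 on overflow, 0 if the product is representable. */
int mul_overflows32(uint32_t count, uint32_t elem_size) {
    return count != 0 && elem_size > SIZE_MAX_32 / count;
}

void contrib_free(contrib_t *c) {
    if (!c) return;
    if (c->rows)
        for (uint32_t u = 0; u < c->line_length; u++)
            free(c->rows[u].weights);   /* free(NULL) is a no-op for unfilled rows */
    free(c->rows);
    free(c);
}

/* Hardened allocator: both products are checked before any memory is
 * requested, so the per-row loop can never run past its buffer. Returns
 * NULL on overflow or on allocation failure. */
contrib_t *contrib_alloc_checked(uint32_t line_length, uint32_t windows_size) {
    if (mul_overflows32(line_length, ROW_BYTES_32) ||
        mul_overflows32(windows_size, WEIGHT_BYTES_32))
        return NULL;

    contrib_t *res = calloc(1, sizeof *res);
    if (!res) return NULL;
    res->line_length = line_length;
    res->windows_size = windows_size;
    res->rows = calloc(line_length, sizeof *res->rows);   /* zeroed: weights start NULL */
    if (!res->rows) { free(res); return NULL; }

    for (uint32_t u = 0; u < line_length; u++) {
        res->rows[u].weights = calloc(windows_size, sizeof(double));
        if (!res->rows[u].weights) { contrib_free(res); return NULL; }
    }
    return res;
}

/* Allocates, checks the last row is usable, frees. Returns 1 on success. */
int contrib_roundtrip(uint32_t line_length, uint32_t windows_size) {
    contrib_t *c = contrib_alloc_checked(line_length, windows_size);
    if (!c) return 0;
    int ok = c->line_length == line_length &&
             c->rows[line_length - 1].weights != NULL;
    contrib_free(c);
    return ok;
}
```

The second failure mode pajoye mentions is the other branch of the same arithmetic: when the product does not wrap but is merely huge, the allocator is asked for gigabytes and fails, which in PHP surfaces as the memory_limit error rather than a crash. The overflow check only closes the wrapping case; the size cap is still the job of memory_limit and of input validation on the requested dimensions.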


Patches

fix-72558 (last revision 2016-07-07 14:00 UTC by cmb)

Pull Requests

History


 [2016-07-07 15:05 UTC] pajoye@php.net

Should go in 5.5+

Also, it mainly causes a DoS, either by a crash under certain circumstances (out-of-bounds writes) or, more likely, by an out-of-memory condition in case someone passes invalid inputs from the outside (see test).

 [2016-07-08 10:59 UTC] cmb@php.net

I wanted to verify that the supplied patch can be applied to
PHP-5.5 without conflicts. It does, but the PHPT fails (because
there is no error/warning output). I've found that
imagesetinterpolation() apparently doesn't work before PHP 5.6,
and that `imagescale($im, 0x15555556, 1, IMG_BELL)` has to be used
instead. However, that causes a segfault. I'll investigate.

 [2016-07-08 11:39 UTC] pajoye@php.net

I think it may be easier to release 2.2.3 and backport gd_interpolation.c altogether, adding the news entries for what it fixes.

 [2016-07-13 04:38 UTC] stas@php.net

-Assigned To: +Assigned To: pajoye

 [2016-07-13 12:30 UTC] pajoye@php.net

I will upload an updated patch later once it has been validated by secunia.

Added CVE # too.

 [2016-07-13 12:48 UTC] cmb@php.net

> I think it may be easier to release 2.2.3 and backport
> gd_interpolation.c altogether, […]

That would, however, not affect external libgd builds, and *might*
cause a segfault with PHP 5.5.

 [2016-07-13 13:31 UTC] pajoye@php.net

I sent the patch to the secunia thread.

The only additions are the two overflow checks before gdMalloc in the contrib parts.

If the patch is applied (for 2.2.3), why should external gd be a problem? Same for 5.5 if the RMs apply it.

 [2016-07-17 23:42 UTC] stas@php.net

Could you please send the patch to me too? Thanks.

 [2016-07-18 07:18 UTC] stas@php.net

Fix in security repo as d1a491acf31cf6d2ba65cc7c46fe963a510cd91f

 [2016-07-19 07:00 UTC] pajoye@php.net

-Assigned To: pajoye +Assigned To: stas

 [2016-07-19 07:00 UTC] pajoye@php.net

@stas I let you merge from the security repository. Thanks for taking care of all these things :)

 [2016-07-19 07:54 UTC] stas@php.net

-Status: Assigned +Status: Closed

 [2016-07-19 07:54 UTC] stas@php.net

The fix for this bug has been committed.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.

For Windows:

http://windows.php.net/snapshots/
 
Thank you for the report, and for helping us make PHP better.