Buffer over-read into uninitialized memory
| Sec Bug #74435 | Buffer over-read into uninitialized memory | | |
|---|---|---|---|
| Submitted: | 2017-04-13 16:34 UTC | Modified: | 2017-07-05 04:12 UTC |
| From: | admin at replay dot gg | Assigned: | cmb (profile) |
| Status: | Closed | Package: | GD related |
| PHP Version: | 7.1.3 | OS: | All |
| Private report: | No | CVE-ID: | 2017-7890 |
[2017-04-13 16:34 UTC] admin at replay dot gg
Description:
------------
The GIF decoding function gdImageCreateFromGifCtx in gd_gif_in.c (which can be reached with a call to the imagecreatefromstring() function) uses constant-sized color tables of size 3 * 256, but does not zero-out these arrays before use. An attacker could craft a GIF image with the smallest global color table of size 2, but have color data which indexes the max 256 possibly distinct colors. As a result, the decoded image will contain pixels whose RGB colors will represent whatever data was in the 762 non-initialized bytes from the color table (ColorMap array), which is on the stack.

If the image is then saved and can be accessed, the attacker can use the RGB values of the pixels in the image to read 762 bytes that were on the stack at the time the image was parsed. This could cause sensitive server data such as private keys to be read by the attacker.

If the decoded image is saved in a lossless PNG format, byte-perfect data recovery is trivial. If the decoded image is saved in the JPEG format with the standard 8x8 block DCT, the attacker could craft a GIF image with 16x16 solid-color blocks (to account for CbCr channel down-sampling) which would preserve the pixel data through the quantization process, and again allow for byte-perfect data recovery.

Currently all websites and applications that rely on PHP's imagecreatefromstring() or imagecreatefromgif() function to decode and save GIF images are vulnerable to this bug. The appropriate solution is to zero both ColorMap and localColorMap arrays before use.

This bug has been confirmed by the current maintainers of the official LibGD branch.

-----
Matviy Kotoniy

Test script:
---------------
GIF file with color table size set to 0 in the descriptor, and image data which indexes 256 different colors in the color table.

Expected result:
----------------
Error, or solid color for invalid color indexes

Actual result:
--------------
RGB color data representing ~700 bytes of uninitialized data above the current stack frame.
http://i.imgur.com/OsT7HFP.jpg
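The remedy the report asks for, zeroing the colour table before it is filled, together with the index check that belongs beside it, as an added C example; this is not libgd's decoder or the patch attached to this bug. `struct color_map`, `gif_gct_entries`, `load_global_color_map`, `resolve_index` and the 19-byte `sample_gif` header (declared size field 0, i.e. 2 entries, as in the test script above) are constructed here for illustration.

```c
#include <string.h>
#define GIF_HEADER_LEN 13  /* 6-byte signature + 7-byte logical screen descriptor */

/* Colour table modelled on the 3 * 256 byte ColorMap the report describes. */
struct color_map {
    unsigned char rgb[3][256];
    unsigned entries;      /* entries actually supplied by the file */
};

/* Constructed sample: GIF89a, 16x16, global colour table with the smallest
 * size field (0 -> 2 entries), followed by the two RGB triplets. */
static const unsigned char sample_gif[] = {
    'G', 'I', 'F', '8', '9', 'a', 0x10, 0x00, 0x10, 0x00, /* 16 x 16 */
    0x80,        /* bit 7: GCT present; bits 0-2: size field 0 -> 2 entries */
    0x00, 0x00,  /* background colour index, pixel aspect ratio */
    0x11, 0x22, 0x33, 0x44, 0x55, 0x66   /* entry 0, entry 1 */
};

/* Entries declared for the global colour table (2^(size+1)); 0 if absent or short. */
size_t gif_gct_entries(const unsigned char *buf, size_t len)
{
    if (len < GIF_HEADER_LEN || memcmp(buf, "GIF8", 4) != 0 || !(buf[10] & 0x80))
        return 0;
    return (size_t)1 << ((buf[10] & 0x07) + 1);
}

/* Zero the whole map before filling it, so entries the file never supplies read as zeros. */
int load_global_color_map(const unsigned char *buf, size_t len, struct color_map *cm)
{
    memset(cm, 0, sizeof *cm);
    size_t n = gif_gct_entries(buf, len);
    if (n == 0 || len < GIF_HEADER_LEN + 3 * n)
        return -1;         /* no table, or table truncated */
    for (size_t i = 0; i < n; i++)
        for (int c = 0; c < 3; c++)
            cm->rgb[c][i] = buf[GIF_HEADER_LEN + 3 * i + c];
    cm->entries = (unsigned)n;
    return 0;
}

/* Reject indexes past the supplied entries instead of reading the unused tail. */
int resolve_index(const struct color_map *cm, unsigned idx, unsigned char out[3])
{
    if (idx >= cm->entries)
        return -1;
    for (int c = 0; c < 3; c++)
        out[c] = cm->rgb[c][idx];
    return 0;
}
```

With the index check in place an out-of-range pixel is refused outright; the memset alone would still let such a pixel through, but as zeros rather than stale stack contents.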
Patches
fix-74435-php-7.0 (last revision 2017-06-20 14:47 UTC by cmb@php.net)
Pull Requests
History
[2017-04-13 16:37 UTC] admin at replay dot gg
[2017-04-16 13:50 UTC] cmb@php.net
-Status: Open +Status: Verified -Assigned To: +Assigned To: cmb
[2017-04-16 13:50 UTC] cmb@php.net
[2017-04-17 16:02 UTC] admin at replay dot gg
[2017-04-17 16:50 UTC] cmb@php.net
-CVE-ID: +CVE-ID: 2017-7890
[2017-06-20 07:14 UTC] stas@php.net
[2017-06-20 14:49 UTC] cmb@php.net
[2017-07-05 04:13 UTC] stas@php.net
-Status: Verified +Status: Closed