pajoye Sat Mar 10 12:18:37 2007 UTC
Added files: (Branch: PHP_5_2)
/php-src/ext/gd/libgd gd_security.c
/php-src/ext/gd/tests createfromwbmp2.phpt
Modified files:
/php-src NEWS
/php-src/ext/gd/libgd wbmp.c gdhelpers.h
/php-src/ext/gd config.m4 config.w32
Log:
- MFH: CVE-2007-1001, integer overflow with invalid wbmp images
http://cvs.php.net/viewvc.cgi/php-src/NEWS?r1=1.2027.2.547.2.583&r2=1.2027.2.547.2.584&diff_format=u
Index: php-src/NEWS
diff -u php-src/NEWS:1.2027.2.547.2.583 php-src/NEWS:1.2027.2.547.2.584
--- php-src/NEWS:1.2027.2.547.2.583 Sat Mar 10 01:13:19 2007
+++ php-src/NEWS Sat Mar 10 12:18:36 2007
@@ -16,6 +16,7 @@
- Added tidyNode::getParent() method (John, Nuno)
- Fixed zend_llist_remove_tail (Michael Wallner, Dmitry)
- Fixed a thread safety issue in gd gif read code (Nuno, Roman Nemecek)
+- Fixed CVE-2007-1001, GD wbmp used with invalid image size (Pierre)
- Fixed bug #40764, line thickness not respected for horizontal and vertical
lines (Pierre)
- Fixed bug #40754 (added substr() & substr_replace() overflow checks). (Ilia)
http://cvs.php.net/viewvc.cgi/php-src/ext/gd/libgd/wbmp.c?r1=1.5&r2=1.5.6.1&diff_format=u
Index: php-src/ext/gd/libgd/wbmp.c
diff -u php-src/ext/gd/libgd/wbmp.c:1.5 php-src/ext/gd/libgd/wbmp.c:1.5.6.1
--- php-src/ext/gd/libgd/wbmp.c:1.5 Wed Dec 31 01:01:44 2003
+++ php-src/ext/gd/libgd/wbmp.c Sat Mar 10 12:18:36 2007
@@ -116,6 +116,15 @@
if ((wbmp = (Wbmp *) gdMalloc (sizeof (Wbmp))) == NULL)
return (NULL);
+ if (overflow2(sizeof (int), width)) {
+ gdFree(wbmp);
+ return NULL;
+ }
+ if (overflow2(sizeof (int) * width, height)) {
+ gdFree(wbmp);
+ return NULL;
+ }
+
if ((wbmp->bitmap = (int *) safe_emalloc(sizeof(int), width * height, 0)) ==
NULL)
{
gdFree (wbmp);
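Review bot: The first argument of the second guard, `sizeof (int) * width`, is a `size_t` that is implicitly narrowed to overflow2's `int` parameter; the narrowing is lossless only because the preceding `overflow2(sizeof (int), width)` has already rejected negative widths and products above INT_MAX, so the two checks depend on their order. A comment would keep a later reordering from reintroducing the truncation, e.g. `/* order matters: the first check bounds sizeof(int)*width to INT_MAX, so it fits the int parameter of the second */`. The second hunk of this file folds the same pair into one `||` condition, where short-circuit evaluation preserves the same ordering and the same comment applies. The enclosing function starts before this hunk.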
@@ -176,7 +185,14 @@
printf ("W: %d, H: %d\n", wbmp->width, wbmp->height);
#endif
- if ((wbmp->bitmap = (int *) safe_emalloc(wbmp->width * wbmp->height,
sizeof(int), 0)) == NULL)
+ if (overflow2(sizeof (int), wbmp->width) ||
+ overflow2(sizeof (int) * wbmp->width, wbmp->height))
+ {
+ gdFree(wbmp);
+ return (-1);
+ }
+
+ if ((wbmp->bitmap = (int *) safe_emalloc((size_t)wbmp->width * wbmp->height,
sizeof(int), 0)) == NULL)
{
gdFree (wbmp);
return (-1);
http://cvs.php.net/viewvc.cgi/php-src/ext/gd/libgd/gdhelpers.h?r1=1.8&r2=1.8.6.1&diff_format=u
Index: php-src/ext/gd/libgd/gdhelpers.h
diff -u php-src/ext/gd/libgd/gdhelpers.h:1.8
php-src/ext/gd/libgd/gdhelpers.h:1.8.6.1
--- php-src/ext/gd/libgd/gdhelpers.h:1.8 Sun Dec 28 20:11:08 2003
+++ php-src/ext/gd/libgd/gdhelpers.h Sat Mar 10 12:18:36 2007
@@ -21,6 +21,13 @@
#define gdPFree(ptr) pefree(ptr, 1)
#define gdPEstrdup(ptr) pestrdup(ptr, 1)
+/* Returns nonzero if multiplying the two quantities will
+ result in integer overflow. Also returns nonzero if
+ either quantity is negative. By Phil Knirsch based on
+ netpbm fixes by Alan Cox. */
+
+int overflow2(int a, int b);
+
#ifdef ZTS
#define gdMutexDeclare(x) MUTEX_T x
#define gdMutexSetup(x) x = tsrm_mutex_alloc()
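Review bot: The comment above the new prototype says "integer overflow" without naming the bound; the implementation in gd_security.c tests `a > INT_MAX / b`, so the actual contract is that the product must fit in a signed int, which is narrower than the size_t allocation sizes the wbmp.c callers guard with it. Since both parameters are `int`, a caller passing a size_t expression relies on it already fitting; stating that in the comment, e.g. `Both arguments are int and the product is checked against INT_MAX, not SIZE_MAX; size_t arguments must already fit in int.`, would make the declaration self-describing. The hunk may have lost a blank context line in transit; the declaration itself is complete.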
http://cvs.php.net/viewvc.cgi/php-src/ext/gd/config.m4?r1=1.154.2.1.2.1&r2=1.154.2.1.2.2&diff_format=u
Index: php-src/ext/gd/config.m4
diff -u php-src/ext/gd/config.m4:1.154.2.1.2.1
php-src/ext/gd/config.m4:1.154.2.1.2.2
--- php-src/ext/gd/config.m4:1.154.2.1.2.1 Tue Dec 26 10:42:50 2006
+++ php-src/ext/gd/config.m4 Sat Mar 10 12:18:36 2007
@@ -1,5 +1,5 @@
dnl
-dnl $Id: config.m4,v 1.154.2.1.2.1 2006/12/26 10:42:50 pajoye Exp $
+dnl $Id: config.m4,v 1.154.2.1.2.2 2007/03/10 12:18:36 pajoye Exp $
dnl
dnl
@@ -298,7 +298,7 @@
libgd/gdxpm.c libgd/gdfontt.c libgd/gdfonts.c
libgd/gdfontmb.c libgd/gdfontl.c \
libgd/gdfontg.c libgd/gdtables.c libgd/gdft.c libgd/gdcache.c
libgd/gdkanji.c \
libgd/wbmp.c libgd/gd_wbmp.c libgd/gdhelpers.c
libgd/gd_topal.c libgd/gd_gif_in.c \
- libgd/xbm.c libgd/gd_gif_out.c "
+ libgd/xbm.c libgd/gd_gif_out.c libgd/gd_security.c"
dnl check for fabsf and floorf which are available since C99
AC_CHECK_FUNCS(fabsf floorf)
http://cvs.php.net/viewvc.cgi/php-src/ext/gd/config.w32?r1=1.10&r2=1.10.4.1&diff_format=u
Index: php-src/ext/gd/config.w32
diff -u php-src/ext/gd/config.w32:1.10 php-src/ext/gd/config.w32:1.10.4.1
--- php-src/ext/gd/config.w32:1.10 Sun Aug 7 21:00:28 2005
+++ php-src/ext/gd/config.w32 Sat Mar 10 12:18:36 2007
@@ -1,4 +1,4 @@
-// $Id: config.w32,v 1.10 2005/08/07 21:00:28 sniper Exp $
+// $Id: config.w32,v 1.10.4.1 2007/03/10 12:18:36 pajoye Exp $
// vim:ft=javascript
ARG_WITH("gd", "Bundled GD support", "yes,shared");
@@ -29,7 +29,7 @@
gdcache.c gdfontg.c gdfontl.c gdfontmb.c gdfonts.c
gdfontt.c \
gdft.c gd_gd2.c gd_gd.c gd_gif_in.c gd_gif_out.c
gdhelpers.c gd_io.c gd_io_dp.c \
gd_io_file.c gd_io_ss.c gd_jpeg.c gdkanji.c gd_png.c
gd_ss.c \
- gdtables.c gd_topal.c gd_wbmp.c gdxpm.c wbmp.c xbm.c",
"gd");
+ gdtables.c gd_topal.c gd_wbmp.c gdxpm.c wbmp.c xbm.c
gd_security.c", "gd");
AC_DEFINE('HAVE_LIBGD', 1, 'GD support');
ADD_FLAG("CFLAGS_GD", " \
/D HAVE_GD_DYNAMIC_CTX_EX=1 \
http://cvs.php.net/viewvc.cgi/php-src/ext/gd/libgd/gd_security.c?view=markup&rev=1.1
Index: php-src/ext/gd/libgd/gd_security.c
+++ php-src/ext/gd/libgd/gd_security.c
/*
* gd_security.c
*
* Implements buffer overflow check routines.
*
* Written 2004, Phil Knirsch.
* Based on netpbm fixes by Alan Cox.
*
*/
#ifdef HAVE_CONFIG_H
#include "config.h"
#endif
#include <stdio.h>
#include <stdlib.h>
#include <limits.h>
#include "gd.h"
int overflow2(int a, int b)
{
if(a < 0 || b < 0) {
php_gd_error("gd warning: one parameter to a memory allocation
multiplication is negative, failing operation gracefully\n");
return 1;
}
if(b == 0)
return 0;
if(a > INT_MAX / b) {
php_gd_error("gd warning: product of memory allocation
multiplication would exceed INT_MAX, failing operation gracefully\n");
return 1;
}
return 0;
}
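Review bot: `php_gd_error` is called at both failure sites but none of the four includes shown visibly declares it; presumably gd.h provides the prototype, which is worth confirming because calling a variadic function without a prototype in scope is undefined behaviour. The early `if(b == 0) return 0;` is the only unbraced body in the file while the other two ifs brace theirs; `if (b == 0) { return 0; }` would be consistent. A one-line note in the file header stating the bound, `/* The product is checked against INT_MAX, not SIZE_MAX: it must fit in a signed int. */`, would match what the check at the end actually does.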
http://cvs.php.net/viewvc.cgi/php-src/ext/gd/tests/createfromwbmp2.phpt?view=markup&rev=1.1
Index: php-src/ext/gd/tests/createfromwbmp2.phpt
+++ php-src/ext/gd/tests/createfromwbmp2.phpt
--TEST--
imagecreatefromwbmp with invalid wbmp
--SKIPIF--
<?php
if (!function_exists('imagecreatefromwbmp')) die("skip gd extension not
available\n");
?>
--FILE--
<?php
$filename = dirname(__FILE__) . '/_tmp.wbmp';
$fp = fopen($filename,"wb");
if (!$fp) {
exit("Failed to create <$filename>");
}
//write header
$c = 0;
fputs($fp, chr($c), 1);
fputs($fp, $c, 1);
//write width = 2^32 / 4 + 1
$c = 0x84;
fputs($fp, chr($c), 1);
$c = 0x80;
fputs($fp, chr($c), 1);
fputs($fp, chr($c), 1);
fputs($fp, chr($c), 1);
$c = 0x01;
fputs($fp, chr($c), 1);
/*write height = 4*/
$c = 0x04;
fputs($fp, chr($c), 1);
/*write some data to cause overflow*/
for ($i=0; $i<10000; $i++) {
fwrite($fp, chr($c), 1);
}
fclose($fp);
$im = imagecreatefromwbmp($filename);
unlink($filename);
?>
--EXPECTF--
Warning: imagecreatefromwbmp(): gd warning: product of memory allocation
multiplication would exceed INT_MAX, failing operation gracefully
in %s on line %d
Warning: imagecreatefromwbmp(): '%s' is not a valid WBMP file in %s on line %d
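Review bot: In the header write, `fputs($fp, $c, 1);` passes the integer `$c` rather than `chr($c)`, so the second header byte is the ASCII digit '0' (0x30) instead of the NUL byte the adjacent `fputs($fp, chr($c), 1);` writes; `fputs($fp, chr($c), 1);` is presumably what was intended. The expected output shows the overflow warning is still reached, so the reader evidently tolerates the byte, but the fixture no longer matches its "write header" comment. The five bytes 0x84 0x80 0x80 0x80 0x01 do encode the 2^32 / 4 + 1 width the comment describes, and 4 times that exceeds INT_MAX on both 32- and 64-bit builds, which is why the same warning text can be expected on either; saying so in the comment would make the expectation easier to maintain.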