pajoye Sat Mar 10 13:06:38 2007 UTC Added files: (Branch: PHP_4_4) /php-src/ext/gd/libgd gd_security.c /php-src/ext/gd/tests createfromwbmp2.phpt
Modified files: /php-src NEWS /php-src/ext/gd/libgd gdhelpers.h wbmp.c /php-src/ext/gd config.m4 gd.dsp Log: - MFH: CVE-2007-1001, integer overflow with invalid wbmp images http://cvs.php.net/viewvc.cgi/php-src/NEWS?r1=1.1247.2.920.2.203&r2=1.1247.2.920.2.204&diff_format=u Index: php-src/NEWS diff -u php-src/NEWS:1.1247.2.920.2.203 php-src/NEWS:1.1247.2.920.2.204 --- php-src/NEWS:1.1247.2.920.2.203 Fri Mar 9 10:29:33 2007 +++ php-src/NEWS Sat Mar 10 13:06:37 2007 @@ -1,6 +1,7 @@ PHP 4 NEWS ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||| ?? ??? 2007, Version 4.4.7 +- Fixed CVE-2007-1001, GD wbmp used with invalid image size (Pierre) - Fixed bug #40747 (possible crash in session when save_path is out of open_basedir). (Tony) http://cvs.php.net/viewvc.cgi/php-src/ext/gd/libgd/gdhelpers.h?r1=1.2.2.3&r2=1.2.2.3.4.1&diff_format=u Index: php-src/ext/gd/libgd/gdhelpers.h diff -u php-src/ext/gd/libgd/gdhelpers.h:1.2.2.3 php-src/ext/gd/libgd/gdhelpers.h:1.2.2.3.4.1 --- php-src/ext/gd/libgd/gdhelpers.h:1.2.2.3 Thu Dec 25 22:33:03 2003 +++ php-src/ext/gd/libgd/gdhelpers.h Sat Mar 10 13:06:37 2007 @@ -21,6 +21,13 @@ #define gdPFree(ptr) pefree(ptr, 1) #define gdPEstrdup(ptr) pestrdup(ptr, 1) +/* Returns nonzero if multiplying the two quantities will + result in integer overflow. Also returns nonzero if + either quantity is negative. By Phil Knirsch based on + netpbm fixes by Alan Cox. */ + +int overflow2(int a, int b); + #ifdef ZTS #define gdMutexDeclare(x) MUTEX_T x #define gdMutexSetup(x) x = tsrm_mutex_alloc() http://cvs.php.net/viewvc.cgi/php-src/ext/gd/libgd/wbmp.c?r1=1.2.4.1&r2=1.2.4.1.8.1&diff_format=u Index: php-src/ext/gd/libgd/wbmp.c diff -u php-src/ext/gd/libgd/wbmp.c:1.2.4.1 php-src/ext/gd/libgd/wbmp.c:1.2.4.1.8.1 --- php-src/ext/gd/libgd/wbmp.c:1.2.4.1 Fri Apr 25 00:59:03 2003 +++ php-src/ext/gd/libgd/wbmp.c Sat Mar 10 13:06:37 2007 
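Review bot: The comment added above the overflow2 prototype in gdhelpers.h states the return contract but not that a failing check also reports through php_gd_error (the definition in gd_security.c does so, and createfromwbmp2.phpt expects it as a PHP Warning), so a caller that prints its own message would double-report the same failure. It also leaves out that the bound is INT_MAX and that both parameters are plain int, which matters because the wbmp.c callers pass sizeof (int), a size_t, into the first one. I would extend the comment with `Emits a php_gd_error warning on failure; callers need not report it again.` and `The product is compared against INT_MAX; both arguments are int, so pass only values that fit.`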
@@ -116,6 +116,15 @@
 if ((wbmp = (Wbmp *) gdMalloc (sizeof (Wbmp))) == NULL)
 return (NULL);
 
+ if (overflow2(sizeof (int), width)) {
+ gdFree(wbmp);
+ return NULL;
+ }
+ if (overflow2(sizeof (int) * width, height)) {
+ gdFree(wbmp);
+ return NULL;
+ }
+
 if ((wbmp->bitmap = (int *) safe_emalloc(sizeof(int), (width * height), 0)) == NULL)
 {
 gdFree (wbmp);
@@ -176,6 +185,13 @@
 printf ("W: %d, H: %d\n", wbmp->width, wbmp->height);
 #endif
 
+ if (overflow2(sizeof (int), wbmp->width) ||
+ overflow2(sizeof (int) * wbmp->width, wbmp->height))
+ {
+ gdFree(wbmp);
+ return (-1);
+ }
+
 if ((wbmp->bitmap = (int *) safe_emalloc(sizeof(int), (wbmp->width * wbmp->height), 0)) == NULL)
 {
 gdFree (wbmp);
http://cvs.php.net/viewvc.cgi/php-src/ext/gd/config.m4?r1=1.120.2.25&r2=1.120.2.25.2.1&diff_format=u
Index: php-src/ext/gd/config.m4
diff -u php-src/ext/gd/config.m4:1.120.2.25 php-src/ext/gd/config.m4:1.120.2.25.2.1
--- php-src/ext/gd/config.m4:1.120.2.25	Tue May 17 12:23:09 2005
+++ php-src/ext/gd/config.m4	Sat Mar 10 13:06:37 2007
@@ -1,5 +1,5 @@
 dnl
-dnl $Id: config.m4,v 1.120.2.25 2005/05/17 12:23:09 tony2001 Exp $
+dnl $Id: config.m4,v 1.120.2.25.2.1 2007/03/10 13:06:37 pajoye Exp $
 dnl
 dnl
 
@@ -273,7 +273,7 @@
 libgd/gdxpm.c libgd/gdfontt.c libgd/gdfonts.c libgd/gdfontmb.c libgd/gdfontl.c \
 libgd/gdfontg.c libgd/gdtables.c libgd/gdft.c libgd/gdcache.c libgd/gdkanji.c \
 libgd/wbmp.c libgd/gd_wbmp.c libgd/gdhelpers.c libgd/gd_topal.c libgd/gd_gif_in.c \
- libgd/xbm.c libgd/gd_gif_out.c "
+ libgd/xbm.c libgd/gd_gif_out.c libgd/gd_security.c"
 
 dnl check for fabsf and floorf which are available since C99
 AC_CHECK_FUNCS(fabsf floorf)
http://cvs.php.net/viewvc.cgi/php-src/ext/gd/gd.dsp?r1=1.9.2.8&r2=1.9.2.8.2.1&diff_format=u
Index: php-src/ext/gd/gd.dsp
diff -u php-src/ext/gd/gd.dsp:1.9.2.8 php-src/ext/gd/gd.dsp:1.9.2.8.2.1
--- php-src/ext/gd/gd.dsp:1.9.2.8	Fri Jul 23 02:43:10 2004
+++ php-src/ext/gd/gd.dsp	Sat Mar 10 13:06:37 2007
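Review bot: The two guards added before safe_emalloc in createwbmp are written as separate if blocks with duplicated cleanup, while the identical pair of checks added further down in readwbmp is one condition joined by ||; using one shape in both places makes the pair read as a single size check and avoids a second gdFree/return path to keep in sync. I would collapse this one to `if (overflow2(sizeof (int), width) || overflow2(sizeof (int) * width, height)) {` with a single gdFree(wbmp); return NULL; body. createwbmp's signature and the origin of width and height are outside the hunk, so whether its callers already bound them is not visible here.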
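Review bot: The checks added before the safe_emalloc in readwbmp stop the byte count from wrapping, but they still accept any width*height whose size in bytes fits in INT_MAX, so a header of a handful of bytes can demand an allocation of close to 2 GB before a single pixel is read (width 2^29-1 with height 1 passes both overflow2 calls). In PHP that presumably ends in the memory_limit check inside emalloc rather than a crash, but it is a cheap denial-of-service path and a fatal error rather than the graceful failure the log message promises. A sanity cap on the dimensions, along the lines of `if (wbmp->width > WBMP_MAX_DIM || wbmp->height > WBMP_MAX_DIM) { gdFree(wbmp); return (-1); }` with a constant chosen for realistic WBMP sizes, would close that off before any allocation. Whether getmbi can itself overflow and hand a negative width or height to this point is not visible in the hunk; if it can, the negative-argument test inside overflow2 is what catches it, and that reliance deserves a comment here. readwbmp begins before and continues past this hunk.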
@@ -104,6 +104,10 @@ # End Source File # Begin Source File +SOURCE=.\gd_security.c +# End Source File +# Begin Source File + SOURCE=.\gdttf.c # End Source File # End Group http://cvs.php.net/viewvc.cgi/php-src/ext/gd/libgd/gd_security.c?view=markup&rev=1.1 Index: php-src/ext/gd/libgd/gd_security.c +++ php-src/ext/gd/libgd/gd_security.c /* * gd_security.c * * Implements buffer overflow check routines. * * Written 2004, Phil Knirsch. * Based on netpbm fixes by Alan Cox. * */ #ifdef HAVE_CONFIG_H #include "config.h" #endif #include <stdio.h> #include <stdlib.h> #include <limits.h> #include "gd.h" int overflow2(int a, int b) { if(a < 0 || b < 0) { php_gd_error("gd warning: one parameter to a memory allocation multiplication is negative, failing operation gracefully\n"); return 1; } if(b == 0) return 0; if(a > INT_MAX / b) { php_gd_error("gd warning: product of memory allocation multiplication would exceed INT_MAX, failing operation gracefully\n"); return 1; } return 0; } http://cvs.php.net/viewvc.cgi/php-src/ext/gd/tests/createfromwbmp2.phpt?view=markup&rev=1.1 Index: php-src/ext/gd/tests/createfromwbmp2.phpt +++ php-src/ext/gd/tests/createfromwbmp2.phpt --TEST-- imagecreatefromwbmp with invalid wbmp --SKIPIF-- <?php if (!function_exists('imagecreatefromwbmp')) die("skip gd extension not available\n"); ?> --FILE-- <?php $filename = dirname(__FILE__) . 
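Review bot: The two warnings in overflow2 say that an allocation multiplication was negative or would exceed INT_MAX but not what the operands were, so the one log line a malformed image produces gives an operator nothing to correlate with the file, and the decoder name is not available in this function either. If php_gd_error takes a format string and arguments (its name suggests so, but its declaration is not on this page), include both values: `php_gd_error("gd warning: product of memory allocation multiplication (%d * %d) would exceed INT_MAX, failing operation gracefully\n", a, b);` and the same for the negative case. createfromwbmp2.phpt matches the current text verbatim, so its --EXPECTF-- would need %d placeholders at the same time. The <stdio.h> and <stdlib.h> includes are unused by the one function in this file and can be dropped.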
'/_tmp.wbmp'; $fp = fopen($filename,"wb"); if (!$fp) { exit("Failed to create <$filename>"); } //write header $c = 0; fputs($fp, chr($c), 1); fputs($fp, $c, 1); //write width = 2^32 / 4 + 1 $c = 0x84; fputs($fp, chr($c), 1); $c = 0x80; fputs($fp, chr($c), 1); fputs($fp, chr($c), 1); fputs($fp, chr($c), 1); $c = 0x01; fputs($fp, chr($c), 1); /*write height = 4*/ $c = 0x04; fputs($fp, chr($c), 1); /*write some data to cause overflow*/ for ($i=0; $i<10000; $i++) { fwrite($fp, chr($c), 1); } fclose($fp); $im = imagecreatefromwbmp($filename); unlink($filename); ?> --EXPECTF-- Warning: imagecreatefromwbmp(): gd warning: product of memory allocation multiplication would exceed INT_MAX, failing operation gracefully in %s on line %d Warning: imagecreatefromwbmp(): '%s' is not a valid WBMP file in %s on line %d -- PHP CVS Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
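Review bot: The second header byte is written with `fputs($fp, $c, 1);` where $c is the integer 0, so the byte that lands in the file is the character "0" (0x30) rather than the 0x00 that the chr() call on the preceding line produces; it should be `fputs($fp, chr($c), 1);`. If the reader only skips that fixed-header byte the outcome is unchanged, which is presumably why the test still passes, but the fixture is then not the WBMP the comments describe. The test also never checks what imagecreatefromwbmp returned; ending the script with `var_dump($im);` and adding `bool(false)` to --EXPECTF-- would pin that the decoder fails after the warning rather than handing back a resource.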