PHP (IBB): imagegammacorrect allows arbitrary write access

2016-08-19T02:58:07
ID H1:161193
Type hackerone
Reporter fms
Modified 2019-10-13T18:15:54

Description

Upstream Bug

2016-08-02 03:46 UTC https://bugs.php.net/bug.php?id=72730

Summary

imagegammacorrect accepts two gamma values, if they don't have the same sign then the palette colors will be assigned values bigger than 0xFF, later this values are used to calculate the transparent color using the gdTrueColorAlpha macro, and a negative value will be assigned to the transparent color. This negative value is used as an index and allows writing an arbitrary null, similar to bug #72512

Patch

2016-08-10 07:16 UTC http://git.php.net/?p=php-src.git;a=commit;h=4d76676101f8814520ea988e42b3bda54eb9e255

Fixed for PHP 5.6.25, PHP 7.0.10

http://php.net/ChangeLog-5.php http://php.net/ChangeLog-7.php#7.0.10