PHP (IBB): imagegammacorrect allows arbitrary write access

ID H1:161193
Type hackerone
Reporter fms
Modified 2019-10-13T18:15:54


Upstream Bug

2016-08-02 03:46 UTC


imagegammacorrect accepts two gamma values, if they don't have the same sign then the palette colors will be assigned values bigger than 0xFF, later this values are used to calculate the transparent color using the gdTrueColorAlpha macro, and a negative value will be assigned to the transparent color. This negative value is used as an index and allows writing an arbitrary null, similar to bug #72512


2016-08-10 07:16 UTC;a=commit;h=4d76676101f8814520ea988e42b3bda54eb9e255

Fixed for PHP 5.6.25, PHP 7.0.10