1359777 – php,gd: Out-of-bounds access in output function in gd_gif_out.c

Bug 1359777 - php,gd: Out-of-bounds access in output function in gd_gif_out.c

Summary: php,gd: Out-of-bounds access in output function in gd_gif_out.c

Keywords:
Status:	CLOSED WONTFIX
Alias:	None
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	low
Severity:	low
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	1359837 1359839
Blocks:	1359830
TreeView+	depends on / blocked

Reported:	2016-07-25 12:40 UTC by Adam Mariš
Modified:	2019-09-29 13:53 UTC (History)
CC List:	18 users (show)
Fixed In Version:	php 5.5.38, php 5.6.24, php 7.0.9
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2016-09-26 19:09:01 UTC
Embargoed:

Attachments	(Terms of Use)

Description Adam Mariš 2016-07-25 12:40:31 UTC

It was found that output function from gd_gif_out.c causes out-of-bounds access of the masks array when ctx->cur_bits becomes a negative number.

PHP bug:

https://bugs.php.net/bug.php?id=72519

PHP fix:

https://git.php.net/?p=php-src.git;a=blobdiff;f=ext/gd/libgd/gd_gif_out.c;h=0178dd9741dc4d9f0a956b99670a5838a2f7b22b;hp=14045385ab834abe2c3183f48a6a32dd3a2a19f2;hb=a48f64c403b05da244cfd30399bffd53e910a440;hpb=210222928e52b95827a0b5e4a987303233597f89

Comment 1 Adam Mariš 2016-07-25 14:11:44 UTC

Created gd tracking bugs for this issue:

Affects: fedora-all [bug 1359839]

Comment 2 Adam Mariš 2016-07-25 14:11:55 UTC

Created php tracking bugs for this issue:

Affects: fedora-all [bug 1359837]

Comment 3 Stefan Cornelius 2016-09-26 18:56:34 UTC

Out-of-bounds read of a global buffer. I can't see any real impact on security here.

Note You need to log in before you can comment on or make changes to this bug.