Bug 2139280 (CVE-2022-31630) - CVE-2022-31630 php: OOB read due to insufficient input validation in imageloadfont()
Summary: CVE-2022-31630 php: OOB read due to insufficient input validation in imageloa...
Keywords:
Status: NEW
Alias: CVE-2022-31630
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2139281 2139285 2139286 2139287 2139288 2161668 2161669
Blocks: 2138925
Reported: 2022-11-02 04:51 UTC by TEJ RATHI
Modified: 2023-03-17 17:45 UTC

Fixed In Version: php 7.4.33
Doc Type: If docs needed, set a value
Doc Text:
An out-of-bounds read flaw was found in PHP due to insufficient input validation in the imageloadfont() function. This flaw allows a remote attacker to pass specially crafted data to the web application, trigger an out-of-bounds read error, and read the contents of memory on the system.
Clone Of:
Environment:
Last Closed:




Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2023:0848 0 None None None 2023-02-21 09:31:12 UTC
Red Hat Product Errata RHSA-2023:0965 0 None None None 2023-02-28 08:20:42 UTC

Description TEJ RATHI 2022-11-02 04:51:58 UTC
It is possible to construct font files supposed to be loaded by imageloadfont() which trigger OOB reads if the fonts are actually accessed (e.g. by imagechar()). The given test script exploits that by triggering the assignment of a zero-byte memory allocation to gdFont.data (which is happily accepted by imageloadfont()), and reads beyond this "buffer" when calling imagechar(). So if an application allows uploading arbitrary font files and working with them, it is likely vulnerable.

References:
https://www.php.net/ChangeLog-8.php#8.0.25
https://bugs.php.net/bug.php?id=81739
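The report above describes font files whose header is accepted by imageloadfont() even though the pixel data behind it is absent, so that later drawing calls index past the allocation. The following is an added example, not part of the bug report and not PHP's or GD's own code: a structural consistency check an application can run on an uploaded font before handing it to imageloadfont(), refusing anything whose header does not match the amount of pixel data actually present. The file layout is the one the PHP manual documents for imageloadfont(); the function names, the policy limits (MAX_FONT_CHARS, MAX_GLYPH_DIM) and the sample blobs are assumptions constructed for this example.

```php
<?php
// Added example, not code from the bug report or from PHP/GD itself.
// Layout of a GD font file as documented for imageloadfont():
//   bytes  0-3   number of characters in the font
//   bytes  4-7   value of the first character
//   bytes  8-11  pixel width of each character
//   bytes 12-15  pixel height of each character
//   bytes 16-    one byte per pixel, nchars * width * height bytes in total
// The integers are native C ints, so 'l' (signed 32-bit, machine order) is used.

const GD_FONT_HEADER_LEN = 16;
const MAX_FONT_CHARS = 256;  // assumed policy limit, not a GD constant
const MAX_GLYPH_DIM  = 64;   // assumed policy limit, not a GD constant

/**
 * Returns null if the blob is internally consistent, otherwise a short
 * description of the first inconsistency found.
 */
function gd_font_problem(string $blob): ?string
{
    if (strlen($blob) < GD_FONT_HEADER_LEN) {
        return 'header truncated';
    }
    $h = unpack('lnchars/lfirst/lwidth/lheight', $blob);

    if ($h['nchars'] < 1 || $h['nchars'] > MAX_FONT_CHARS) {
        return "character count {$h['nchars']} out of range";
    }
    // imagechar() addresses glyphs by single-byte character code.
    if ($h['first'] < 0 || $h['first'] > 255) {
        return "first character {$h['first']} out of range";
    }
    foreach (['width', 'height'] as $dim) {
        if ($h[$dim] < 1 || $h[$dim] > MAX_GLYPH_DIM) {
            return "$dim {$h[$dim]} out of range";
        }
    }
    // All three factors are bounded above, so the product cannot overflow.
    $expected = $h['nchars'] * $h['width'] * $h['height'];
    $actual   = strlen($blob) - GD_FONT_HEADER_LEN;
    if ($actual !== $expected) {
        return "header promises $expected pixel bytes, file carries $actual";
    }
    return null;
}

/**
 * Hypothetical wrapper (assumed name): only hands the file to imageloadfont()
 * once the structural check passes, so a font whose pixel area is smaller
 * than what drawing calls will later index is refused up front.
 */
function safe_imageloadfont(string $path)
{
    $blob = @file_get_contents($path);
    if ($blob === false) {
        return false;
    }
    $problem = gd_font_problem($blob);
    if ($problem !== null) {
        error_log("rejected font file $path: $problem");
        return false;
    }
    return imageloadfont($path);
}

// Constructed sample blobs (not taken from the report) exercising the check:
$samples = [
    'good'  => pack('llll', 1, 65, 2, 2) . "\x01\x00\x00\x01", // one 2x2 glyph, 4 data bytes
    'empty' => pack('llll', 1, 65, 0, 0),                      // claims a glyph but zero pixel bytes
    'short' => pack('llll', 2, 65, 2, 2) . "\x01",             // promises 8 data bytes, carries 1
];
foreach ($samples as $name => $blob) {
    printf("%-6s %s\n", $name, gd_font_problem($blob) ?? 'ok');
}
```

The check is deliberately strict about the pixel-data length matching the header rather than merely being non-empty: the dangerous case in the report is a header that imageloadfont() accepts while the backing data is zero bytes, and a length mismatch in either direction is a sign the file was not produced by a font tool. Rejecting the file before it reaches the GD loader is a mitigation for applications that accept user-supplied fonts; it is not a substitute for updating to the fixed PHP release listed above.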

Comment 1 TEJ RATHI 2022-11-02 04:52:11 UTC
Created php tracking bugs for this issue:

Affects: fedora-all [bug 2139281]

Comment 4 errata-xmlrpc 2023-02-21 09:31:10 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2023:0848 https://access.redhat.com/errata/RHSA-2023:0848

Comment 5 errata-xmlrpc 2023-02-28 08:20:41 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2023:0965 https://access.redhat.com/errata/RHSA-2023:0965

