In function: resource imagerotate ( resource $image , float $angle , int $bgd_color [, int $ignore_transparent = 0 ] ) $bgd_color specifies the background color of an image. This is passed in as an integer that represents an index to the color palette. It was found that there is a lack of validation on $bgd_color. One can pass in a large number that exceeds the color palette array, which results in out-of-bounds memory read beyond the color palette. Information of the memory leak can then be obtained via the background color after the image has been rotated. Upstream patches: -> original fix https://github.com/php/php-src/commit/4bb422343f29f06b7081323844d9b52e1a71e4a5 -> improvement https://github.com/php/php-src/commit/2baeb167a08b0186a885208bdc8b5871f1681dc8 -> final correction, includes the reverse of the 2 above : https://github.com/php/php-src/commit/aa8d3a8cc612ba87c0497275f58a2317a90fb1c4 Upstream bug (contains reproducer): https://bugs.php.net/bug.php?id=70976
Created php tracking bugs for this issue: Affects: fedora-all [bug 1297718]
This issue only affects PHP 5.5+ with bundled libgd >= 2.1 So it doesn't affects PHP 5.3 (RHEL-6) OR php 5.4 (RHEL-7)
Fix: https://github.com/php/php-src/commit/4bb422343f29f06b7081323844d9b52e1a71e4a5 https://github.com/php/php-src/commit/2baeb167a08b0186a885208bdc8b5871f1681dc8 https://github.com/php/php-src/commit/aa8d3a8cc612ba87c0497275f58a2317a90fb1c4
This issue has been addressed in the following products: Red Hat Software Collections for Red Hat Enterprise Linux 6 Red Hat Software Collections for Red Hat Enterprise Linux 6.7 EUS Red Hat Software Collections for Red Hat Enterprise Linux 7 Red Hat Software Collections for Red Hat Enterprise Linux 7.2 EUS Red Hat Software Collections for Red Hat Enterprise Linux 7.3 EUS Via RHSA-2016:2750 https://rhn.redhat.com/errata/RHSA-2016-2750.html