Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

libgd integer overflow #18241

Open
YuanchengJiang opened this issue Apr 4, 2025 · 2 comments · May be fixed by #18248
Open

libgd integer overflow #18241

YuanchengJiang opened this issue Apr 4, 2025 · 2 comments · May be fixed by #18248
Assignees
@devnexen
Labels
Bug Extension: gd Status: Verified

Comments

@YuanchengJiang
Copy link

Description

The following code:

<?php
$cls = new DOMImplementation();
$fusion = $GLOBALS;
$im = imagecreatetruecolor(640, 480);
imagefilledpolygon($im, $fusion, 0xFFFF00);

Resulted in this output:

/home/phpfuzz/WorkSpace/flowfusion/php-src/ext/gd/libgd/gd.c:2849:46: runtime error: signed integer overflow: 2147430222 * 1510554573 cannot be represented in type 'int'
    #0 0x1893b57 in php_gd_gdImageFilledPolygon /home/phpfuzz/WorkSpace/flowfusion/php-src/ext/gd/libgd/gd.c:2849:46
    #1 0x1747297 in php_imagepolygon /home/phpfuzz/WorkSpace/flowfusion/php-src/ext/gd/gd.c:2875:4
    #2 0x17474c1 in zif_imagefilledpolygon /home/phpfuzz/WorkSpace/flowfusion/php-src/ext/gd/gd.c:2901:2
    #3 0x4f250e9 in ZEND_DO_ICALL_SPEC_RETVAL_UNUSED_HANDLER /home/phpfuzz/WorkSpace/flowfusion/php-src/Zend/zend_vm_execute.h:1340:2
    #4 0x4a18b97 in execute_ex /home/phpfuzz/WorkSpace/flowfusion/php-src/Zend/zend_vm_execute.h:58690:7
    #5 0x4a1ae1c in zend_execute /home/phpfuzz/WorkSpace/flowfusion/php-src/Zend/zend_vm_execute.h:64342:2
    #6 0x57c5889 in zend_execute_script /home/phpfuzz/WorkSpace/flowfusion/php-src/Zend/zend.c:1943:3
    #7 0x3fa5eca in php_execute_script_ex /home/phpfuzz/WorkSpace/flowfusion/php-src/main/main.c:2594:13
    #8 0x3fa7008 in php_execute_script /home/phpfuzz/WorkSpace/flowfusion/php-src/main/main.c:2634:9
    #9 0x57da79a in do_cli /home/phpfuzz/WorkSpace/flowfusion/php-src/sapi/cli/php_cli.c:952:5
    #10 0x57d4b7f in main /home/phpfuzz/WorkSpace/flowfusion/php-src/sapi/cli/php_cli.c:1355:18
    #11 0x741d4e004d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #12 0x741d4e004e3f in __libc_start_main csu/../csu/libc-start.c:392:3
    #13 0x606174 in _start (/home/phpfuzz/WorkSpace/flowfusion/php-src/sapi/cli/php+0x606174)

SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /home/phpfuzz/WorkSpace/flowfusion/php-src/ext/gd/libgd/gd.c:2849:46 in

To reproduce:

./php-src/sapi/cli/php  ./test.php

Commit:

68665d3cb5dcda5b966fc9edd577581be763ee63

Configurations:

CC="clang-12" CXX="clang++-12" CFLAGS="-DZEND_VERIFY_TYPE_INFERENCE" CXXFLAGS="-DZEND_VERIFY_TYPE_INFERENCE" ./configure --enable-debug --enable-address-sanitizer --enable-undefined-sanitizer --enable-re2c-cgoto --enable-fpm --enable-litespeed --enable-phpdbg-debug --enable-zts --enable-bcmath --enable-calendar --enable-dba --enable-dl-test --enable-exif --enable-ftp --enable-gd --enable-gd-jis-conv --enable-mbstring --enable-pcntl --enable-shmop --enable-soap --enable-sockets --enable-sysvmsg --enable-zend-test --with-zlib --with-bz2 --with-curl --with-enchant --with-gettext --with-gmp --with-mhash --with-ldap --with-libedit --with-readline --with-snmp --with-sodium --with-xsl --with-zip --with-mysqli --with-pdo-mysql --with-pdo-pgsql --with-pgsql --with-sqlite3 --with-pdo-sqlite --with-webp --with-jpeg --with-freetype --enable-sigchild --with-readline --with-pcre-jit --with-iconv

Operating System:

Ubuntu 20.04 Host, Docker 0599jiangyc/flowfusion:latest

This report is automatically generated by FlowFusion

PHP Version

68665d3

Operating System

No response
@devnexen devnexen self-assigned this Apr 4, 2025
@devnexen
Copy link
Member

devnexen commented Apr 4, 2025

after a quick check, seems to be a bundled gd issue (in need of backporting?), looking into it.

@devnexen
Copy link
Member

devnexen commented Apr 4, 2025

Might not be the case, while newer version of libgd fix some few issues (e.g. at the underflow line, fix bad cast), it does not seem to prevent it. I m going to backport some of it and add checks.

devnexen added a commit to devnexen/php-src that referenced this issue Apr 4, 2025
@devnexen
Fixed phpGH-18241: imagefilledpolygon underflow with poly coordinates.
9abb472 
backporting most of gdImageFilledPolygon except the array sort
"optimisation" and adding new checks, if relevant needs to be
upstreamed.
@devnexen devnexen linked a pull request Apr 4, 2025 that will close this issue
Fixed GH-18241: imagefilledpolygon underflow with poly coordinates. #18248
Draft
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@devnexen devnexen

Labels
Bug Extension: gd Status: Verified
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Fixed GH-18241: imagefilledpolygon underflow with poly coordinates. devnexen/php-src
2 participants
@devnexen @YuanchengJiang