Description
The following code:
<?php
// Fuzzer-generated trigger: the DOMImplementation object is unused and not needed for the bug.
$cls = new DOMImplementation();
// $GLOBALS (the global symbol table) is passed below where imagefilledpolygon() expects a flat array of x/y coordinates.
$fusion = $GLOBALS;
$im = imagecreatetruecolor(640, 480);
// The array entries are coerced to integer coordinates; the resulting values overflow an
// intermediate product in the polygon scanline fill (gd.c:2849, see the UBSan report below).
imagefilledpolygon($im, $fusion, 0xFFFF00);
Resulted in this output:
/home/phpfuzz/WorkSpace/flowfusion/php-src/ext/gd/libgd/gd.c:2849:46: runtime error: signed integer overflow: 2147430222 * 1510554573 cannot be represented in type 'int'
#0 0x1893b57 in php_gd_gdImageFilledPolygon /home/phpfuzz/WorkSpace/flowfusion/php-src/ext/gd/libgd/gd.c:2849:46
#1 0x1747297 in php_imagepolygon /home/phpfuzz/WorkSpace/flowfusion/php-src/ext/gd/gd.c:2875:4
#2 0x17474c1 in zif_imagefilledpolygon /home/phpfuzz/WorkSpace/flowfusion/php-src/ext/gd/gd.c:2901:2
#3 0x4f250e9 in ZEND_DO_ICALL_SPEC_RETVAL_UNUSED_HANDLER /home/phpfuzz/WorkSpace/flowfusion/php-src/Zend/zend_vm_execute.h:1340:2
#4 0x4a18b97 in execute_ex /home/phpfuzz/WorkSpace/flowfusion/php-src/Zend/zend_vm_execute.h:58690:7
#5 0x4a1ae1c in zend_execute /home/phpfuzz/WorkSpace/flowfusion/php-src/Zend/zend_vm_execute.h:64342:2
#6 0x57c5889 in zend_execute_script /home/phpfuzz/WorkSpace/flowfusion/php-src/Zend/zend.c:1943:3
#7 0x3fa5eca in php_execute_script_ex /home/phpfuzz/WorkSpace/flowfusion/php-src/main/main.c:2594:13
#8 0x3fa7008 in php_execute_script /home/phpfuzz/WorkSpace/flowfusion/php-src/main/main.c:2634:9
#9 0x57da79a in do_cli /home/phpfuzz/WorkSpace/flowfusion/php-src/sapi/cli/php_cli.c:952:5
#10 0x57d4b7f in main /home/phpfuzz/WorkSpace/flowfusion/php-src/sapi/cli/php_cli.c:1355:18
#11 0x741d4e004d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
#12 0x741d4e004e3f in __libc_start_main csu/../csu/libc-start.c:392:3
#13 0x606174 in _start (/home/phpfuzz/WorkSpace/flowfusion/php-src/sapi/cli/php+0x606174)
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /home/phpfuzz/WorkSpace/flowfusion/php-src/ext/gd/libgd/gd.c:2849:46 in
To reproduce:
./php-src/sapi/cli/php ./test.php
Commit:
68665d3cb5dcda5b966fc9edd577581be763ee63
Configurations:
CC="clang-12" CXX="clang++-12" CFLAGS="-DZEND_VERIFY_TYPE_INFERENCE" CXXFLAGS="-DZEND_VERIFY_TYPE_INFERENCE" ./configure --enable-debug --enable-address-sanitizer --enable-undefined-sanitizer --enable-re2c-cgoto --enable-fpm --enable-litespeed --enable-phpdbg-debug --enable-zts --enable-bcmath --enable-calendar --enable-dba --enable-dl-test --enable-exif --enable-ftp --enable-gd --enable-gd-jis-conv --enable-mbstring --enable-pcntl --enable-shmop --enable-soap --enable-sockets --enable-sysvmsg --enable-zend-test --with-zlib --with-bz2 --with-curl --with-enchant --with-gettext --with-gmp --with-mhash --with-ldap --with-libedit --with-readline --with-snmp --with-sodium --with-xsl --with-zip --with-mysqli --with-pdo-mysql --with-pdo-pgsql --with-pgsql --with-sqlite3 --with-pdo-sqlite --with-webp --with-jpeg --with-freetype --enable-sigchild --with-readline --with-pcre-jit --with-iconv
Operating System:
Ubuntu 20.04 Host, Docker 0599jiangyc/flowfusion:latest
This report is automatically generated by FlowFusion