

Experiment Environment

CentOS 6.5

INSTALL & Configuration

tar -xvf php-5.1.6.tar.gz
cd php-5.1.6
./configure --with-gd
make

Problems in Installation & Configuration

How to trigger vulnerability

gcc -o poc poc.c
./sapi/cli/php poc.php


PHP <= 5.2.1 wbmp file handling integer overflow

PHP GD Extension WBMP File Integer Overflow Vulnerabilities (misinterprets several symbols as their HTML representation)

PHP 5.2.1 'GD' Extension - '.WBMP' File Integer Overflow (one PoC file is missing)

Vulnerability Patch

Root Cause

There is an integer overflow in PHP in ext/gd/libgd/wbmp.c in the function readwbmp. If large enough values are specified for wbmp image height and/or width, so that width*height > 2^32, an integer overflow occurs on the following line:

if ((wbmp->bitmap = (int *) safe_emalloc(wbmp->width * wbmp->height,
sizeof(int), 0)) == NULL)

causing the amount of memory allocated to be smaller than the amount of data to be read, which subsequently causes a buffer overflow (see the DoS PoC below).
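
Added example (not code from PHP or from this repository): a small C model of the width * height computation described above, next to a checked variant that rejects such dimensions before allocating. The function names and the sample dimensions are constructed for illustration, and a 32-bit int is assumed.

```c
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Element count as a 32-bit multiply produces it. Unsigned arithmetic is
 * used so the wrap-around is well defined in C. */
static uint32_t elems_unchecked(int width, int height)
{
    return (uint32_t)width * (uint32_t)height;
}

/* Checked count: returns 0 and stores the count in *out, or -1 when a
 * dimension is non-positive or width * height * sizeof(int) exceeds INT_MAX. */
static int elems_checked(int width, int height, size_t *out)
{
    if (width <= 0 || height <= 0)
        return -1;
    if (width > INT_MAX / height)                     /* product overflows int */
        return -1;
    if (width * height > INT_MAX / (int)sizeof(int))  /* byte size overflows */
        return -1;
    *out = (size_t)width * (size_t)height;
    return 0;
}

int main(void)
{
    /* Constructed header values: true product is 2^32 + 65536. */
    int width = 65536, height = 65537;
    size_t n = 0;

    printf("pixels the reader expects : %llu\n",
           (unsigned long long)width * (unsigned long long)height);
    printf("elements after 32-bit wrap: %u\n",
           (unsigned)elems_unchecked(width, height));
    printf("checked, oversized header : %d\n",
           elems_checked(width, height, &n));
    printf("checked, 640x480 header   : %d\n",
           elems_checked(640, 480, &n));
    return 0;
}
```

With these constructed dimensions the wrapped count is 65536 elements while the header describes more than 2^32 pixels, which is the mismatch between allocation size and data read that the root cause describes.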

Stack Trace


