CVE-2007-1001

Experiment Environment

CentOS 6.5

INSTALL & Configuration

wget https://github.com/mudongliang/source-packages/raw/master/CVE-2007-1001/php-5.1.6.tar.gz
tar -xvf php-5.1.6.tar.gz
cd php-5.1.6
./configure --with-gd
make

Problems in Installation & Configuration

How to trigger vulnerability

gcc -o poc poc.c
./poc
./sapi/cli/php poc.php

PoCs

PHP <= 5.2.1 wbmp file handling integer overflow

The "PHP GD Extension WBMP File Integer Overflow Vulnerabilities" PoC misinterprets several symbols as their HTML representations.

The "PHP 5.2.1 'GD' Extension - '.WBMP' File Integer Overflow" PoC is missing one PoC file.

Vulnerability Patch

Root Cause

There is an integer overflow in PHP in ext/gd/libgd/wbmp.c in the function readwbmp. If large enough values are specified for the WBMP image height and/or width, so that width * height > 2^32, the product wraps on the following line:

    if ((wbmp->bitmap = (int *) safe_emalloc(wbmp->width * wbmp->height,
                                             sizeof(int), 0)) == NULL)

The multiplication is performed in int arithmetic before the call, so the overflow check inside safe_emalloc never sees the true product. The amount of memory allocated is therefore smaller than the amount of bitmap data that is subsequently read into it, causing a heap buffer overflow (see the DoS PoC below).
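To make the root cause concrete, here is an added example (not code from this repository or from PHP) that decodes the multi-byte integers of a WBMP header, reproduces the wrapping width * height product, and shows a checked alternative. The function names wbmp_mbi, vulnerable_pixel_count, dimensions_ok and wbmp_header_ok and the sample headers are chosen here, and the hardened check is illustrative rather than the upstream fix.

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>

/* Decode a WBMP multi-byte integer: 7 data bits per byte, high bit set
 * means another byte follows. Returns -1 if truncated or > INT_MAX. */
static long wbmp_mbi(const unsigned char *p, size_t len, size_t *pos) {
    uint64_t v = 0;
    for (int i = 0; i < 5 && *pos < len; i++) {
        unsigned char b = p[(*pos)++];
        v = (v << 7) | (b & 0x7f);
        if (!(b & 0x80)) return v <= INT_MAX ? (long)v : -1;
    }
    return -1;
}

/* Mirrors the unchecked product in readwbmp(): it wraps modulo 2^32 before
 * safe_emalloc() sees it (unsigned here so the wrap is well defined). */
int vulnerable_pixel_count(int width, int height) {
    return (int)((unsigned)width * (unsigned)height);
}

/* Hardened check (illustrative, not the upstream patch): the product must
 * fit in an int, tested by division so the check itself cannot overflow. */
int dimensions_ok(int width, int height) {
    if (width <= 0 || height <= 0) return 0;
    return width <= INT_MAX / height;
}

/* Parse a type-0 WBMP header (type, fixed-header byte, width, height) and
 * say whether width*height ints are safe to allocate. Out params may be NULL. */
int wbmp_header_ok(const unsigned char *buf, size_t len, int *w, int *h) {
    size_t pos = 0;
    if (wbmp_mbi(buf, len, &pos) != 0) return 0;  /* only image type 0 exists */
    if (pos >= len || buf[pos++] != 0) return 0;  /* fixed header byte */
    long width = wbmp_mbi(buf, len, &pos), height = wbmp_mbi(buf, len, &pos);
    if (width < 0 || height < 0) return 0;
    if (w) *w = (int)width; if (h) *h = (int)height;
    return dimensions_ok((int)width, (int)height);
}
/* Constructed headers: 8x8, and 65536x65536 whose product 2^32 wraps to 0. */
static const unsigned char SMALL_HDR[] = {0x00, 0x00, 0x08, 0x08};
static const unsigned char HUGE_HDR[] = {0x00, 0x00, 0x84, 0x80, 0x00, 0x84, 0x80, 0x00};
int main(void) {
    printf("8x8 ok=%d  65536x65536 ok=%d  wrapped count=%d\n",
           wbmp_header_ok(SMALL_HDR, sizeof SMALL_HDR, NULL, NULL),
           wbmp_header_ok(HUGE_HDR, sizeof HUGE_HDR, NULL, NULL),
           vulnerable_pixel_count(65536, 65536));
    return 0;
}
```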

Stack Trace

Patch

References
