CVE-2015-8874: Stack consumption vulnerability in GD allows remote attackers to cause a denial of service via a crafted imagefilltoborder call

[oerdnj]

Seems like we missed this fix from PHP:

From: =?utf-8?q?Ond=C5=99ej_Sur=C3=BD?= <ondrej@sury.org>
Date: Fri, 20 May 2016 09:39:38 +0200
Subject: CVE-2015-8874

---
 src/gd.c | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/src/gd.c b/src/gd.c
index 300dfce..0603247 100644
--- a/src/gd.c
+++ b/src/gd.c
@@ -1938,6 +1938,17 @@ BGD_DECLARE(void) gdImageFillToBorder (gdImagePtr im, int x, int y, int border,
    restoreAlphaBleding = im->alphaBlendingFlag;
    im->alphaBlendingFlag = 0;

+   if (x >= im->sx) {
+       x = im->sx - 1;
+   } else if (x < 0) {
+       x = 0;
+   }
+   if (y >= im->sy) {
+       y = im->sy - 1;
+   } else if (y < 0) {
+       y = 0;
+   }
+   
    for (i = x; (i >= 0); i--) {
        if (gdImageGetPixel (im, i, y) == border) {
            break;

[oerdnj]

Applied in 3824101, but shame we couldn't fit this to 2.2.0 release.

[vapier]

i don't think it was posted here, so not sure how we were to see it ;)

https://bugs.php.net/bug.php?id=66387

[vapier]

ah, nm, looks like it was filed as issue #178 but the security aspect wasn't marked in there

[oerdnj]

Shame that PHP still keeps their own version of GD... (@pierrejoye ;))

[pierrejoye]

Not going to change but full sync :)

[cmb69]

@pierrejoye @vapier At least we should try our best to cooperate as closely as possible, i.e. reporting issues back and forth between the projects. 😄 For instance, I just noticed by change that this bug has been assigned a CVE (already mailed security at php).

[pierrejoye]

Thanks :)

However I am not totally sure it needs a CVE. But better more than none.

I also marked it on php as non security bug. :)