Open
Description
The following code:
<?php
// Reproducer (fuzzer-generated; identifiers kept as reported).
// 36x36 image that will serve as the tile pattern.
$v_163231 = 36;
$v_163232 = 36;
$v_163233 = imagecreate($v_163231,$v_163232,);
// Float-string width: after the deprecated implicit conversion the target image is 2x150.
$v_163280 = '2.00000000000001';
$v_163235 = 150;
$v_163236 = imagecreate($v_163280,$v_163235,);
// Palette entries on the tile image (white, then black).
$v_163237 = 255;
$v_163238 = 255;
$v_163239 = 255;
$v_163240 = imagecolorallocate($v_163233,$v_163237,$v_163238,$v_163239,);
$v_163241 = 0;
$v_163242 = 0;
$v_163243 = 0;
$v_163244 = imagecolorallocate($v_163233,$v_163241,$v_163242,$v_163243,);
// Palette entries on the 2x150 target image (white, then black).
$v_163245 = 255;
$v_163246 = 255;
$v_163247 = 255;
$v_163240 = imagecolorallocate($v_163236,$v_163245,$v_163246,$v_163247,);
$v_163249 = 0;
$v_163250 = 0;
$v_163251 = 0;
$v_163244 = imagecolorallocate($v_163236,$v_163249,$v_163250,$v_163251,);
// Checkerboard of black pixels on the tile image.
for($x = 0;$x<36;$x+=2){
for($y = 0;$y<36;$y+=2){
$v_163255 = imagesetpixel($v_163233,$x,$y,$v_163244,);
}
}
// Install the 36x36 tile on the 2x150 target image.
$v_163256 = imagesettile($v_163236,$v_163233,);
// Drawing calls on the target image; most coordinates lie off its 2-pixel-wide canvas.
$v_163257 = 9;
$v_163294 = '2';
$v_163259 = 139;
$v_163260 = 139;
$v_163261 = imagerectangle($v_163236,$v_163257,$v_163294,$v_163259,$v_163260,$v_163244,);
$v_163262 = 9;
$v_163263 = 9;
$v_163264 = 139;
$v_163325 = 2;
$v_163266 = imageline($v_163236,$v_163262,$v_163263,$v_163264,$v_163325,$v_163244,);
// Tiled fill seeded at (11,12), which is outside the 2x150 image; this is the call ASan reports (zif_imagefill).
$v_163267 = 11;
$v_163268 = 12;
$v_163269 = IMG_COLOR_TILED;
$v_163270 = imagefill($v_163236,$v_163267,$v_163268,$v_163269,);
Resulted in this output:
Deprecated: Implicit conversion from float-string "2.00000000000001" to int loses precision in /home/36a85ccbd69916da9c44.php.er on line 7
=================================================================
==70==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6120000348be at pc 0x000001598a37 bp 0x7ffc50efdf40 sp 0x7ffc50efdf38
READ of size 1 at 0x6120000348be thread T0
#0 0x1598a36 in php_gd__gdImageFillTiled /home/w023dtc/nightly_php/php-src/ext/gd/libgd/gd.c:2121:24
#1 0x1592abc in php_gd_gdImageFill /home/w023dtc/nightly_php/php-src/ext/gd/libgd/gd.c:1999:3
#2 0x143c9df in zif_imagefill /home/w023dtc/nightly_php/php-src/ext/gd/gd.c:2701:2
#3 0x5ffc69f in ZEND_DO_ICALL_SPEC_RETVAL_USED_HANDLER /home/w023dtc/nightly_php/php-src/Zend/zend_vm_execute.h:1410:2
#4 0x5b18433 in execute_ex /home/w023dtc/nightly_php/php-src/Zend/zend_vm_execute.h:113454:12
#5 0x5b1a9bc in zend_execute /home/w023dtc/nightly_php/php-src/Zend/zend_vm_execute.h:119146:2
#6 0x689b019 in zend_execute_script /home/w023dtc/nightly_php/php-src/Zend/zend.c:1977:3
#7 0x507d5ba in php_execute_script_ex /home/w023dtc/nightly_php/php-src/main/main.c:2608:13
#8 0x507e6f8 in php_execute_script /home/w023dtc/nightly_php/php-src/main/main.c:2648:9
#9 0x68aff2a in do_cli /home/w023dtc/nightly_php/php-src/sapi/cli/php_cli.c:952:5
#10 0x68aa30f in main /home/w023dtc/nightly_php/php-src/sapi/cli/php_cli.c:1363:18
#11 0x14b62a368d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
#12 0x14b62a368e3f in __libc_start_main csu/../csu/libc-start.c:392:3
#13 0x6061f4 in _start (/home/php+0x6061f4)
0x6120000348be is located 1362 bytes to the right of 300-byte region [0x612000034240,0x61200003436c)
allocated by thread T0 here:
#0 0x6810bd in malloc (/home/php+0x6810bd)
#1 0x56f1d03 in __zend_malloc /home/w023dtc/nightly_php/php-src/Zend/zend_alloc.c:3543:14
#2 0x56f0469 in _emalloc /home/w023dtc/nightly_php/php-src/Zend/zend_alloc.c:2780:10
#3 0x56f1f2b in _ecalloc /home/w023dtc/nightly_php/php-src/Zend/zend_alloc.c:2847:6
#4 0x159726f in php_gd__gdImageFillTiled /home/w023dtc/nightly_php/php-src/ext/gd/libgd/gd.c:2108:17
#5 0x1592abc in php_gd_gdImageFill /home/w023dtc/nightly_php/php-src/ext/gd/libgd/gd.c:1999:3
#6 0x143c9df in zif_imagefill /home/w023dtc/nightly_php/php-src/ext/gd/gd.c:2701:2
#7 0x5ffc69f in ZEND_DO_ICALL_SPEC_RETVAL_USED_HANDLER /home/w023dtc/nightly_php/php-src/Zend/zend_vm_execute.h:1410:2
#8 0x5b18433 in execute_ex /home/w023dtc/nightly_php/php-src/Zend/zend_vm_execute.h:113454:12
#9 0x5b1a9bc in zend_execute /home/w023dtc/nightly_php/php-src/Zend/zend_vm_execute.h:119146:2
#10 0x689b019 in zend_execute_script /home/w023dtc/nightly_php/php-src/Zend/zend.c:1977:3
#11 0x507d5ba in php_execute_script_ex /home/w023dtc/nightly_php/php-src/main/main.c:2608:13
#12 0x507e6f8 in php_execute_script /home/w023dtc/nightly_php/php-src/main/main.c:2648:9
#13 0x68aff2a in do_cli /home/w023dtc/nightly_php/php-src/sapi/cli/php_cli.c:952:5
#14 0x68aa30f in main /home/w023dtc/nightly_php/php-src/sapi/cli/php_cli.c:1363:18
#15 0x14b62a368d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
SUMMARY: AddressSanitizer: heap-buffer-overflow /home/w023dtc/nightly_php/php-src/ext/gd/libgd/gd.c:2121:24 in php_gd__gdImageFillTiled
==70==ABORTING
USE_ZEND_ALLOC=0
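An added model, not php-src code, showing why the reported offset follows from the seed coordinates and the seed bounds check that would prevent the read. It assumes the fill's per-pixel "visited" buffer is sx*sy bytes and indexed column-major as y + x*sy; that layout is an assumption, but it reproduces the reported 1362-byte overrun exactly (12 + 11*150 - 300).

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

/* Image dimensions; the report's target image is 2x150 after the
 * float-string width '2.00000000000001' is truncated to 2. */
typedef struct { int sx, sy; } img_dims;

/* Byte offset the seed (x,y) would touch in a hypothetical sx*sy visited
 * buffer, assuming column-major layout y + x*sy (assumption, see lead-in). */
static long visited_index(img_dims d, int x, int y) {
    return (long)y + (long)x * d.sy;
}

/* Bytes past the end of the sx*sy buffer; <= 0 means the read is in bounds.
 * For (11,12) on 2x150 this is 1662 - 300 = 1362, matching the ASan report. */
static long overrun_bytes(img_dims d, int x, int y) {
    return visited_index(d, x, y) - (long)d.sx * d.sy;
}

/* The check the reproducer shows is missing on the tiled path: a seed
 * outside [0,sx) x [0,sy) must be rejected before any buffer access. */
static bool seed_in_bounds(img_dims d, int x, int y) {
    return x >= 0 && y >= 0 && x < d.sx && y < d.sy;
}

/* Hardened entry modelled on imagefill(im, x, y, IMG_COLOR_TILED):
 * returns 0 when the seed is refused, 1 after marking an in-bounds seed. */
static int checked_fill_start(img_dims d, int x, int y, unsigned char *visited) {
    if (!seed_in_bounds(d, x, y)) return 0;   /* no read happens at all */
    visited[visited_index(d, x, y)] = 1;      /* index is now < sx*sy */
    return 1;
}

int main(void) {
    img_dims d = { 2, 150 };
    unsigned char *visited = calloc((size_t)d.sx * d.sy, 1);  /* 300 bytes */
    if (!visited) return 1;
    printf("seed (11,12): index %ld, overrun %ld bytes\n",
           visited_index(d, 11, 12), overrun_bytes(d, 11, 12));
    printf("checked fill at (11,12): %d\n", checked_fill_start(d, 11, 12, visited));
    printf("checked fill at (1,12):  %d\n", checked_fill_start(d, 1, 12, visited));
    free(visited);
    return 0;
}
```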
PHP Version: nightly
Operating System: ubuntu 22.04