ext/gd: fix out-of-bounds write reading font header on short reads#101

Closed
iliaal wants to merge 1 commit into PHP-8.4 from gd-imageloadfont-oob

Conversation

iliaal (Owner) commented Jun 21, 2026
imageloadfont() indexed the header read destination as (char*)&font[b], which scales the byte counter by sizeof(gdFont) instead of advancing one byte, so a short php_stream_read (a user stream wrapper is enough) writes hdr_size-b bytes past the emalloc(sizeof(gdFont)) buffer. The added test drips a valid 1x1 font one byte per read: on stock the load fails and USE_ZEND_ALLOC=0 valgrind reports an invalid write at gd.c:559, with the fix it loads and valgrind is clean.

imageloadfont() read the font header with `(char*)&font[b]`, which scales
the byte counter b by sizeof(gdFont) rather than advancing one byte, so a
short php_stream_read() (deliverable by a user stream wrapper) makes the
loop write hdr_size-b bytes past the emalloc(sizeof(gdFont)) buffer. Index
the destination by bytes, matching the body read a few lines below.
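To make the indexing error concrete, the following added example (not the PR's or PHP's own code) reproduces the shape of the header loop with a constructed in-memory stream that hands back one byte per read. It assumes a gdFont-like struct (nchars, offset, w, h, then the data pointer) with hdr_size taken as sizeof(gdFont) minus the pointer, and the stream_read, read_header and load_1x1 names are mine; instead of performing the out-of-bounds write, the loop checks the destination offset and refuses it, so the `&font[b]` rule fails on the second read while the byte-indexed rule loads the header.

```c
#include <string.h>

/* Header fields of libgd's gdFont (nchars, offset, w, h) then the glyph data
 * pointer; the layout is assumed here for illustration, see gd.h. */
typedef struct { int nchars, offset, w, h; unsigned char *data; } gdFont;
#define HDR_SIZE (sizeof(gdFont) - sizeof(unsigned char *))

/* Constructed in-memory stream returning at most `chunk` bytes per call, the
 * short reads a user stream wrapper can produce. */
typedef struct { const unsigned char *buf; size_t len, pos, chunk; } stream_t;

static size_t stream_read(stream_t *s, unsigned char *dst, size_t want) {
    size_t n = s->len - s->pos;
    if (n > s->chunk) n = s->chunk;
    if (n > want) n = want;
    memcpy(dst, s->buf + s->pos, n);
    s->pos += n;
    return n;
}

/* Byte offset into the allocation that each indexing form targets. */
static size_t buggy_offset(size_t b) { return b * sizeof(gdFont); } /* (char*)&font[b] */
static size_t fixed_offset(size_t b) { return b; }                 /* (char*)font + b */

/* Header loop shaped like imageloadfont()'s, parameterised by the offset rule
 * and guarded so an out-of-bounds destination is refused rather than written.
 * Returns 0 on success, -1 on truncated input, -2 if the write would leave
 * the sizeof(gdFont) buffer. */
static int read_header(stream_t *s, gdFont *font, size_t (*dst_off)(size_t)) {
    for (size_t b = 0; b < HDR_SIZE;) {
        size_t off = dst_off(b), want = HDR_SIZE - b;
        if (off + want > sizeof(gdFont)) return -2;
        size_t n = stream_read(s, (unsigned char *)font + off, want);
        if (n == 0) return -1;
        b += n;
    }
    return 0;
}

/* Load a constructed 1x1, one-glyph header through a stream that yields
 * `chunk` bytes per read; returns read_header()'s status. */
static int load_1x1(size_t chunk, int buggy, gdFont *out) {
    int hdr[4] = { 1, 0, 1, 1 };                     /* nchars, offset, w, h */
    unsigned char bytes[HDR_SIZE];
    memcpy(bytes, hdr, sizeof bytes);
    stream_t s = { bytes, sizeof bytes, 0, chunk };
    memset(out, 0, sizeof *out);
    return read_header(&s, out, buggy ? buggy_offset : fixed_offset);
}
```

With a full-size read the buggy rule also succeeds, because b never advances before the loop finishes; only a short read exposes the scaled offset.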
iliaal (Owner, Author) commented Jun 21, 2026

Submitted upstream as php#22380.

iliaal closed this Jun 21, 2026