Bug #77479 imagewbmp() segfaults with very large images
Submitted: 2019-01-17 12:58 UTC Modified: 2019-01-18 20:05 UTC
From: [email protected] Assigned: cmb (profile)
Status: Closed Package: GD related
PHP Version: 7.1Git-2019-01-17 (Git) OS: *
Private report: No CVE-ID: None
 [2019-01-17 12:58 UTC] [email protected]
Description:
------------
If very large images (i.e. >= 256 megapixels) are passed to
imagewbmp(), the function causes a segfault since createwbmp()[1]
fails, but gdImageWBMPCtx() continues after raising an error[2].
This issue does not affect upstream libgd, where this issue has
been fixed long ago with commit 46fd625[3].

It seems to me that this is a low security issue (maybe even no
security issue at all), since it makes no sense to have such large
WBMP images at all, and usually PHP's memory_limit is set low
enough to prevent allocating such large images at all.

[1] <https://github.com/php/php-src/blob/php-7.1.26/ext/gd/libgd/wbmp.c#L110-L140>
[2] <https://github.com/php/php-src/blob/php-7.1.26/ext/gd/libgd/gd_wbmp.c#L100-L102>
[3] <https://github.com/libgd/libgd/commit/46fd62585ecbced255193cd5fe964bc44eb137de>

Test script:
---------------
<?php
$im = imagecreate(40000, 20000);
imagecolorallocate($im, 0, 0, 0);
imagewbmp($im, __DIR__ . '/wbmp.wbmp');
echo "DONE\n";

Expected result:
----------------
Warning: imagewbmp(): gd warning: product of memory allocation multiplication would exceed INT_MAX, failing operation gracefully
 in %s on line %d

Warning: imagewbmp(): Could not create WBMP in %s on line %d
DONE

Actual result:
--------------
Warning: imagewbmp(): gd warning: product of memory allocation multiplication would exceed INT_MAX, failing operation gracefully
 in %s on line %d

Warning: imagewbmp(): Could not create WBMP in %s on line %d
Segmentation fault (core dumped)
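
The control flow described in this report, modelled as an added example (not code from php-src or libgd): an allocator that fails gracefully on a size overflow, and a caller that either keeps going after reporting the failure or returns. The names demo_wbmp, mul_overflows, demo_create and demo_write are hypothetical, and the structure is a simplified stand-in.

```c
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>

/* Simplified stand-in for a WBMP bitmap (illustrative names, not libgd's). */
typedef struct { int width, height; int *bitmap; } demo_wbmp;

/* 1 if a * b would exceed INT_MAX or an operand is not positive. */
static int mul_overflows(int a, int b)
{
    return a <= 0 || b <= 0 || a > INT_MAX / b;
}

/* Allocator that fails gracefully: NULL on size overflow or out of memory. */
demo_wbmp *demo_create(int width, int height)
{
    demo_wbmp *w;
    if (mul_overflows((int)sizeof(int), width) ||
        mul_overflows((int)sizeof(int) * width, height))
        return NULL;
    if ((w = malloc(sizeof *w)) == NULL)
        return NULL;
    w->bitmap = calloc((size_t)width * (size_t)height, sizeof(int));
    if (w->bitmap == NULL) { free(w); return NULL; }
    w->width = width; w->height = height;
    return w;
}

/* bail_out = 0 models the flawed flow (report the error, keep going);
 * bail_out = 1 models the corrected flow (report the error, return). */
int demo_write(int width, int height, int bail_out)
{
    demo_wbmp *w = demo_create(width, height);
    if (w == NULL) {
        fprintf(stderr, "Could not create WBMP\n");
        if (bail_out)
            return -1;
    }
    w->bitmap[0] = 1;   /* NULL dereference if reached after a failure */
    free(w->bitmap);
    free(w);
    return 0;
}

int main(void)
{
    /* Dimensions from the report's test script; expect -1 and no crash. */
    return demo_write(40000, 20000, 1) == -1 ? 0 : 1;
}
```

Calling demo_write(40000, 20000, 0) reproduces the crash pattern, because the error branch no longer stops execution before the bitmap is touched.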

 [2019-01-17 13:09 UTC] [email protected]
-Type: Bug +Type: Security -Private report: No +Private report: Yes
 [2019-01-17 13:15 UTC] [email protected]
-Assigned To: +Assigned To: stas
 [2019-01-17 13:15 UTC] [email protected]
<https://gist.github.com/cmb69/67e7e1658e1fb434452e96b377e7da54>
fixes the issue.

Stas, please assess whether this ticket has to be kept private; if
not, please assign to me.
 [2019-01-18 02:20 UTC] [email protected]
Thanks for the catch up, I must have missed this merge back then.

Afair we consider DDOS as security issue while 256M pixels will require quite some network to achieve it :)
 [2019-01-18 13:53 UTC] [email protected]
To clarify: the segfault occurs *before* imagewbmp() outputs
anything.

Also, I have some doubts that imagewbmp() is actually still in use
anywhere, since it only makes sense for ancient devices (for
somewhat contemporary devices PNG is way better, and even GIF is
still superior).
 [2019-01-18 20:05 UTC] [email protected]
-Type: Security +Type: Bug -Assigned To: stas +Assigned To: cmb
 [2019-01-18 20:05 UTC] [email protected]
Doesn't look like a security issue - requires explicit user action with specially crafted parameters to trigger the problem.
 [2019-01-19 09:19 UTC] [email protected]
Automatic comment on behalf of [email protected]
Revision: http://git.php.net/?p=php-src.git;a=commit;h=44fa0b0f311beee4bfcbdb954d61f0c9a8395a96
Log: Fix #77479: imagewbmp() segfaults with very large images
 [2019-01-19 09:19 UTC] [email protected]
-Status: Assigned +Status: Closed
 
Last updated: Tue Jun 10 21:02:15 2025 UTC