Merge branch 'PHP-5.5'

* PHP-5.5: Revert removal of overflow2 use in gd.c Function provided by gd_security with bundled libgd Function provided by gd_compat with system libgd
2024-09-25 11:57:26 +00:00 · 2013-05-06 10:02:34 +02:00 · 2013-05-06 10:02:34 +02:00 · 03091c834c
commit 03091c834c
parent 76665ca070 9480de29db
4 changed files with 24 additions and 6 deletions
--- a/ext/gd/gd.c
+++ b/ext/gd/gd.c
@ -57,9 +57,8 @@
 # include <X11/xpm.h>
 #endif

-#ifndef HAVE_GD_BUNDLED
 # include "gd_compat.h"
-#endif /* HAVE_GD_BUNDLED */
+

 static int le_gd, le_gd_font;
 #if HAVE_LIBT1
@ -1476,9 +1475,7 @@ PHP_FUNCTION(imageloadfont)
 		body_size = font->w * font->h * font->nchars;
 	}

-	if ((font->nchars <= 0 || font->h <= 0 || font->w <= 0 ) || \
-		(font->nchars > INT_MAX / font->h) || \
-		(font->nchars * font->h > INT_MAX / font->w)) {
+	if (overflow2(font->nchars, font->h) || overflow2(font->nchars * font->h, font->w )) {
 		php_error_docref(NULL TSRMLS_CC, E_WARNING, "Error reading font, invalid font header");
 		efree(font);
 		php_stream_close(stream);
--- a/ext/gd/gd_compat.c
+++ b/ext/gd/gd_compat.c
@ -10,6 +10,7 @@
 #endif

 #include "gd_compat.h"
+#include <TSRM.h>

 #ifdef HAVE_GD_JPG
 int gdJpegGetVersionInt()
@ -45,3 +46,18 @@ const char * gdPngGetVersionString()
 }
 #endif

+int overflow2(int a, int b)
+{
+	TSRMLS_FETCH();
+
+	if(a <= 0 || b <= 0) {
+		php_error_docref(NULL TSRMLS_CC, E_WARNING, "gd warning: one parameter to a memory allocation multiplication is negative or zero, failing operation gracefully\n");
+		return 1;
+	}
+	if(a > INT_MAX / b) {
+		php_error_docref(NULL TSRMLS_CC, E_WARNING, "gd warning: product of memory allocation multiplication would exceed INT_MAX, failing operation gracefully\n");
+		return 1;
+	}
+	return 0;
+}
+
--- a/ext/gd/gd_compat.h
+++ b/ext/gd/gd_compat.h
@ -1,8 +1,14 @@
 #ifndef GD_COMPAT_H
 #define GD_COMPAT_H 1

+#ifndef HAVE_GD_BUNDLED
+/* from gd_compat.c */
 const char * gdPngGetVersionString();
 const char * gdJpegGetVersionString();
 int gdJpegGetVersionInt();
+#endif
+
+/* from gd_compat.c of libgd/gd_security.c */
+int overflow2(int a, int b);

 #endif /* GD_COMPAT_H */
--- a/ext/gd/tests/imageloadfont_invalid.phpt
+++ b/ext/gd/tests/imageloadfont_invalid.phpt
@ -3,7 +3,6 @@ imageloadfont() function crashes
 --SKIPIF--
 <?php 
 	if (!extension_loaded('gd')) die("skip gd extension not available\n"); 
-	if (!GD_BUNDLED) die('skip external GD libraries always fail');
 ?>
 --FILE--
 <?php