Merge branch 'PHP-7.0'

* PHP-7.0: fix #72519, possible OOB using imagegif
2024-09-29 22:06:09 +00:00 · 2016-07-19 14:16:32 +07:00 · 2016-07-19 14:16:32 +07:00 · 2707271465
commit 2707271465
parent 6434fc9d2b 05e8a0febe
1 changed files with 16 additions and 2 deletions
--- a/ext/gd/libgd/gd_gif_out.c
+++ b/ext/gd/libgd/gd_gif_out.c
@ -601,14 +601,26 @@ nomatch:
 * code in turn.  When the buffer fills up empty it and start over.
 */

-static unsigned long masks[] = { 0x0000, 0x0001, 0x0003, 0x0007, 0x000F,
+static const unsigned long masks[] = { 0x0000, 0x0001, 0x0003, 0x0007, 0x000F,
                                  0x001F, 0x003F, 0x007F, 0x00FF,
                                  0x01FF, 0x03FF, 0x07FF, 0x0FFF,
                                  0x1FFF, 0x3FFF, 0x7FFF, 0xFFFF };

+
+/* Arbitrary value to mark output is done.  When we see EOFCode, then we don't
+ * expect to see any more data.  If we do (e.g. corrupt image inputs), cur_bits
+ * might be negative, so flag it to return early.
+ */
+#define CUR_BITS_FINISHED -1000
+
+
 static void
 output(code_int code, GifCtx *ctx)
 {
+	if (ctx->cur_bits == CUR_BITS_FINISHED) {
+		return;
+	}
+
    ctx->cur_accum &= masks[ ctx->cur_bits ];

    if( ctx->cur_bits > 0 )
@ -655,8 +667,10 @@ output(code_int code, GifCtx *ctx)
                ctx->cur_bits -= 8;
        }

-        flush_char(ctx);
+		/* Flag that it's done to prevent re-entry. */
+		ctx->cur_bits = CUR_BITS_FINISHED;

+        flush_char(ctx);
    }
 }