mirror of
https://github.com/php/php-src.git
synced 2024-09-22 10:27:25 +00:00
Merge branch 'PHP-5.6' into PHP-7.0
* PHP-5.6: Fix #73869: Signed Integer Overflow gd_io.c Fix #73868: DOS vulnerability in gdImageCreateFromGd2Ctx()
This commit is contained in:
commit
5d07438cb3
@ -136,6 +136,10 @@ static int _gd2GetHeader(gdIOCtxPtr in, int *sx, int *sy, int *cs, int *vers, in
|
||||
GD2_DBG(php_gd_error("%d Chunks vertically", *ncy));
|
||||
|
||||
if (gd2_compressed(*fmt)) {
|
||||
if (*ncx <= 0 || *ncy <= 0 || *ncx > INT_MAX / *ncy) {
|
||||
GD2_DBG(printf ("Illegal chunk counts: %d * %d\n", *ncx, *ncy));
|
||||
goto fail1;
|
||||
}
|
||||
nc = (*ncx) * (*ncy);
|
||||
GD2_DBG(php_gd_error("Reading %d chunk index entries", nc));
|
||||
if (overflow2(sizeof(t_chunk_info), nc)) {
|
||||
@ -340,12 +344,16 @@ gdImagePtr gdImageCreateFromGd2Ctx (gdIOCtxPtr in)
|
||||
for (x = xlo; x < xhi; x++) {
|
||||
if (im->trueColor) {
|
||||
if (!gdGetInt(&im->tpixels[y][x], in)) {
|
||||
im->tpixels[y][x] = 0;
|
||||
php_gd_error("gd2: EOF while reading\n");
|
||||
gdImageDestroy(im);
|
||||
return NULL;
|
||||
}
|
||||
} else {
|
||||
int ch;
|
||||
if (!gdGetByte(&ch, in)) {
|
||||
ch = 0;
|
||||
php_gd_error("gd2: EOF while reading\n");
|
||||
gdImageDestroy(im);
|
||||
return NULL;
|
||||
}
|
||||
im->pixels[y][x] = ch;
|
||||
}
|
||||
|
BIN
ext/gd/tests/bug73868.gd2
Normal file
BIN
ext/gd/tests/bug73868.gd2
Normal file
Binary file not shown.
18
ext/gd/tests/bug73868.phpt
Normal file
18
ext/gd/tests/bug73868.phpt
Normal file
@ -0,0 +1,18 @@
|
||||
--TEST--
|
||||
Bug 73868 (DOS vulnerability in gdImageCreateFromGd2Ctx())
|
||||
--SKIPIF--
|
||||
<?php
|
||||
if (!extension_loaded('gd')) die('skip gd extension not available');
|
||||
?>
|
||||
--FILE--
|
||||
<?php
|
||||
var_dump(imagecreatefromgd2(__DIR__ . DIRECTORY_SEPARATOR . 'bug73868.gd2'));
|
||||
?>
|
||||
===DONE===
|
||||
--EXPECTF--
|
||||
Warning: imagecreatefromgd2(): gd2: EOF while reading
|
||||
in %s on line %d
|
||||
|
||||
Warning: imagecreatefromgd2(): '%s' is not a valid GD2 file in %s on line %d
|
||||
bool(false)
|
||||
===DONE===
|
19
ext/gd/tests/bug73869.phpt
Normal file
19
ext/gd/tests/bug73869.phpt
Normal file
@ -0,0 +1,19 @@
|
||||
--TEST--
|
||||
Bug #73869 (Signed Integer Overflow gd_io.c)
|
||||
--SKIPIF--
|
||||
<?php
|
||||
if (!extension_loaded('gd')) die('skip gd extension not available');
|
||||
?>
|
||||
--FILE--
|
||||
<?php
|
||||
var_dump(imagecreatefromgd2(__DIR__ . DIRECTORY_SEPARATOR . 'bug73869a.gd2'));
|
||||
var_dump(imagecreatefromgd2(__DIR__ . DIRECTORY_SEPARATOR . 'bug73869b.gd2'));
|
||||
?>
|
||||
===DONE===
|
||||
--EXPECTF--
|
||||
Warning: imagecreatefromgd2(): '%s' is not a valid GD2 file in %s on line %d
|
||||
bool(false)
|
||||
|
||||
Warning: imagecreatefromgd2(): '%s' is not a valid GD2 file in %s on line %d
|
||||
bool(false)
|
||||
===DONE===
|
BIN
ext/gd/tests/bug73869a.gd2
Normal file
BIN
ext/gd/tests/bug73869a.gd2
Normal file
Binary file not shown.
BIN
ext/gd/tests/bug73869b.gd2
Normal file
BIN
ext/gd/tests/bug73869b.gd2
Normal file
Binary file not shown.
Loading…
Reference in New Issue
Block a user