clones/php-src
1
0
Fork 0
mirror of https://github.com/php/php-src.git synced 2024-09-22 10:27:25 +00:00
Code Issues Packages Projects Releases Wiki Activity

Merge branch 'PHP-5.6' into PHP-7.0

Browse Source 
* PHP-5.6:
  Fix #73869: Signed Integer Overflow gd_io.c
  Fix #73868: DOS vulnerability in gdImageCreateFromGd2Ctx()
This commit is contained in:
Anatol Belski 2017-01-17 09:33:51 +01:00
commit 5d07438cb3
6 changed files with 47 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

12
ext/gd/libgd/gd_gd2.c
View File

@ -136,6 +136,10 @@ static int _gd2GetHeader(gdIOCtxPtr in, int *sx, int *sy, int *cs, int *vers, in
GD2_DBG(php_gd_error("%d Chunks vertically", *ncy));
if (gd2_compressed(*fmt)) {
if (*ncx <= 0 || *ncy <= 0 || *ncx > INT_MAX / *ncy) {
GD2_DBG(printf ("Illegal chunk counts: %d * %d\n", *ncx, *ncy));
goto fail1;
}
nc = (*ncx) * (*ncy);
GD2_DBG(php_gd_error("Reading %d chunk index entries", nc));
if (overflow2(sizeof(t_chunk_info), nc)) {
@ -340,12 +344,16 @@ gdImagePtr gdImageCreateFromGd2Ctx (gdIOCtxPtr in)
for (x = xlo; x < xhi; x++) {
if (im->trueColor) {
if (!gdGetInt(&im->tpixels[y][x], in)) {
im->tpixels[y][x] = 0;
php_gd_error("gd2: EOF while reading\n");
gdImageDestroy(im);
return NULL;
}
} else {
int ch;
if (!gdGetByte(&ch, in)) {
ch = 0;
php_gd_error("gd2: EOF while reading\n");
gdImageDestroy(im);
return NULL;
}
im->pixels[y][x] = ch;
}

BIN
ext/gd/tests/bug73868.gd2 Normal file
View File

Binary file not shown.

18
ext/gd/tests/bug73868.phpt Normal file
View File

@ -0,0 +1,18 @@
--TEST--
Bug 73868 (DOS vulnerability in gdImageCreateFromGd2Ctx())
--SKIPIF--
<?php
if (!extension_loaded('gd')) die('skip gd extension not available');
?>
--FILE--
<?php
var_dump(imagecreatefromgd2(__DIR__ . DIRECTORY_SEPARATOR . 'bug73868.gd2'));
?>
===DONE===
--EXPECTF--
Warning: imagecreatefromgd2(): gd2: EOF while reading
in %s on line %d
Warning: imagecreatefromgd2(): '%s' is not a valid GD2 file in %s on line %d
bool(false)
===DONE===

19
ext/gd/tests/bug73869.phpt Normal file
View File

@ -0,0 +1,19 @@
--TEST--
Bug #73869 (Signed Integer Overflow gd_io.c)
--SKIPIF--
<?php
if (!extension_loaded('gd')) die('skip gd extension not available');
?>
--FILE--
<?php
var_dump(imagecreatefromgd2(__DIR__ . DIRECTORY_SEPARATOR . 'bug73869a.gd2'));
var_dump(imagecreatefromgd2(__DIR__ . DIRECTORY_SEPARATOR . 'bug73869b.gd2'));
?>
===DONE===
--EXPECTF--
Warning: imagecreatefromgd2(): '%s' is not a valid GD2 file in %s on line %d
bool(false)
Warning: imagecreatefromgd2(): '%s' is not a valid GD2 file in %s on line %d
bool(false)
===DONE===

BIN
ext/gd/tests/bug73869a.gd2 Normal file
View File

Binary file not shown.

BIN
ext/gd/tests/bug73869b.gd2 Normal file
View File

Binary file not shown.