- MFB: fix crash when some crafted font are given

ext/gd/gd.c

@@ -1634,6 +1634,19 @@ PHP_FUNCTION(imageloadfont)
 		body_size = font->w * font->h * font->nchars;
 	}
 
+	if (overflow2(font->nchars, font->h)) {
+		php_error_docref(NULL TSRMLS_CC, E_WARNING, "Error reading font, invalid font header");
+		efree(font);
+		php_stream_close(stream);
+		RETURN_FALSE;
+	}
+	if (overflow2(font->nchars * font->h, font->w )) {
+		php_error_docref(NULL TSRMLS_CC, E_WARNING, "Error reading font, invalid font header");
+		efree(font);
+		php_stream_close(stream);
+		RETURN_FALSE;
+	}
+
 	if (body_size != body_size_check) {
 		php_error_docref(NULL TSRMLS_CC, E_WARNING, "Error reading font");
 		efree(font);

ext/gd/tests/imageloadfont_invalid.phpt

@@ -0,0 +1,25 @@
+--TEST--
+imageloadfont() function crashes
+--SKIPIF--
+<?php 
+	if (!extension_loaded('gd')) die("skip gd extension not available\n"); 
+	if (!GD_BUNDLED) die('skip external GD libraries always fail');
+?>
+--FILE--
+<?php
+$filename = dirname(__FILE__) .  '/font.gdf';
+$bin = "\x41\x41\x41\x41\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x01\x00";
+$fp = fopen($filename, 'wb');
+fwrite($fp, $bin);
+fclose($fp);
+
+$image = imagecreatetruecolor(50, 20);
+$font = imageloadfont($filename);
+$black = imagecolorallocate($image, 0, 0, 0);
+imagestring($image, $font, 0, 0, "Hello", $black);
+?>
+--EXPECTF--
+Warning: imageloadfont(): gd warning: product of memory allocation multiplication would exceed INT_MAX, failing operation gracefully
+ in %simageloadfont_invalid.php on line %d
+
+Warning: imageloadfont(): Error reading font, invalid font header in %simageloadfont_invalid.php on line %d