Merge branch 'PHP-8.1' into PHP-8.2
commit
dedaf40d21
@ -593,6 +593,12 @@ PHP_FUNCTION(imageloadfont)
|
||||
font->w = FLIPWORD(font->w);
|
||||
font->h = FLIPWORD(font->h);
|
||||
font->nchars = FLIPWORD(font->nchars);
|
||||
if (overflow2(font->nchars, font->h) || overflow2(font->nchars * font->h, font->w )) {
|
||||
php_error_docref(NULL, E_WARNING, "Error reading font, invalid font header");
|
||||
efree(font);
|
||||
php_stream_close(stream);
|
||||
RETURN_FALSE;
|
||||
}
|
||||
body_size = font->w * font->h * font->nchars;
|
||||
}
|
||||
|
||||
@ -603,6 +609,7 @@ PHP_FUNCTION(imageloadfont)
|
||||
RETURN_FALSE;
|
||||
}
|
||||
|
||||
ZEND_ASSERT(body_size > 0);
|
||||
font->data = emalloc(body_size);
|
||||
b = 0;
|
||||
while (b < body_size && (n = php_stream_read(stream, &font->data[b], body_size - b)) > 0) {
|
||||
|
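Review bot: The `overflow2()` check added after the three `FLIPWORD` lines has no comment saying why the header is validated at this point, so it reads like a redundant copy that a later cleanup could remove. The byte-swapped `w`, `h` and `nchars` are new values derived from the font file, and their product becomes `body_size`, which sizes the `emalloc()` and bounds the read loop shown in the second hunk. I would add `/* swapped header fields are untrusted too: re-check before multiplying (bug #81739) */` above the `if`. The `ZEND_ASSERT(body_size > 0)` in the second hunk is, as far as I know, not enforced as a runtime check in release builds, so a one-line comment naming the check that establishes it would help there as well. `imageloadfont` begins and ends outside both hunks.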
24
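--- a/ext/gd/tests/bug81739.phpt
+++ b/ext/gd/tests/bug81739.phpt
@@ -0,0 +1,24 @@
+--TEST--
+Bug #81739 (OOB read due to insufficient validation in imageloadfont())
+--SKIPIF--
+<?php
+if (!extension_loaded("gd")) die("skip gd extension not available");
+?>
+--FILE--
+<?php
+$s = fopen(__DIR__ . "/font.font", "w");
+// header without character data
+fwrite($s, "\x01\x00\x00\x00\x20\x00\x00\x00\x08\x00\x00\x00\x08\x00\x00\x00");
+fclose($s);
+var_dump(imageloadfont(__DIR__ . "/font.font"));
+?>
+--CLEAN--
+<?php
+@unlink(__DIR__ . "/font.font");
+?>
+--EXPECTF--
+Warning: imageloadfont(): %croduct of memory allocation multiplication would exceed INT_MAX, failing operation gracefully
+in %s on line %d
+
+Warning: imageloadfont(): Error reading font, invalid font header in %s on line %d
+bool(false)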
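Review bot: The fixture name `font.font` used in `--FILE--` and `--CLEAN--` is generic, so another test in the same directory that picks the same name could collide with this one when the suite runs in parallel. Naming it after the test, for example `__DIR__ . "/bug81739.font"` in all three places, keeps the file unique. The comment `// header without character data` could also state which header fields the sixteen bytes set, since the expected overflow warning presumably depends on how those values look after byte swapping.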