af09d8b96a
This amends commit 8f4a537, which aimed to correct a NULL dereference caused by a
missing check of the gdImageCreateTrueColor() / gdImageCreate() return value. That
commit checks for a negative crop rectangle width and height, but
gdImageCreate*() can also return NULL when width * height overflows. Hence a
NULL deref is still possible, as gdImageSaveAlpha() and gdImagePaletteCopy()
are called before the dst == NULL check.
This moves the NULL check to happen right after gdImageCreate*(). It also removes
the width and height check before gdImageCreate*(), as the same check is done by
the image create functions (with an extra warning).
From thoger redhat com
--TEST--
Bug #66356 (Heap Overflow Vulnerability in imagecrop())
--SKIPIF--
<?php
// Every case in this test calls imagecrop(), which lives in ext/gd; skip
// the whole test (rather than fail it) when that extension is not loaded.
if (extension_loaded('gd') === false) {
    die('skip gd extension not available');
}
?>
--FILE--
<?php

/*
 * Regression test for bug #66356 (heap overflow in imagecrop()).
 *
 * Each case hands imagecrop() an unusual crop rectangle and dumps the
 * result. Per --EXPECTF--, a case either yields a fresh gd resource or a
 * "gd warning: ..." followed by bool(false); none of them may crash.
 * The last case (bug 66815) is the width * height overflow described in
 * the commit message.
 */

// Crop $src with $rect and var_dump() whatever imagecrop() hands back.
function crop_and_dump($src, array $rect)
{
    var_dump(imagecrop($src, $rect));
}

$src = imagecreatetruecolor(10, 10);

// POC #1: a non-numeric string as the "x" coordinate; the crop is still
// expected to succeed (a resource is dumped).
crop_and_dump($src, ["x" => "a", "y" => 0, "width" => 10, "height" => 10]);

// Same, with a non-numeric "y" as well. print_r() afterwards shows that
// imagecrop() hands the caller's array back unchanged ("a" and "12b").
$rect = ["x" => "a", "y" => "12b", "width" => 10, "height" => 10];
crop_and_dump($src, $rect);
print_r($rect);

// POC #2: negative width; gd warns that a memory allocation multiplication
// parameter is negative or zero and imagecrop() returns false.
crop_and_dump($src, ["x" => 0, "y" => 0, "width" => -1, "height" => 10]);

// POC #3: rectangle starting well outside the 10x10 source (negative x/y).
crop_and_dump($src, ["x" => -20, "y" => -20, "width" => 10, "height" => 10]);

// POC #4: huge "x" (0x7fffff00), far beyond the source width.
crop_and_dump($src, ["x" => 0x7fffff00, "y" => 0, "width" => 10, "height" => 10]);

// bug 66815: 65535 * 65535 exceeds INT_MAX, so the allocation size
// computation overflows; gd warns and imagecrop() returns false.
crop_and_dump($src, ["x" => 0, "y" => 0, "width" => 65535, "height" => 65535]);
?>
--EXPECTF--
resource(%d) of type (gd)
resource(%d) of type (gd)
Array
(
    [x] => a
    [y] => 12b
    [width] => 10
    [height] => 10
)

Warning: imagecrop(): gd warning: one parameter to a memory allocation multiplication is negative or zero, failing operation gracefully
 in %sbug66356.php on line %d
bool(false)
resource(%d) of type (gd)
resource(%d) of type (gd)

Warning: imagecrop(): gd warning: product of memory allocation multiplication would exceed INT_MAX, failing operation gracefully
 in %sbug66356.php on line %d
bool(false)