clones/php-src
1
0
Fork 0
mirror of https://github.com/php/php-src.git synced 2024-09-26 20:37:29 +00:00
Code Issues Packages Projects Releases Wiki Activity
faa396c67d
php-src/ext/gd/tests/bug66356.phpt
Remi Collet af09d8b96a Fixed Bug #66815 imagecrop(): insufficient fix for NULL defer CVE-2013-7327 
This amends commit 8f4a537, which aimed to correct NULL dereference because of
missing check of gdImageCreateTrueColor() / gdImageCreate() return value.  That
commit checks for negative crop rectangle width and height, but
gdImageCreate*() can also return NULL when width * height overflows.  Hence
NULL deref is still possible, as gdImageSaveAlpha() and gdImagePaletteCopy()
is called before dst == NULL check.

This moves NULL check to happen right after gdImageCreate*().  It also removes
width and height check before gdImageCreate*(), as the same check is done by
image create functions (with an extra warning).

From thoger redhat com
2014-03-05 10:40:36 +01:00

49 lines
1.3 KiB
PHP
Raw Blame History

--TEST--
Bug #66356 (Heap Overflow Vulnerability in imagecrop())
--SKIPIF--
<?php
if(!extension_loaded('gd')){ die('skip gd extension not available'); }
?>
--FILE--
<?php
$img = imagecreatetruecolor(10, 10);
// POC #1
var_dump(imagecrop($img, array("x" => "a", "y" => 0, "width" => 10, "height" => 10)));
$arr = array("x" => "a", "y" => "12b", "width" => 10, "height" => 10);
var_dump(imagecrop($img, $arr));
print_r($arr);
// POC #2
var_dump(imagecrop($img, array("x" => 0, "y" => 0, "width" => -1, "height" => 10)));
// POC #3
var_dump(imagecrop($img, array("x" => -20, "y" => -20, "width" => 10, "height" => 10)));
// POC #4
var_dump(imagecrop($img, array("x" => 0x7fffff00, "y" => 0, "width" => 10, "height" => 10)));
// bug 66815
var_dump(imagecrop($img, array("x" => 0, "y" => 0, "width" => 65535, "height" => 65535)));
?>
--EXPECTF--
resource(%d) of type (gd)
resource(%d) of type (gd)
Array
(
[x] => a
[y] => 12b
[width] => 10
[height] => 10
)
Warning: imagecrop(): gd warning: one parameter to a memory allocation multiplication is negative or zero, failing operation gracefully
in %sbug66356.php on line %d
bool(false)
resource(%d) of type (gd)
resource(%d) of type (gd)
Warning: imagecrop(): gd warning: product of memory allocation multiplication would exceed INT_MAX, failing operation gracefully
in %sbug66356.php on line %d
bool(false)
Reference in New Issue View Git Blame Copy Permalink