diff options
author | Stanislav Malyshev <stas@php.net> | 2014-08-18 22:49:10 -0700 |
---|---|---|
committer | Julien Pauli <jpauli@php.net> | 2014-08-19 15:03:01 +0200 |
commit | 1daa4c0090b7cd8178dcaa96287234c69ac6ca18 (patch) | |
tree | 76a625643e0db98a24b1f83bafea5d161e4c4a77 | |
parent | fbceec5861e08b10e75af36a097da35d9f808ef6 (diff) | |
download | php-git-1daa4c0090b7cd8178dcaa96287234c69ac6ca18.tar.gz |
Fix bug #67730 - Null byte injection possible with imagexxx functions
-rw-r--r-- | ext/gd/gd_ctx.c | 5 |
1 files changed, 5 insertions, 0 deletions
diff --git a/ext/gd/gd_ctx.c b/ext/gd/gd_ctx.c index 59eff80443..253b6648f3 100644 --- a/ext/gd/gd_ctx.c +++ b/ext/gd/gd_ctx.c @@ -124,6 +124,11 @@ static void _php_image_output_ctx(INTERNAL_FUNCTION_PARAMETERS, int image_type, RETURN_FALSE; } } else if (Z_TYPE_P(to_zval) == IS_STRING) { + if (CHECK_ZVAL_NULL_PATH(to_zval)) { + php_error_docref(NULL TSRMLS_CC, E_WARNING, "Invalid 2nd parameter, filename must not contain null bytes"); + RETURN_FALSE; + } + stream = php_stream_open_wrapper(Z_STRVAL_P(to_zval), "wb", REPORT_ERRORS|IGNORE_PATH|IGNORE_URL_WIN, NULL); if (stream == NULL) { RETURN_FALSE; |