diff options
author | Anatol Belski <ab@php.net> | 2014-09-19 20:12:24 +0200 |
---|---|---|
committer | Anatol Belski <ab@php.net> | 2014-09-19 20:12:24 +0200 |
commit | 5d9403f56c14fefafa558b7de45f132a4d3f5fde (patch) | |
tree | a16746b253a5dae6406910019bf0e96c8919104c | |
parent | b8470e19e47bbab40c30d20f231ddd694c0ca669 (diff) | |
download | php-git-5d9403f56c14fefafa558b7de45f132a4d3f5fde.tar.gz |
fix possible array underflow
there are multiple issues with this code
- php_stream_read() returns an unsigned val, so is >= 0
- if it read less than sizeof(a) bytes, the function operates on garbage
- result->channels is an unsigned val, so >= 0
-rw-r--r-- | ext/standard/image.c | 6 |
1 files changed, 3 insertions, 3 deletions
diff --git a/ext/standard/image.c b/ext/standard/image.c index 02246c6268..f1910d2191 100644 --- a/ext/standard/image.c +++ b/ext/standard/image.c @@ -365,8 +365,8 @@ static unsigned short php_read2(php_stream * stream TSRMLS_DC) { unsigned char a[2]; - /* just return 0 if we hit the end-of-file */ - if((php_stream_read(stream, a, sizeof(a))) <= 0) return 0; + /* return 0 if we couldn't read enough data */ + if((php_stream_read(stream, a, sizeof(a))) < sizeof(a)) return 0; return (((unsigned short)a[0]) << 8) + ((unsigned short)a[1]); } @@ -646,7 +646,7 @@ static struct gfxinfo *php_handle_jpc(php_stream * stream TSRMLS_DC) #endif result->channels = php_read2(stream TSRMLS_CC); /* Csiz */ - if (result->channels < 0 || result->channels > 256) { + if (result->channels == 0 && php_stream_eof(stream) || result->channels > 256) { efree(result); return NULL; } |