fix possible array underflow

there are multiple issues with this code - php_stream_read() returns an unsigned val, so is >= 0 - if it read less than sizeof(a) bytes, the function operates on garbage - result->channels is an unsigned val, so >= 0
author: Anatol Belski <ab@php.net> 2014-09-19 20:12:24 +0200
committer: Anatol Belski <ab@php.net> 2014-09-19 20:12:24 +0200
commit: 5d9403f56c14fefafa558b7de45f132a4d3f5fde (patch)
tree: a16746b253a5dae6406910019bf0e96c8919104c
parent: b8470e19e47bbab40c30d20f231ddd694c0ca669 (diff)
download: php-git-5d9403f56c14fefafa558b7de45f132a4d3f5fde.tar.gz
1 files changed, 3 insertions, 3 deletions
diff --git a/ext/standard/image.c b/ext/standard/image.c
index 02246c6268..f1910d2191 100644
--- a/ext/standard/image.c
+++ b/ext/standard/image.c
@@ -365,8 +365,8 @@ static unsigned short php_read2(php_stream * stream TSRMLS_DC)
 {
 	unsigned char a[2];
 
-	/* just return 0 if we hit the end-of-file */
-	if((php_stream_read(stream, a, sizeof(a))) <= 0) return 0;
+	/* return 0 if we couldn't read enough data */
+	if((php_stream_read(stream, a, sizeof(a))) < sizeof(a)) return 0;
 
 	return (((unsigned short)a[0]) << 8) + ((unsigned short)a[1]);
 }
@@ -646,7 +646,7 @@ static struct gfxinfo *php_handle_jpc(php_stream * stream TSRMLS_DC)
 #endif
 
 	result->channels = php_read2(stream TSRMLS_CC); /* Csiz */
-	if (result->channels < 0 || result->channels > 256) {
+	if (result->channels == 0 && php_stream_eof(stream) || result->channels > 256) {
 		efree(result);
 		return NULL;
 	}
author	Anatol Belski <ab@php.net>	2014-09-19 20:12:24 +0200
committer	Anatol Belski <ab@php.net>	2014-09-19 20:12:24 +0200
commit	5d9403f56c14fefafa558b7de45f132a4d3f5fde (patch)
tree	a16746b253a5dae6406910019bf0e96c8919104c
parent	b8470e19e47bbab40c30d20f231ddd694c0ca669 (diff)
download	php-git-5d9403f56c14fefafa558b7de45f132a4d3f5fde.tar.gz