diff options
| author | Anatol Belski <ab@php.net> | 2016-06-21 09:42:38 +0200 |
|---|---|---|
| committer | Anatol Belski <ab@php.net> | 2016-06-21 09:45:26 +0200 |
| commit | fd93c8601dd3443614a32ce5dba0a275813954b1 (patch) | |
| tree | de0b19a5df99c3960c1c1cbd594bc425168ffaee | |
| parent | 5b90a8bd7c5774f4f2cd0d1190886c760356dda9 (diff) | |
| download | php-git-fd93c8601dd3443614a32ce5dba0a275813954b1.tar.gz | |
remove the huge test file, generate it on the fly instead
| -rw-r--r-- | ext/gd/tests/bug72339.gd | bin | 67108882 -> 0 bytes | |||
| -rw-r--r-- | ext/gd/tests/bug72339.phpt | 24 |
2 files changed, 23 insertions, 1 deletions
diff --git a/ext/gd/tests/bug72339.gd b/ext/gd/tests/bug72339.gd Binary files differdeleted file mode 100644 index 0634c99005..0000000000 --- a/ext/gd/tests/bug72339.gd +++ /dev/null diff --git a/ext/gd/tests/bug72339.phpt b/ext/gd/tests/bug72339.phpt index 763ae71000..2c30ee8a74 100644 --- a/ext/gd/tests/bug72339.phpt +++ b/ext/gd/tests/bug72339.phpt @@ -3,7 +3,29 @@ Bug #72339 Integer Overflow in _gd2GetHeader() resulting in heap overflow --SKIPIF-- <?php if (!function_exists("imagecreatefromgd2")) print "skip"; ?> --FILE-- -<?php imagecreatefromgd2(dirname(__FILE__) . DIRECTORY_SEPARATOR . "bug72339.gd"); ?> +<?php +$fname = dirname(__FILE__) . DIRECTORY_SEPARATOR . "bug72339.gd"; + +$fh = fopen($fname, "w"); +fwrite($fh, "gd2\x00"); +fwrite($fh, pack("n", 2)); +fwrite($fh, pack("n", 1)); +fwrite($fh, pack("n", 1)); +fwrite($fh, pack("n", 0x40)); +fwrite($fh, pack("n", 2)); +fwrite($fh, pack("n", 0x5AA0)); // Chunks Wide +fwrite($fh, pack("n", 0x5B00)); // Chunks Vertically +fwrite($fh, str_repeat("\x41\x41\x41\x41", 0x1000000)); // overflow data +fclose($fh); + +$im = imagecreatefromgd2($fname); + +if ($im) { + imagedestroy($im); +} +unlink($fname); + +?> --EXPECTF-- Warning: imagecreatefromgd2(): gd warning: product of memory allocation multiplication would exceed INT_MAX, failing operation gracefully in %sbug72339.php on line %d |