diff options
| author | Anatol Belski <ab@php.net> | 2017-01-17 09:33:51 +0100 |
|---|---|---|
| committer | Anatol Belski <ab@php.net> | 2017-01-17 09:33:51 +0100 |
| commit | 5d07438cb3d72b7d6d3675cdccf5eef361e6e591 (patch) | |
| tree | 4065d62713d3d86c3c698ed3785fb77b76fd7abf | |
| parent | b28c2e20ca83ffb5dc9159d7d03f0baf55b0aeaf (diff) | |
| parent | d2274b01cbbadf5516b3ea87ad76fbae18834007 (diff) | |
| download | php-git-5d07438cb3d72b7d6d3675cdccf5eef361e6e591.tar.gz | |
Merge branch 'PHP-5.6' into PHP-7.0
* PHP-5.6:
Fix #73869: Signed Integer Overflow gd_io.c
Fix #73868: DOS vulnerability in gdImageCreateFromGd2Ctx()
| -rw-r--r-- | ext/gd/libgd/gd_gd2.c | 12 | ||||
| -rw-r--r-- | ext/gd/tests/bug73868.gd2 | bin | 0 -> 1050 bytes | |||
| -rw-r--r-- | ext/gd/tests/bug73868.phpt | 18 | ||||
| -rw-r--r-- | ext/gd/tests/bug73869.phpt | 19 | ||||
| -rw-r--r-- | ext/gd/tests/bug73869a.gd2 | bin | 0 -> 92 bytes | |||
| -rw-r--r-- | ext/gd/tests/bug73869b.gd2 | bin | 0 -> 18 bytes |
6 files changed, 47 insertions, 2 deletions
diff --git a/ext/gd/libgd/gd_gd2.c b/ext/gd/libgd/gd_gd2.c index d06f328425..3eba6b3054 100644 --- a/ext/gd/libgd/gd_gd2.c +++ b/ext/gd/libgd/gd_gd2.c @@ -136,6 +136,10 @@ static int _gd2GetHeader(gdIOCtxPtr in, int *sx, int *sy, int *cs, int *vers, in GD2_DBG(php_gd_error("%d Chunks vertically", *ncy)); if (gd2_compressed(*fmt)) { + if (*ncx <= 0 || *ncy <= 0 || *ncx > INT_MAX / *ncy) { + GD2_DBG(printf ("Illegal chunk counts: %d * %d\n", *ncx, *ncy)); + goto fail1; + } nc = (*ncx) * (*ncy); GD2_DBG(php_gd_error("Reading %d chunk index entries", nc)); if (overflow2(sizeof(t_chunk_info), nc)) { @@ -340,12 +344,16 @@ gdImagePtr gdImageCreateFromGd2Ctx (gdIOCtxPtr in) for (x = xlo; x < xhi; x++) { if (im->trueColor) { if (!gdGetInt(&im->tpixels[y][x], in)) { - im->tpixels[y][x] = 0; + php_gd_error("gd2: EOF while reading\n"); + gdImageDestroy(im); + return NULL; } } else { int ch; if (!gdGetByte(&ch, in)) { - ch = 0; + php_gd_error("gd2: EOF while reading\n"); + gdImageDestroy(im); + return NULL; } im->pixels[y][x] = ch; } diff --git a/ext/gd/tests/bug73868.gd2 b/ext/gd/tests/bug73868.gd2 Binary files differnew file mode 100644 index 0000000000..1c797d1acf --- /dev/null +++ b/ext/gd/tests/bug73868.gd2 diff --git a/ext/gd/tests/bug73868.phpt b/ext/gd/tests/bug73868.phpt new file mode 100644 index 0000000000..135be7917b --- /dev/null +++ b/ext/gd/tests/bug73868.phpt @@ -0,0 +1,18 @@ +--TEST-- +Bug 73868 (DOS vulnerability in gdImageCreateFromGd2Ctx()) +--SKIPIF-- +<?php +if (!extension_loaded('gd')) die('skip gd extension not available'); +?> +--FILE-- +<?php +var_dump(imagecreatefromgd2(__DIR__ . DIRECTORY_SEPARATOR . 'bug73868.gd2')); +?> +===DONE=== +--EXPECTF-- +Warning: imagecreatefromgd2(): gd2: EOF while reading + in %s on line %d + +Warning: imagecreatefromgd2(): '%s' is not a valid GD2 file in %s on line %d +bool(false) +===DONE=== diff --git a/ext/gd/tests/bug73869.phpt b/ext/gd/tests/bug73869.phpt new file mode 100644 index 0000000000..3cc10a4201 --- /dev/null +++ b/ext/gd/tests/bug73869.phpt @@ -0,0 +1,19 @@ +--TEST-- +Bug #73869 (Signed Integer Overflow gd_io.c) +--SKIPIF-- +<?php +if (!extension_loaded('gd')) die('skip gd extension not available'); +?> +--FILE-- +<?php +var_dump(imagecreatefromgd2(__DIR__ . DIRECTORY_SEPARATOR . 'bug73869a.gd2')); +var_dump(imagecreatefromgd2(__DIR__ . DIRECTORY_SEPARATOR . 'bug73869b.gd2')); +?> +===DONE=== +--EXPECTF-- +Warning: imagecreatefromgd2(): '%s' is not a valid GD2 file in %s on line %d +bool(false) + +Warning: imagecreatefromgd2(): '%s' is not a valid GD2 file in %s on line %d +bool(false) +===DONE===
\ No newline at end of file diff --git a/ext/gd/tests/bug73869a.gd2 b/ext/gd/tests/bug73869a.gd2 Binary files differnew file mode 100644 index 0000000000..5060bfde3a --- /dev/null +++ b/ext/gd/tests/bug73869a.gd2 diff --git a/ext/gd/tests/bug73869b.gd2 b/ext/gd/tests/bug73869b.gd2 Binary files differnew file mode 100644 index 0000000000..8600126bec --- /dev/null +++ b/ext/gd/tests/bug73869b.gd2 |