diff options
author | Christoph M. Becker <cmbecker69@gmx.de> | 2019-01-19 10:03:11 +0100 |
---|---|---|
committer | Christoph M. Becker <cmbecker69@gmx.de> | 2019-01-19 10:16:02 +0100 |
commit | 44fa0b0f311beee4bfcbdb954d61f0c9a8395a96 (patch) | |
tree | 14c9c4ff4dcc9e1bf3670cdb9ff25d6dccf461e4 | |
parent | dbe7f2a41a52663659d07e5b0110e1b8dffe19e1 (diff) | |
download | php-git-44fa0b0f311beee4bfcbdb954d61f0c9a8395a96.tar.gz |
Fix #77479: imagewbmp() segfaults with very large images
We must not proceed working with the Wbmp structure, if it hasn't been
allocated.
-rw-r--r-- | NEWS | 1 | ||||
-rw-r--r-- | ext/gd/libgd/gd_wbmp.c | 1 | ||||
-rw-r--r-- | ext/gd/tests/bug77479.phpt | 26 |
3 files changed, 28 insertions, 0 deletions
@@ -14,6 +14,7 @@ PHP NEWS . Fixed bug #73614 (gdImageFilledArc() doesn't properly draw pies). (cmb) . Fixed bug #77272 (imagescale() may return image resource on failure). (cmb) . Fixed bug #77391 (1bpp BMPs may fail to be loaded). (Romain Déoux, cmb) + . Fixed bug #77479 (imagewbmp() segfaults with very large images). (cmb) - Mbstring: . Fixed bug #77454 (mb_scrub() silently truncates after a null byte). diff --git a/ext/gd/libgd/gd_wbmp.c b/ext/gd/libgd/gd_wbmp.c index 7b946aad2f..55ced3443d 100644 --- a/ext/gd/libgd/gd_wbmp.c +++ b/ext/gd/libgd/gd_wbmp.c @@ -100,6 +100,7 @@ void gdImageWBMPCtx (gdImagePtr image, int fg, gdIOCtx * out) /* create the WBMP */ if ((wbmp = createwbmp (gdImageSX (image), gdImageSY (image), WBMP_WHITE)) == NULL) { gd_error("Could not create WBMP"); + return; } /* fill up the WBMP structure */ diff --git a/ext/gd/tests/bug77479.phpt b/ext/gd/tests/bug77479.phpt new file mode 100644 index 0000000000..9441e38d3e --- /dev/null +++ b/ext/gd/tests/bug77479.phpt @@ -0,0 +1,26 @@ +--TEST-- +Bug #77479 (imagewbmp() segfaults with very large image) +--SKIPIF-- +<?php +if (!extension_loaded('gd')) die('skip gd extension not available'); +if (getenv("SKIP_SLOW_TESTS")) die("skip slow test"); +?> +--INI-- +memory_limit=-1 +--FILE-- +<?php +$im = imagecreate(40000, 20000); +imagecolorallocate($im, 0, 0, 0); +imagewbmp($im, __DIR__ . '/77479.wbmp'); +?> +===DONE=== +--EXPECTF-- +Warning: imagewbmp(): gd warning: product of memory allocation multiplication would exceed INT_MAX, failing operation gracefully + in %s on line %d + +Warning: imagewbmp(): Could not create WBMP in %s on line %d +===DONE=== +--CLEAN-- +<?php +@unlink(__DIR__ . '/77479.wbmp'); +?> |