diff options
| author | Stanislav Malyshev <stas@php.net> | 2019-05-27 16:49:19 -0700 |
|---|---|---|
| committer | Remi Collet <remi@php.net> | 2019-05-29 08:44:06 +0200 |
| commit | 3c0614f3256f90ab524567673c5bc80c8c9988d2 (patch) | |
| tree | fe17a2703bd1005e27426686f9fa9474bd28ecdf | |
| parent | 1b47faea371bff050c37e23d28c76aad0fe89e57 (diff) | |
| download | php-git-3c0614f3256f90ab524567673c5bc80c8c9988d2.tar.gz | |
Merge branch 'PHP-7.1' into PHP-7.2
* PHP-7.1:
Update NEWS
Fix bug #78069 - Out-of-bounds read in iconv.c:_php_iconv_mime_decode() due to integer overflow
Fix #77973: Uninitialized read in gdImageCreateFromXbm
| -rw-r--r-- | ext/gd/libgd/gd_xbm.c | 6 | ||||
| -rw-r--r-- | ext/gd/tests/bug77973.phpt | 26 | ||||
| -rw-r--r-- | ext/iconv/iconv.c | 4 | ||||
| -rw-r--r-- | ext/iconv/tests/bug78069.data | bin | 0 -> 107 bytes | |||
| -rw-r--r-- | ext/iconv/tests/bug78069.phpt | 15 |
5 files changed, 49 insertions, 2 deletions
diff --git a/ext/gd/libgd/gd_xbm.c b/ext/gd/libgd/gd_xbm.c index 1ed0d48981..b73073279f 100644 --- a/ext/gd/libgd/gd_xbm.c +++ b/ext/gd/libgd/gd_xbm.c @@ -136,7 +136,11 @@ gdImagePtr gdImageCreateFromXbm(FILE * fd) } h[3] = ch; } - sscanf(h, "%x", &b); + if (sscanf(h, "%x", &b) != 1) { + php_gd_error("invalid XBM"); + gdImageDestroy(im); + return 0; + } for (bit = 1; bit <= max_bit; bit = bit << 1) { gdImageSetPixel(im, x++, y, (b & bit) ? 1 : 0); if (x == im->sx) { diff --git a/ext/gd/tests/bug77973.phpt b/ext/gd/tests/bug77973.phpt new file mode 100644 index 0000000000..2545dbe128 --- /dev/null +++ b/ext/gd/tests/bug77973.phpt @@ -0,0 +1,26 @@ +--TEST-- +Bug #77973 (Uninitialized read in gdImageCreateFromXbm) +--SKIPIF-- +<?php +if (!extension_loaded('gd')) die("skip gd extension not available"); +if (!function_exists('imagecreatefromxbm')) die("skip imagecreatefromxbm not available"); +?> +--FILE-- +<?php +$contents = hex2bin("23646566696e6520776964746820320a23646566696e652068656967687420320a737461746963206368617220626974735b5d203d7b0a7a7a787a7a"); +$filepath = __DIR__ . '/bug77973.xbm'; +file_put_contents($filepath, $contents); +$im = imagecreatefromxbm($filepath); +var_dump($im); +?> +===DONE=== +--EXPECTF-- +Warning: imagecreatefromxbm(): invalid XBM in %s on line %d + +Warning: imagecreatefromxbm(): '%s' is not a valid XBM file in %s on line %d +bool(false) +===DONE=== +--CLEAN-- +<?php +unlink(__DIR__ . '/bug77973.xbm'); +?> diff --git a/ext/iconv/iconv.c b/ext/iconv/iconv.c index a92395e25f..781985ce3e 100644 --- a/ext/iconv/iconv.c +++ b/ext/iconv/iconv.c @@ -1664,7 +1664,9 @@ static php_iconv_err_t _php_iconv_mime_decode(smart_str *pretval, const char *st * we can do at this point. */ if (*(p1 + 1) == '=') { ++p1; - --str_left; + if (str_left > 1) { + --str_left; + } } err = _php_iconv_appendl(pretval, encoded_word, (size_t)((p1 + 1) - encoded_word), cd_pl); diff --git a/ext/iconv/tests/bug78069.data b/ext/iconv/tests/bug78069.data Binary files differnew file mode 100644 index 0000000000..ebd5d0bdcf --- /dev/null +++ b/ext/iconv/tests/bug78069.data diff --git a/ext/iconv/tests/bug78069.phpt b/ext/iconv/tests/bug78069.phpt new file mode 100644 index 0000000000..1341a5ef4f --- /dev/null +++ b/ext/iconv/tests/bug78069.phpt @@ -0,0 +1,15 @@ +--TEST-- +Bug #78069 (Out-of-bounds read in iconv.c:_php_iconv_mime_decode() due to integer overflow) +--SKIPIF-- +<?php +if (!extension_loaded('iconv')) die('skip ext/iconv required'); +?> +--FILE-- +<?php +$hdr = iconv_mime_decode_headers(file_get_contents(__DIR__ . "/bug78069.data"),2); +var_dump(count($hdr)); +?> +DONE +--EXPECT-- +int(1) +DONE
\ No newline at end of file |