author | Christoph M. Becker <cmbecker69@gmx.de> | 2018-12-30 13:59:26 +0100 |
---|---|---|
committer | Christoph M. Becker <cmbecker69@gmx.de> | 2019-01-07 13:41:51 +0100 |
commit | a15af81b5f0058e020eda0f109f51a3c863f5212 (patch) | |
tree | 51f93265d490535cc8056ccd2e6347ae78f3f784 | |
parent | 027f68ff10a439c5c331bcbfdd6eb2a5fca0948a (diff) | |
download | php-git-a15af81b5f0058e020eda0f109f51a3c863f5212.tar.gz |
Fix #77270: imagecolormatch Out Of Bounds Write on Heap
At least some of the image reading functions may return images which
use color indexes greater than or equal to im->colorsTotal. We cater
to this by always using a buffer size which is sufficient for
`gdMaxColors` in `gdImageColorMatch()`.
(cherry picked from commit 7a12dad4dd6c370835b13afae214b240082c7538)
-rw-r--r-- | NEWS | 1 | ||||
-rw-r--r-- | ext/gd/libgd/gd_color_match.c | 4 | ||||
-rw-r--r-- | ext/gd/tests/bug77270.phpt | 18 |
3 files changed, 21 insertions, 2 deletions
@@ -29,6 +29,7 @@ PHP NEWS (cmb) . Fixed bug #77269 (efree() on uninitialized Heap data in imagescale leads to use-after-free). (cmb) + . Fixed bug #77270 (imagecolormatch Out Of Bounds Write on Heap). (cmb) - OCI8: . Fixed bug #76804 (oci_pconnect with OCI_CRED_EXT not working). (KoenigsKind)
diff --git a/ext/gd/libgd/gd_color_match.c b/ext/gd/libgd/gd_color_match.c
index a4e56b1c40..e6f539bc75 100644
--- a/ext/gd/libgd/gd_color_match.c
+++ b/ext/gd/libgd/gd_color_match.c
@@ -33,8 +33,8 @@ int gdImageColorMatch (gdImagePtr im1, gdImagePtr im2)
 return -4; /* At least 1 color must be allocated */
 }
- buf = (unsigned long *)safe_emalloc(sizeof(unsigned long), 5 * im2->colorsTotal, 0);
- memset( buf, 0, sizeof(unsigned long) * 5 * im2->colorsTotal );
+ buf = (unsigned long *)safe_emalloc(sizeof(unsigned long), 5 * gdMaxColors, 0);
+ memset( buf, 0, sizeof(unsigned long) * 5 * gdMaxColors );
 for (x=0; x<im1->sx; x++) {
 for( y=0; y<im1->sy; y++ ) {
diff --git a/ext/gd/tests/bug77270.phpt b/ext/gd/tests/bug77270.phpt
new file mode 100644
index 0000000000..1c4555a64d
--- /dev/null
+++ b/ext/gd/tests/bug77270.phpt
@@ -0,0 +1,18 @@
+--TEST--
+Bug #77270 (imagecolormatch Out Of Bounds Write on Heap)
+--SKIPIF--
+<?php
+if (!extension_loaded('gd')) die('skip gd extension not available');
+if (!GD_BUNDLED && version_compare(GD_VERSION, '2.2.5', '<=')) die('skip upstream bugfix has not been released');
+?>
+--FILE--
+<?php
+$img1 = imagecreatetruecolor(0xfff, 0xfff);
+$img2 = imagecreate(0xfff, 0xfff);
+imagecolorallocate($img2, 0, 0, 0);
+imagesetpixel($img2, 0, 0, 255);
+imagecolormatch($img1, $img2);
+?>
+===DONE===
+--EXPECT--
+===DONE=== |
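Review bot: The new allocation in gdImageColorMatch sizes buf for gdMaxColors without stating the invariant that makes this sufficient, so the next person tidying the code could "optimize" it back to im2->colorsTotal and reintroduce the heap overflow; the commit message explains the reasoning, but the code should carry it, e.g. `/* Pixel indexes read from im2 can reach gdMaxColors-1 even when colorsTotal is smaller (bug #77270), so size for the maximum rather than the allocated palette. */` above the safe_emalloc line. The guarantee presumably rests on palette pixels being stored as single bytes, so no index can exceed gdMaxColors-1; that should be confirmed against the pixel-indexing code in the loop that follows, which lies outside this hunk, as does the start of the function. The pair of lines also repeat the size expression once for the allocation and once for the clearing memset; a single zero-initializing allocation, `buf = ecalloc(5 * gdMaxColors, sizeof(unsigned long));`, keeps the two sizes from drifting apart and still performs an overflow-checked allocation.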