authorPierre Joye <pierre.php@gmail.com>2016-07-19 14:16:01 +0700
committerPierre Joye <pierre.php@gmail.com>2016-07-19 14:16:01 +0700
commitb61bd1243ab5e2f17f7e9afecfdc47c6f1a05936 (patch)
treee795fc943ed3d597f79616981694d6cf2dbcfce6
parent511f07b747aadc352d9e3cc00e11de3fe84c7391 (diff)
parent2fbce5f51f4ba01e4d0de3b8592bb14773a98d4d (diff)
downloadphp-git-b61bd1243ab5e2f17f7e9afecfdc47c6f1a05936.tar.gz
Merge branch 'PHP-5.5' into PHP-5.6
* PHP-5.5: fix #72519, possible OOB using imagegif
-rw-r--r--ext/gd/libgd/gd_gif_out.c18
1 files changed, 16 insertions, 2 deletions
diff --git a/ext/gd/libgd/gd_gif_out.c b/ext/gd/libgd/gd_gif_out.c
index 14045385ab..0178dd9741 100644
--- a/ext/gd/libgd/gd_gif_out.c
+++ b/ext/gd/libgd/gd_gif_out.c
@@ -601,14 +601,26 @@ nomatch:
* code in turn. When the buffer fills up empty it and start over.
*/
-static unsigned long masks[] = { 0x0000, 0x0001, 0x0003, 0x0007, 0x000F,
+static const unsigned long masks[] = { 0x0000, 0x0001, 0x0003, 0x0007, 0x000F,
0x001F, 0x003F, 0x007F, 0x00FF,
0x01FF, 0x03FF, 0x07FF, 0x0FFF,
0x1FFF, 0x3FFF, 0x7FFF, 0xFFFF };
+
+/* Arbitrary value to mark output is done. When we see EOFCode, then we don't
+ * expect to see any more data. If we do (e.g. corrupt image inputs), cur_bits
+ * might be negative, so flag it to return early.
+ */
+#define CUR_BITS_FINISHED -1000
+
+
static void
output(code_int code, GifCtx *ctx)
{
+ if (ctx->cur_bits == CUR_BITS_FINISHED) {
+ return;
+ }
+
ctx->cur_accum &= masks[ ctx->cur_bits ];
if( ctx->cur_bits > 0 )
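Review bot: The new early return in `output()` only catches the exact sentinel, so `masks[ ctx->cur_bits ]` is still indexed with any other value `cur_bits` may hold; the table has 17 entries (indices 0-16) and the added comment itself says `cur_bits` might be negative. A range check covers the sentinel and every other out-of-range state at once: `if (ctx->cur_bits < 0 || ctx->cur_bits > 16) return;`. Whether other paths can leave `cur_bits` outside that range is not visible here, because the body of `output()` continues past this hunk. As a smaller style point, the macro is safer parenthesised, `#define CUR_BITS_FINISHED (-1000)`.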
@@ -655,8 +667,10 @@ output(code_int code, GifCtx *ctx)
ctx->cur_bits -= 8;
}
- flush_char(ctx);
+ /* Flag that it's done to prevent re-entry. */
+ ctx->cur_bits = CUR_BITS_FINISHED;
+ flush_char(ctx);
}
}
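Review bot: Once `ctx->cur_bits = CUR_BITS_FINISHED;` is set, every later `output()` call is dropped silently, so corrupt input that keeps producing codes after EOFCode yields a truncated stream with no error visible to the caller. The finished state is also stored in a bit counter and nothing in the visible lines resets it; presumably each encode starts from a freshly initialised `GifCtx`, which is worth confirming. A comment on the field such as `/* set to CUR_BITS_FINISHED once EOFCode has been written */` would document the dual use. The enclosing `if` block starts above this hunk.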