diff options
| -rw-r--r-- | ext/gd/libgd/gd_xbm.c | 6 | ||||
| -rw-r--r-- | ext/gd/tests/bug77973.phpt | 26 | ||||
| -rw-r--r-- | ext/iconv/iconv.c | 4 | ||||
| -rw-r--r-- | ext/iconv/tests/bug78069.data | bin | 0 -> 107 bytes | |||
| -rw-r--r-- | ext/iconv/tests/bug78069.phpt | 15 |
5 files changed, 49 insertions, 2 deletions
diff --git a/ext/gd/libgd/gd_xbm.c b/ext/gd/libgd/gd_xbm.c index 1ed0d48981..b73073279f 100644 --- a/ext/gd/libgd/gd_xbm.c +++ b/ext/gd/libgd/gd_xbm.c @@ -136,7 +136,11 @@ gdImagePtr gdImageCreateFromXbm(FILE * fd) } h[3] = ch; } - sscanf(h, "%x", &b); + if (sscanf(h, "%x", &b) != 1) { + php_gd_error("invalid XBM"); + gdImageDestroy(im); + return 0; + } for (bit = 1; bit <= max_bit; bit = bit << 1) { gdImageSetPixel(im, x++, y, (b & bit) ? 1 : 0); if (x == im->sx) { diff --git a/ext/gd/tests/bug77973.phpt b/ext/gd/tests/bug77973.phpt new file mode 100644 index 0000000000..2545dbe128 --- /dev/null +++ b/ext/gd/tests/bug77973.phpt @@ -0,0 +1,26 @@ +--TEST-- +Bug #77973 (Uninitialized read in gdImageCreateFromXbm) +--SKIPIF-- +<?php +if (!extension_loaded('gd')) die("skip gd extension not available"); +if (!function_exists('imagecreatefromxbm')) die("skip imagecreatefromxbm not available"); +?> +--FILE-- +<?php +$contents = hex2bin("23646566696e6520776964746820320a23646566696e652068656967687420320a737461746963206368617220626974735b5d203d7b0a7a7a787a7a"); +$filepath = __DIR__ . '/bug77973.xbm'; +file_put_contents($filepath, $contents); +$im = imagecreatefromxbm($filepath); +var_dump($im); +?> +===DONE=== +--EXPECTF-- +Warning: imagecreatefromxbm(): invalid XBM in %s on line %d + +Warning: imagecreatefromxbm(): '%s' is not a valid XBM file in %s on line %d +bool(false) +===DONE=== +--CLEAN-- +<?php +unlink(__DIR__ . '/bug77973.xbm'); +?> diff --git a/ext/iconv/iconv.c b/ext/iconv/iconv.c index d80bac77f3..24aefcbba7 100644 --- a/ext/iconv/iconv.c +++ b/ext/iconv/iconv.c @@ -1663,7 +1663,9 @@ static php_iconv_err_t _php_iconv_mime_decode(smart_str *pretval, const char *st * we can do at this point. */ if (*(p1 + 1) == '=') { ++p1; - --str_left; + if (str_left > 1) { + --str_left; + } } err = _php_iconv_appendl(pretval, encoded_word, (size_t)((p1 + 1) - encoded_word), cd_pl); diff --git a/ext/iconv/tests/bug78069.data b/ext/iconv/tests/bug78069.data Binary files differnew file mode 100644 index 0000000000..ebd5d0bdcf --- /dev/null +++ b/ext/iconv/tests/bug78069.data diff --git a/ext/iconv/tests/bug78069.phpt b/ext/iconv/tests/bug78069.phpt new file mode 100644 index 0000000000..1341a5ef4f --- /dev/null +++ b/ext/iconv/tests/bug78069.phpt @@ -0,0 +1,15 @@ +--TEST-- +Bug #78069 (Out-of-bounds read in iconv.c:_php_iconv_mime_decode() due to integer overflow) +--SKIPIF-- +<?php +if (!extension_loaded('iconv')) die('skip ext/iconv required'); +?> +--FILE-- +<?php +$hdr = iconv_mime_decode_headers(file_get_contents(__DIR__ . "/bug78069.data"),2); +var_dump(count($hdr)); +?> +DONE +--EXPECT-- +int(1) +DONE
\ No newline at end of file |