From 5d9403f56c14fefafa558b7de45f132a4d3f5fde Mon Sep 17 00:00:00 2001
From: Anatol Belski
Date: Fri, 19 Sep 2014 20:12:24 +0200
Subject: fix possible array underflow

there are multiple issues with this code
- php_stream_read() returns an unsigned val, so is >= 0
- if it read less than sizeof(a) bytes, the function operates on garbage
- result->channels is an unsigned val, so >= 0
---
 ext/standard/image.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/ext/standard/image.c b/ext/standard/image.c
index 02246c6268..f1910d2191 100644
--- a/ext/standard/image.c
+++ b/ext/standard/image.c
@@ -365,8 +365,8 @@ static unsigned short php_read2(php_stream * stream TSRMLS_DC)
 {
 unsigned char a[2];
- /* just return 0 if we hit the end-of-file */
- if((php_stream_read(stream, a, sizeof(a))) <= 0) return 0;
+ /* return 0 if we couldn't read enough data */
+ if((php_stream_read(stream, a, sizeof(a))) < sizeof(a)) return 0;
 return (((unsigned short)a[0]) << 8) + ((unsigned short)a[1]);
 }
@@ -646,7 +646,7 @@ static struct gfxinfo *php_handle_jpc(php_stream * stream TSRMLS_DC)
 #endif
 result->channels = php_read2(stream TSRMLS_CC); /* Csiz */
- if (result->channels < 0 || result->channels > 256) {
+ if (result->channels == 0 && php_stream_eof(stream) || result->channels > 256) {
 efree(result);
 return NULL;
 }
-- 
cgit v1.2.1
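Review bot: The guard on the added `if` line in php_read2 only rejects a short read through `<`, which is sound solely because php_stream_read() returns an unsigned count (as the commit message states); should that return type ever become signed and report an error as -1, the usual arithmetic conversions turn -1 into a very large unsigned value, the `<` test passes, and the shift on the next line consumes the still-uninitialized `a`. Comparing for exact equality costs nothing and rejects every count that is not precisely two bytes, including such a converted error value: `if (php_stream_read(stream, a, sizeof(a)) != sizeof(a)) return 0;`. Whether a signed return is possible in this tree is not visible from the hunk, so treat this as hardening rather than a present bug. Separately, returning 0 on a short read is indistinguishable to callers from a genuine 0x0000 in the stream, and the new comment should say so, e.g. `/* return 0 if we couldn't read enough data; callers cannot tell this apart from a real 0 and must check the stream state themselves */`.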
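Review bot: The new condition on the added `if` line in php_handle_jpc mixes `&&` and `||` with no parentheses, so a reader must recall precedence to see it means `(channels == 0 && eof) || channels > 256`; compilers warn on this under -Wparentheses and a later edit can silently change the grouping, so write `if ((result->channels == 0 && php_stream_eof(stream)) || result->channels > 256) {`. Beyond style, php_stream_eof() only recognises one cause of the 0 that php_read2() yields on a short read: a read error, or a stream that handed back fewer than two bytes without yet reporting EOF, leaves `result->channels` at 0 and is accepted by this check. If a component count of zero is never meaningful for this format (the JPEG 2000 SIZ Csiz field is, as far as I recall, at least 1), the simpler `if (result->channels == 0 || result->channels > 256) {` closes that gap without depending on stream state; confirm against the spec before relaxing the EOF condition. php_handle_jpc() starts and ends outside the hunk, so how `result->channels` is consumed afterwards is not visible here.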