From e720bc03b19c22846c562a62b42235b544c1794c Mon Sep 17 00:00:00 2001 From: "Christoph M. Becker" Date: Tue, 16 Aug 2016 18:23:36 +0200 Subject: Fix #73868: DOS vulnerability in gdImageCreateFromGd2Ctx() We must not pretend that there are image data if there are none. Instead we fail reading the image file gracefully. (cherry picked from commit cdb648dc4115ce0722f3cc75e6a65115fc0e56ab) (cherry picked from commit f1b2afc9d9e77edf41804f5dfc4e2069d8a12975) --- ext/gd/libgd/gd_gd2.c | 8 ++++++-- ext/gd/tests/bug73868.gd2 | Bin 0 -> 1050 bytes ext/gd/tests/bug73868.phpt | 18 ++++++++++++++++++ 3 files changed, 24 insertions(+), 2 deletions(-) create mode 100644 ext/gd/tests/bug73868.gd2 create mode 100644 ext/gd/tests/bug73868.phpt diff --git a/ext/gd/libgd/gd_gd2.c b/ext/gd/libgd/gd_gd2.c index 83eaaa3d6c..3eba6b3054 100644 --- a/ext/gd/libgd/gd_gd2.c +++ b/ext/gd/libgd/gd_gd2.c @@ -344,12 +344,16 @@ gdImagePtr gdImageCreateFromGd2Ctx (gdIOCtxPtr in) for (x = xlo; x < xhi; x++) { if (im->trueColor) { if (!gdGetInt(&im->tpixels[y][x], in)) { - im->tpixels[y][x] = 0; + php_gd_error("gd2: EOF while reading\n"); + gdImageDestroy(im); + return NULL; } } else { int ch; if (!gdGetByte(&ch, in)) { - ch = 0; + php_gd_error("gd2: EOF while reading\n"); + gdImageDestroy(im); + return NULL; } im->pixels[y][x] = ch; } diff --git a/ext/gd/tests/bug73868.gd2 b/ext/gd/tests/bug73868.gd2 new file mode 100644 index 0000000000..1c797d1acf Binary files /dev/null and b/ext/gd/tests/bug73868.gd2 differ diff --git a/ext/gd/tests/bug73868.phpt b/ext/gd/tests/bug73868.phpt new file mode 100644 index 0000000000..135be7917b --- /dev/null +++ b/ext/gd/tests/bug73868.phpt @@ -0,0 +1,18 @@ +--TEST-- +Bug 73868 (DOS vulnerability in gdImageCreateFromGd2Ctx()) +--SKIPIF-- + +--FILE-- + +===DONE=== +--EXPECTF-- +Warning: imagecreatefromgd2(): gd2: EOF while reading + in %s on line %d + +Warning: imagecreatefromgd2(): '%s' is not a valid GD2 file in %s on line %d +bool(false) +===DONE=== -- cgit v1.2.1