From 018092125538782b25d3ab6b036f0c8d5968f757 Mon Sep 17 00:00:00 2001
From: "Christoph M. Becker" <cmbecker69@gmx.de>
Date: Tue, 20 Jun 2017 16:45:42 +0200
Subject: Fix #74435: Buffer over-read into uninitialized memory

The stack allocated color map buffers were not zeroed before usage, and
so undefined palette indexes could cause information leakage.
---
 ext/gd/tests/bug74435.gif  | Bin 0 -> 11464 bytes
 ext/gd/tests/bug74435.phpt |  27 +++++++++++++++++++++++++++
 2 files changed, 27 insertions(+)
 create mode 100644 ext/gd/tests/bug74435.gif
 create mode 100644 ext/gd/tests/bug74435.phpt

(limited to 'ext/gd/tests')

diff --git a/ext/gd/tests/bug74435.gif b/ext/gd/tests/bug74435.gif
new file mode 100644
index 0000000000..92fbb7ff20
Binary files /dev/null and b/ext/gd/tests/bug74435.gif differ
diff --git a/ext/gd/tests/bug74435.phpt b/ext/gd/tests/bug74435.phpt
new file mode 100644
index 0000000000..9d11eb3839
--- /dev/null
+++ b/ext/gd/tests/bug74435.phpt
@@ -0,0 +1,27 @@
+--TEST--
+Bug #74435 (Buffer over-read into uninitialized memory)
+--SKIPIF--
+<?php
+if (!extension_loaded('gd')) die('skip gd extension not available');
+?>
+--FILE--
+<?php
+$im = imagecreatefromgif(__DIR__ . DIRECTORY_SEPARATOR . 'bug74435.gif');
+var_dump($im);
+$width = imagesx($im);
+$height = imagesy($im);
+for ($i = 0; $i < $width; $i += 16) {
+    for ($j = 0; $j < $height; $j += 16) {
+        if (($index = imagecolorat($im, $i, $j)) >= 2) {
+            list($red, $green, $blue, $alpha) = array_values(imagecolorsforindex($im, $index));
+            if ($red !== 0 || $green !== 0 || $blue !== 0 || $alpha !== 0) {
+                echo "unexpected color at ($i, $j)\n";
+            }
+        }
+    }
+}
+?>
+===DONE===
+--EXPECTF--
+resource(%d) of type (gd)
+===DONE===
-- 
cgit v1.2.1