authorPierre Joye <pajoye@php.net>2008-07-17 18:08:04 +0000
committerPierre Joye <pajoye@php.net>2008-07-17 18:08:04 +0000
commit3bebc2f50dcff3ebc42953da7e2f12c3598a259f (patch)
tree703de38f599c811dc6ce877a3bac77df3dc03abe
parent74cb3c681643beb6373ec6f2a94a75c3a9b48698 (diff)
- fix crash when a crafted font is given
-rw-r--r--NEWS2
-rw-r--r--ext/gd/gd.c13
-rw-r--r--ext/gd/tests/imageloadfont_invalid.phpt26
3 files changed, 41 insertions, 0 deletions
diff --git a/NEWS b/NEWS
index 6a0320c401..91fe82da42 100644
--- a/NEWS
+++ b/NEWS
@@ -2,6 +2,8 @@ PHP 4 NEWS
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
?? ?? 2008, Version 4.4.9
- Updated PCRE to version 7.7. (Nuno)
+- Fixed crash in imageloadfont when an invalid font is given
+ (discovered by CzechSec, fixed by Pierre)
03 Jan 2008, Version 4.4.8
- Improved fix for MOPB-02-2007. (Ilia)
diff --git a/ext/gd/gd.c b/ext/gd/gd.c
index d92d4d85b5..40562112be 100644
--- a/ext/gd/gd.c
+++ b/ext/gd/gd.c
@@ -669,6 +669,19 @@ PHP_FUNCTION(imageloadfont)
body_size = font->w * font->h * font->nchars;
}
+ if (overflow2(font->nchars, font->h)) {
+ php_error_docref(NULL TSRMLS_CC, E_WARNING, "Error reading font, invalid font header");
+ efree(font);
+ php_stream_close(stream);
+ RETURN_FALSE;
+ }
+ if (overflow2(font->nchars * font->h, font->w )) {
+ php_error_docref(NULL TSRMLS_CC, E_WARNING, "Error reading font, invalid font header");
+ efree(font);
+ php_stream_close(stream);
+ RETURN_FALSE;
+ }
+
if (body_size != body_size_check) {
php_error_docref(NULL TSRMLS_CC, E_WARNING, "Error reading font");
efree(font);
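Review bot: The two new overflow2() checks run after `body_size = font->w * font->h * font->nchars;`, visible at the top of the hunk, so for a crafted header that product has already been computed with a possible signed overflow before anything is rejected. Placing the checks ahead of the body_size computation would keep all arithmetic off unvalidated header fields. The two identical error blocks can also be folded into one condition, `if (overflow2(font->nchars, font->h) || overflow2(font->nchars * font->h, font->w)) {`, since short-circuit evaluation only forms the inner product once the first check has passed. PHP_FUNCTION(imageloadfont) starts and ends outside the hunk, so the exact placement needs confirming against the full function.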
diff --git a/ext/gd/tests/imageloadfont_invalid.phpt b/ext/gd/tests/imageloadfont_invalid.phpt
new file mode 100644
index 0000000000..f2de5f9f23
--- /dev/null
+++ b/ext/gd/tests/imageloadfont_invalid.phpt
@@ -0,0 +1,26 @@
+--TEST--
+imageloadfont() function crashes
+--SKIPIF--
+<?php
+ if (!extension_loaded('gd')) die("skip gd extension not available\n");
+ if (!GD_BUNDLED) die('skip external GD libraries always fail');
+?>
+--FILE--
+<?php
+$filename = dirname(__FILE__) . '/font.gdf';
+$bin = "\x41\x41\x41\x41\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x01\x00";
+$fp = fopen($filename, 'wb');
+fwrite($fp, $bin);
+fclose($fp);
+
+$image = imagecreatetruecolor(50, 20);
+$font = imageloadfont($filename);
+$black = imagecolorallocate($image, 0, 0, 0);
+imagestring($image, $font, 0, 0, "Hello", $black);
+?>
+--EXPECTF--
+
+Warning: imageloadfont() [%s]: gd warning: product of memory allocation multiplication would exceed INT_MAX, failing operation gracefully
+ in %simageloadfont_invalid.php on line %d
+
+Warning: imageloadfont() [%s]: Error reading font, invalid font header in %simageloadfont_invalid.php on line %d
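Review bot: The test writes `font.gdf` next to the test file and never removes it, so the crafted font stays in the source tree after each run; add `unlink($filename);` after the `imagestring()` call. The 16-byte header also only triggers the first of the two checks added in gd.c (nchars * h), as the single "would exceed INT_MAX" warning in the expected output suggests. A second case in which nchars * h fits but multiplying by w overflows would cover the other branch. The result of `fopen()` is used without a check, which would turn a non-writable test directory into a confusing failure instead of a skip.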