diff options
author | Remi Collet <remi@php.net> | 2014-08-04 10:42:39 +0200 |
---|---|---|
committer | Remi Collet <remi@php.net> | 2014-08-04 10:42:39 +0200 |
commit | cf4753691dc55999373d1c576f62ecb298723420 (patch) | |
tree | 0ecec522b99135c0b6992a93635ce2895f40c672 | |
parent | ae74549239f80ef40e978942b71c08a7e8a09a23 (diff) | |
download | php-git-cf4753691dc55999373d1c576f62ecb298723420.tar.gz |
Fixed Bug #66901 php-gd 'c_color' NULL pointer dereference
Upstream https://bitbucket.org/libgd/gd-libgd/commits/463c3bd09bfe8e924e19acad7a2a6af16953a704
Notice: this fix don't manage monochrome/monovisual values
but just fix the security issue CVE-2014-2497
failing when trying to load such an image
-rw-r--r-- | ext/gd/libgd/gdxpm.c | 7 |
1 files changed, 6 insertions, 1 deletions
diff --git a/ext/gd/libgd/gdxpm.c b/ext/gd/libgd/gdxpm.c index 73f86e5df7..b69414e60d 100644 --- a/ext/gd/libgd/gdxpm.c +++ b/ext/gd/libgd/gdxpm.c @@ -31,12 +31,17 @@ gdImagePtr gdImageCreateFromXpm (char *filename) if (ret != XpmSuccess) { return 0; } + number = image.ncolors; + for(i = 0; i < number; i++) { + if (!image.colorTable[i].c_color) { + goto done; + } + } if (!(im = gdImageCreate(image.width, image.height))) { goto done; } - number = image.ncolors; colors = (int *) safe_emalloc(number, sizeof(int), 0); for (i = 0; i < number; i++) { switch (strlen (image.colorTable[i].c_color)) { |