Fix bug #67730 - Null byte injection possible with imagexxx functions

author: Stanislav Malyshev <stas@php.net> 2014-08-18 22:49:10 -0700
committer: Stanislav Malyshev <stas@php.net> 2014-08-18 22:49:10 -0700
commit: 706aefb78112a44d4932d4c9430c6a898696f51f (patch)
tree: 6fc760a5341fbc6814009a6043b5038d53675887
parent: 529da0f74c1a230d0656799efc73a387392dbc10 (diff)
download: php-git-706aefb78112a44d4932d4c9430c6a898696f51f.tar.gz
2 files changed, 7 insertions, 0 deletions
diff --git a/NEWS b/NEWS
index cd34e9e54e..a3a5268c07 100644
--- a/NEWS
+++ b/NEWS
@@ -16,6 +16,8 @@ PHP                                                                        NEWS
 - GD:
   . Fixed bug #66901 (php-gd 'c_color' NULL pointer dereference).
     (CVE-2014-2497) (Remi)
+  . Fixed bug #67730 (Null byte injection possible with imagexxx functions).
+    (CVE-2014-5120) (Ryan Mauger)
 
 - Milter:
   . Fixed bug #67715 (php-milter does not build and crashes randomly). (Mike)
diff --git a/ext/gd/gd_ctx.c b/ext/gd/gd_ctx.c
index bff691fad2..eafbab5896 100644
--- a/ext/gd/gd_ctx.c
+++ b/ext/gd/gd_ctx.c
@@ -124,6 +124,11 @@ static void _php_image_output_ctx(INTERNAL_FUNCTION_PARAMETERS, int image_type,
 				RETURN_FALSE;
 			}
 		} else if (Z_TYPE_P(to_zval) == IS_STRING) {
+			if (CHECK_ZVAL_NULL_PATH(to_zval)) {
+				php_error_docref(NULL TSRMLS_CC, E_WARNING, "Invalid 2nd parameter, filename must not contain null bytes");
+				RETURN_FALSE;
+			}
+
 			stream = php_stream_open_wrapper(Z_STRVAL_P(to_zval), "wb", REPORT_ERRORS|IGNORE_PATH|IGNORE_URL_WIN, NULL);
 			if (stream == NULL) {
 				RETURN_FALSE;
author	Stanislav Malyshev <stas@php.net>	2014-08-18 22:49:10 -0700
committer	Stanislav Malyshev <stas@php.net>	2014-08-18 22:49:10 -0700
commit	706aefb78112a44d4932d4c9430c6a898696f51f (patch)
tree	6fc760a5341fbc6814009a6043b5038d53675887
parent	529da0f74c1a230d0656799efc73a387392dbc10 (diff)
download	php-git-706aefb78112a44d4932d4c9430c6a898696f51f.tar.gz