diff options
author | Remi Collet <remi@php.net> | 2014-12-13 09:03:44 +0100 |
---|---|---|
committer | Stanislav Malyshev <stas@php.net> | 2015-04-05 17:33:52 -0700 |
commit | afbf725e7380dfb3ff43a993e43abd9759a66c2b (patch) | |
tree | d166c1d2fb2e3936ee637341a5801036b9393d9f | |
parent | caecd88237f260c78428feb0acc6578618fa231b (diff) | |
download | php-git-afbf725e7380dfb3ff43a993e43abd9759a66c2b.tar.gz |
Fix bug #68601 buffer read overflow in gd_gif_in.c
-rw-r--r-- | NEWS | 3 | ||||
-rw-r--r-- | ext/gd/libgd/gd_gif_in.c | 11 |
2 files changed, 12 insertions, 2 deletions
@@ -2,6 +2,9 @@ PHP NEWS ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||| ?? ??? 2015 PHP 5.4.40 +- GD: + . Fixed bug #68601 (buffer read overflow in gd_gif_in.c). (Remi) + - SOAP: . Fixed bug #69152 (Type Confusion Infoleak Vulnerability in unserialize() with SoapFault). (Dmitry) diff --git a/ext/gd/libgd/gd_gif_in.c b/ext/gd/libgd/gd_gif_in.c index ee88a2fc8e..491e9422db 100644 --- a/ext/gd/libgd/gd_gif_in.c +++ b/ext/gd/libgd/gd_gif_in.c @@ -72,8 +72,10 @@ static struct { #define STACK_SIZE ((1<<(MAX_LWZ_BITS))*2) +#define CSD_BUF_SIZE 280 + typedef struct { - unsigned char buf[280]; + unsigned char buf[CSD_BUF_SIZE]; int curbit, lastbit, done, last_byte; } CODE_STATIC_DATA; @@ -400,7 +402,12 @@ GetCode_(gdIOCtx *fd, CODE_STATIC_DATA *scd, int code_size, int flag, int *ZeroD ret = 0; for (i = scd->curbit, j = 0; j < code_size; ++i, ++j) - ret |= ((scd->buf[ i / 8 ] & (1 << (i % 8))) != 0) << j; + if (i < CSD_BUF_SIZE * 8) { + ret |= ((scd->buf[i / 8] & (1 << (i % 8))) != 0) << j; + } else { + ret = -1; + break; + } scd->curbit += code_size; return ret; |