summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorRemi Collet <remi@php.net>2014-12-13 09:03:44 +0100
committerStanislav Malyshev <stas@php.net>2015-04-05 17:33:52 -0700
commitafbf725e7380dfb3ff43a993e43abd9759a66c2b (patch)
treed166c1d2fb2e3936ee637341a5801036b9393d9f
parentcaecd88237f260c78428feb0acc6578618fa231b (diff)
downloadphp-git-afbf725e7380dfb3ff43a993e43abd9759a66c2b.tar.gz
Fix bug #68601 buffer read overflow in gd_gif_in.c
Diffstat
-rw-r--r--NEWS3
-rw-r--r--ext/gd/libgd/gd_gif_in.c11
2 files changed, 12 insertions, 2 deletions
diff --git a/NEWS b/NEWS
index 365615418d..7596b002aa 100644
--- a/NEWS
+++ b/NEWS
@@ -2,6 +2,9 @@ PHP NEWS
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
?? ??? 2015 PHP 5.4.40
+- GD:
+ . Fixed bug #68601 (buffer read overflow in gd_gif_in.c). (Remi)
+
- SOAP:
. Fixed bug #69152 (Type Confusion Infoleak Vulnerability in unserialize()
with SoapFault). (Dmitry)
diff --git a/ext/gd/libgd/gd_gif_in.c b/ext/gd/libgd/gd_gif_in.c
index ee88a2fc8e..491e9422db 100644
--- a/ext/gd/libgd/gd_gif_in.c
+++ b/ext/gd/libgd/gd_gif_in.c
@@ -72,8 +72,10 @@ static struct {
#define STACK_SIZE ((1<<(MAX_LWZ_BITS))*2)
+#define CSD_BUF_SIZE 280
+
typedef struct {
- unsigned char buf[280];
+ unsigned char buf[CSD_BUF_SIZE];
int curbit, lastbit, done, last_byte;
} CODE_STATIC_DATA;
@@ -400,7 +402,12 @@ GetCode_(gdIOCtx *fd, CODE_STATIC_DATA *scd, int code_size, int flag, int *ZeroD
ret = 0;
for (i = scd->curbit, j = 0; j < code_size; ++i, ++j)
- ret |= ((scd->buf[ i / 8 ] & (1 << (i % 8))) != 0) << j;
+ if (i < CSD_BUF_SIZE * 8) {
+ ret |= ((scd->buf[i / 8] & (1 << (i % 8))) != 0) << j;
+ } else {
+ ret = -1;
+ break;
+ }
scd->curbit += code_size;
return ret;
View Lorry Controller Status