diff options
author | Stanislav Malyshev <stas@php.net> | 2016-04-18 22:20:22 -0700 |
---|---|---|
committer | Stanislav Malyshev <stas@php.net> | 2016-04-18 22:24:16 -0700 |
commit | b15f0ecc0f34364fd7ce924b4164be4e8198ff93 (patch) | |
tree | 867046a89c7b4fd0019c21b0c66ec5ae0b7392f4 | |
parent | 8a4d164c2b33e7a89af13762dbc09941df14a035 (diff) | |
download | php-git-b15f0ecc0f34364fd7ce924b4164be4e8198ff93.tar.gz |
Fix for bug #71912 (libgd: signedness vulnerability)
-rw-r--r-- | ext/gd/libgd/gd_gd2.c | 3 | ||||
-rw-r--r-- | ext/gd/tests/bug71912.phpt | 16 | ||||
-rw-r--r-- | ext/gd/tests/invalid_neg_size.gd2 | bin | 0 -> 1676 bytes |
3 files changed, 19 insertions, 0 deletions
diff --git a/ext/gd/libgd/gd_gd2.c b/ext/gd/libgd/gd_gd2.c index efc6ef47af..1794ca9e5a 100644 --- a/ext/gd/libgd/gd_gd2.c +++ b/ext/gd/libgd/gd_gd2.c @@ -150,6 +150,9 @@ static int _gd2GetHeader(gdIOCtxPtr in, int *sx, int *sy, int *cs, int *vers, in if (gdGetInt(&cidx[i].size, in) != 1) { goto fail1; } + if (cidx[i].offset < 0 || cidx[i].size < 0) { + goto fail1; + } } *chunkIdx = cidx; } diff --git a/ext/gd/tests/bug71912.phpt b/ext/gd/tests/bug71912.phpt new file mode 100644 index 0000000000..33b079d937 --- /dev/null +++ b/ext/gd/tests/bug71912.phpt @@ -0,0 +1,16 @@ +--TEST-- +Bug #71912 (libgd: signedness vulnerability) +--SKIPIF-- +<?php + if(!extension_loaded('gd')){ die('skip gd extension not available'); } + if(!function_exists('imagecreatefromgd2')) die('skip imagecreatefromgd2() not available'); +?> +--FILE-- +<?php +imagecreatefromgd2(__DIR__."/invalid_neg_size.gd2"); +?> +OK +--EXPECTF-- + +Warning: imagecreatefromgd2(): '%s/invalid_neg_size.gd2' is not a valid GD2 file in %s/bug71912.php on line %d +OK
\ No newline at end of file diff --git a/ext/gd/tests/invalid_neg_size.gd2 b/ext/gd/tests/invalid_neg_size.gd2 Binary files differnew file mode 100644 index 0000000000..3075f15a81 --- /dev/null +++ b/ext/gd/tests/invalid_neg_size.gd2 |