Fix for bug #71912 (libgd: signedness vulnerability)

3 files changed, 19 insertions, 0 deletions

diff --git a/ext/gd/libgd/gd_gd2.c b/ext/gd/libgd/gd_gd2.c
index efc6ef47af..1794ca9e5a 100644
--- a/ext/gd/libgd/gd_gd2.c
+++ b/ext/gd/libgd/gd_gd2.c
@@ -150,6 +150,9 @@ static int _gd2GetHeader(gdIOCtxPtr in, int *sx, int *sy, int *cs, int *vers, in
 			if (gdGetInt(&cidx[i].size, in) != 1) {
 				goto fail1;
 			}
+			if (cidx[i].offset < 0 || cidx[i].size < 0) {
+				goto fail1;
+			}
 		}
 		*chunkIdx = cidx;
 	}
diff --git a/ext/gd/tests/bug71912.phpt b/ext/gd/tests/bug71912.phpt
new file mode 100644
index 0000000000..33b079d937
--- /dev/null
+++ b/ext/gd/tests/bug71912.phpt
@@ -0,0 +1,16 @@
+--TEST--
+Bug #71912 (libgd: signedness vulnerability)
+--SKIPIF--
+<?php
+        if(!extension_loaded('gd')){ die('skip gd extension not available'); }
+        if(!function_exists('imagecreatefromgd2')) die('skip imagecreatefromgd2() not available');
+?>
+--FILE--
+<?php
+imagecreatefromgd2(__DIR__."/invalid_neg_size.gd2");
+?>
+OK
+--EXPECTF--
+
+Warning: imagecreatefromgd2(): '%s/invalid_neg_size.gd2' is not a valid GD2 file in %s/bug71912.php on line %d
+OK
\ No newline at end of file
diff --git a/ext/gd/tests/invalid_neg_size.gd2 b/ext/gd/tests/invalid_neg_size.gd2
new file mode 100644
index 0000000000..3075f15a81
--- /dev/null
+++ b/ext/gd/tests/invalid_neg_size.gd2