authorChristoph M. Becker <cmbecker69@gmx.de>2016-08-16 18:23:36 +0200
committerAnatol Belski <ab@php.net>2017-01-17 09:30:43 +0100
commitf1b2afc9d9e77edf41804f5dfc4e2069d8a12975 (patch)
tree8871bccd644907fcd2287f482e30c769c031ac8c
parent6477bb724e0c4e95dfc8f315cac4b7e7a692b0f8 (diff)
Fix #73868: DOS vulnerability in gdImageCreateFromGd2Ctx()
We must not pretend that there are image data if there are none. Instead we fail reading the image file gracefully. (cherry picked from commit cdb648dc4115ce0722f3cc75e6a65115fc0e56ab)
-rw-r--r--ext/gd/libgd/gd_gd2.c8
-rw-r--r--ext/gd/tests/bug73868.gd2bin0 -> 1050 bytes
-rw-r--r--ext/gd/tests/bug73868.phpt18
3 files changed, 24 insertions, 2 deletions
diff --git a/ext/gd/libgd/gd_gd2.c b/ext/gd/libgd/gd_gd2.c
index d06f328425..196b7858dc 100644
--- a/ext/gd/libgd/gd_gd2.c
+++ b/ext/gd/libgd/gd_gd2.c
@@ -340,12 +340,16 @@ gdImagePtr gdImageCreateFromGd2Ctx (gdIOCtxPtr in)
for (x = xlo; x < xhi; x++) {
if (im->trueColor) {
if (!gdGetInt(&im->tpixels[y][x], in)) {
- im->tpixels[y][x] = 0;
+ php_gd_error("gd2: EOF while reading\n");
+ gdImageDestroy(im);
+ return NULL;
}
} else {
int ch;
if (!gdGetByte(&ch, in)) {
- ch = 0;
+ php_gd_error("gd2: EOF while reading\n");
+ gdImageDestroy(im);
+ return NULL;
}
im->pixels[y][x] = ch;
}
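Review bot: Both added failure branches return directly from inside the nested read loop after `gdImageDestroy(im)`, so any other buffer the function may have allocated before this point would be skipped on this path. The rest of gdImageCreateFromGd2Ctx lies outside the hunk, so check the full body to confirm that no chunk or index buffers are still live when this loop runs. If the function already has a shared failure exit, routing both branches through it would also remove the duplicated three-line sequence. Separately, the trailing `\n` in `"gd2: EOF while reading\n"` splits the emitted warning across two lines, as the expected output in bug73868.phpt shows. A short comment such as `/* truncated pixel data: fail instead of zero-filling the rest of the image */` would record why the old fallback was removed.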
diff --git a/ext/gd/tests/bug73868.gd2 b/ext/gd/tests/bug73868.gd2
new file mode 100644
index 0000000000..1c797d1acf
--- /dev/null
+++ b/ext/gd/tests/bug73868.gd2
Binary files differ
diff --git a/ext/gd/tests/bug73868.phpt b/ext/gd/tests/bug73868.phpt
new file mode 100644
index 0000000000..135be7917b
--- /dev/null
+++ b/ext/gd/tests/bug73868.phpt
@@ -0,0 +1,18 @@
+--TEST--
+Bug 73868 (DOS vulnerability in gdImageCreateFromGd2Ctx())
+--SKIPIF--
+<?php
+if (!extension_loaded('gd')) die('skip gd extension not available');
+?>
+--FILE--
+<?php
+var_dump(imagecreatefromgd2(__DIR__ . DIRECTORY_SEPARATOR . 'bug73868.gd2'));
+?>
+===DONE===
+--EXPECTF--
+Warning: imagecreatefromgd2(): gd2: EOF while reading
+ in %s on line %d
+
+Warning: imagecreatefromgd2(): '%s' is not a valid GD2 file in %s on line %d
+bool(false)
+===DONE===
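Review bot: This regression test loads a single fixture, so it can reach only one of the two failure branches added in gd_gd2.c, either the truecolor `gdGetInt` path or the palette `gdGetByte` path. Which one bug73868.gd2 triggers cannot be told from the diff because the file is binary. A second truncated fixture of the other image type, with the same expected warnings and `bool(false)`, would cover both paths. A one-line comment in the `--FILE--` section stating that the fixture is a GD2 file whose pixel data ends early would help later maintainers.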