author | Christoph M. Becker <cmb@php.net> | 2016-08-02 18:41:20 +0200 |
---|---|---|
committer | Christoph M. Becker <cmb@php.net> | 2016-08-02 18:43:37 +0200 |
commit | f5622f5c8763fe180310ed7a47b999f160d7750b (patch) | |
tree | a2d615b014650171fb228300e99c493fe49de33f | |
parent | e95625f47ee0a8b969c268c03a33a2a67ebbefce (diff) | |
download | php-git-f5622f5c8763fe180310ed7a47b999f160d7750b.tar.gz |
Fix #72709: imagesetstyle() causes OOB read for empty $styles
Calling imagesetstyle() with an empty $styles array caused gdImageSetStyle()
to be called with `noOfPixels==0`, which could have led to OOB reads.
Actually, this issue will be fixed in libgd, but to avoid issues when older
libgd is in use, we simply disallow passing an empty $styles array to
imagesetstyle(), which wouldn't serve a useful purpose anyway.
-rw-r--r-- | NEWS | 1 | ||||
-rw-r--r-- | ext/gd/gd.c | 9 | ||||
-rw-r--r-- | ext/gd/tests/bug72709.phpt | 18 |
3 files changed, 27 insertions, 1 deletions
@@ -42,6 +42,7 @@ PHP NEWS
 blendingmode). (cmb)
 . Fixed bug #66555 (Always false condition in ext/gd/libgd/gdkanji.c). (cmb)
 . Fixed bug #68712 (suspicious if-else statements). (cmb)
+ . Fixed bug #72709 (imagesetstyle() causes OOB read for empty $styles). (cmb)
 - Intl:
 . Partially fixed #72506 (idn_to_ascii for UTS #46 incorrect for long domain
diff --git a/ext/gd/gd.c b/ext/gd/gd.c
index 533dc502ca..052d568d76 100644
--- a/ext/gd/gd.c
+++ b/ext/gd/gd.c
@@ -1555,6 +1555,7 @@ PHP_FUNCTION(imagesetstyle)
 int * stylearr;
 int index;
 HashPosition pos;
+ int num_styles;
 if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "ra", &IM, &styles) == FAILURE) {
 return;
@@ -1562,8 +1563,14 @@ PHP_FUNCTION(imagesetstyle)
 ZEND_FETCH_RESOURCE(im, gdImagePtr, &IM, -1, "Image", le_gd);
+ num_styles = zend_hash_num_elements(HASH_OF(styles));
+ if (num_styles == 0) {
+ php_error_docref(NULL, E_WARNING, "styles array must not be empty");
+ RETURN_FALSE;
+ }
+
 /* copy the style values in the stylearr */
- stylearr = safe_emalloc(sizeof(int), zend_hash_num_elements(HASH_OF(styles)), 0);
+ stylearr = safe_emalloc(sizeof(int), num_styles, 0);
 zend_hash_internal_pointer_reset_ex(HASH_OF(styles), &pos);
diff --git a/ext/gd/tests/bug72709.phpt b/ext/gd/tests/bug72709.phpt
new file mode 100644
index 0000000000..1c5b1f4ae0
--- /dev/null
+++ b/ext/gd/tests/bug72709.phpt
@@ -0,0 +1,18 @@
+--TEST--
+Bug #72709 (imagesetstyle() causes OOB read for empty $styles)
+--SKIPIF--
+<?php
+if (!extension_loaded('gd')) die('skip ext/gd not available');
+?>
+--FILE--
+<?php
+$im = imagecreatetruecolor(1, 1);
+var_dump(imagesetstyle($im, array()));
+imagesetpixel($im, 0, 0, IMG_COLOR_STYLED);
+imagedestroy($im);
+?>
+====DONE====
+--EXPECTF--
+Warning: imagesetstyle(): styles array must not be empty in %s%ebug72709.php on line %d
+bool(false)
+====DONE====
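Review bot: The new php_error_docref call in the second gd.c hunk omits the TSRMLS_CC argument that zend_parse_parameters passes a few lines earlier in the same function, so this branch appears to use the TSRMLS macros; the call compiles on non-ZTS builds, where TSRMLS_CC expands to nothing, but is likely to fail on ZTS builds. Change it to `php_error_docref(NULL TSRMLS_CC, E_WARNING, "styles array must not be empty");`. The guard itself would also benefit from a why-comment, since nothing in the code says why an empty array is rejected: `/* gdImageSetStyle() with noOfPixels == 0 read out of bounds in older libgd (bug #72709) */`. Note that the guard lives only in the PHP binding; any other path that reaches gdImageSetStyle() with zero pixels still depends on the libgd fix mentioned in the description. The body of imagesetstyle continues outside the hunk.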