author | Remi Collet <remi@php.net> | 2014-12-13 09:06:24 +0100 |
---|---|---|
committer | Remi Collet <remi@php.net> | 2014-12-13 09:06:24 +0100 |
commit | de0afce55b085f9983f9d49ced5244f748b30750 (patch) | |
tree | f0154a6b2f86533283b5d458bd0adff459c878bd | |
parent | 3893c1fc3d221f3954115de638db4be0e03e886c (diff) | |
parent | 2e5de0c323310bfcbd6e1dba76ec1edeb5e7b6dd (diff) | |
download | php-git-de0afce55b085f9983f9d49ced5244f748b30750.tar.gz |
Merge branch 'PHP-5.6'
* PHP-5.6:
NEWS
NEWS
Fix bug #68601 buffer read overflow in gd_gif_in.c
-rw-r--r-- | ext/gd/libgd/gd_gif_in.c | 11 |
1 files changed, 9 insertions, 2 deletions
diff --git a/ext/gd/libgd/gd_gif_in.c b/ext/gd/libgd/gd_gif_in.c
index ee88a2fc8e..491e9422db 100644
--- a/ext/gd/libgd/gd_gif_in.c
+++ b/ext/gd/libgd/gd_gif_in.c
@@ -72,8 +72,10 @@ static struct {
 #define STACK_SIZE ((1<<(MAX_LWZ_BITS))*2)
+#define CSD_BUF_SIZE 280
+
 typedef struct {
- unsigned char buf[280];
+ unsigned char buf[CSD_BUF_SIZE];
 int curbit, lastbit, done, last_byte;
 } CODE_STATIC_DATA;
@@ -400,7 +402,12 @@ GetCode_(gdIOCtx *fd, CODE_STATIC_DATA *scd, int code_size, int flag, int *ZeroD
 ret = 0;
 for (i = scd->curbit, j = 0; j < code_size; ++i, ++j)
- ret |= ((scd->buf[ i / 8 ] & (1 << (i % 8))) != 0) << j;
+ if (i < CSD_BUF_SIZE * 8) {
+ ret |= ((scd->buf[i / 8] & (1 << (i % 8))) != 0) << j;
+ } else {
+ ret = -1;
+ break;
+ }
 scd->curbit += code_size;
 return ret; |
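Review bot: The new guard in GetCode_ bounds `i` by the buffer's capacity (`CSD_BUF_SIZE * 8`) rather than by the bits actually loaded, so it stops the read past `buf` but may still let a truncated block be decoded from stale bytes left in the buffer. Bounding against `scd->lastbit` as well would close that, assuming `lastbit` tracks the valid bits; the refill logic is outside this hunk, so this needs confirming. The test also has no lower bound, and `curbit` is declared `int` in the first hunk, so a negative value would still index before `buf`. A single check ahead of the `for`, such as `if (scd->curbit < 0 || scd->curbit + code_size > CSD_BUF_SIZE * 8) return -1;`, covers both ends and avoids advancing `scd->curbit` on the error path, which the `break` currently falls through to. GetCode_ starts and ends outside the hunk, and the `for` body would read more safely with braces around the new if/else.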