diff options
| author | Christoph M. Becker <cmbecker69@gmx.de> | 2016-10-13 11:10:02 +0200 |
|---|---|---|
| committer | Christoph M. Becker <cmbecker69@gmx.de> | 2016-10-13 11:10:02 +0200 |
| commit | cc08cbc84d46933c1e9e0149633f1ed5d19e45e9 (patch) | |
| tree | 7cb5762821bae03e18ad9a64b5c1ec6a7c75be80 | |
| parent | 43ccf23d700ae780451e257f5a66d4210f82f026 (diff) | |
| download | php-git-cc08cbc84d46933c1e9e0149633f1ed5d19e45e9.tar.gz | |
Fix #73280: Stack Buffer Overflow in GD dynamicGetbuf
We make sure to never pass a negative `rlen` as size to memcpy().
Cf. <https://github.com/libgd/libgd/commit/53110871>.
| -rw-r--r-- | NEWS | 1 | ||||
| -rw-r--r-- | ext/gd/libgd/gd_io_dp.c | 2 |
2 files changed, 2 insertions, 1 deletions
@@ -7,6 +7,7 @@ PHP NEWS . Fixed bug #73272 (imagescale() is not affected by, but affects imagesetinterpolation()). (cmb) . Fixed bug #73279 (Integer overflow in gdImageScaleBilinearPalette()). (cmb) + . Fixed bug #73280 (Stack Buffer Overflow in GD dynamicGetbuf). (cmb) - SOAP: . Fixed bug #73037 (SoapServer reports Bad Request when gzipped). (Anatol) diff --git a/ext/gd/libgd/gd_io_dp.c b/ext/gd/libgd/gd_io_dp.c index bfeb4cb4bb..4dcedde8cc 100644 --- a/ext/gd/libgd/gd_io_dp.c +++ b/ext/gd/libgd/gd_io_dp.c @@ -237,7 +237,7 @@ static int dynamicGetbuf (gdIOCtxPtr ctx, void *buf, int len) if (remain >= len) { rlen = len; } else { - if (remain == 0) { + if (remain <= 0) { return EOF; } rlen = remain; |