authorRemi Collet <remi@php.net>2013-05-06 10:00:45 +0200
committerRemi Collet <remi@php.net>2013-05-06 10:00:45 +0200
commit9480de29db25982c75a7317ba779eec3d3847781 (patch)
treee9ba55db5fbd5ac45fe6c02762bd1fe3321fe9a6
parent4cea61a0fa16fba72e496d72b6c2aa8934d1b032 (diff)
downloadphp-git-9480de29db25982c75a7317ba779eec3d3847781.tar.gz
Revert removal of overflow2 use in gd.c
Function provided by gd_security with bundled libgd. Function provided by gd_compat with system libgd. This fixes the failed test imageloadfont_invalid.phpt. This test now also passes with system libgd.
-rw-r--r--ext/gd/gd.c7
-rw-r--r--ext/gd/gd_compat.c16
-rw-r--r--ext/gd/gd_compat.h6
-rw-r--r--ext/gd/tests/imageloadfont_invalid.phpt1
4 files changed, 24 insertions, 6 deletions
diff --git a/ext/gd/gd.c b/ext/gd/gd.c
index d463444120..d6d2848d41 100644
--- a/ext/gd/gd.c
+++ b/ext/gd/gd.c
@@ -57,9 +57,8 @@
# include <X11/xpm.h>
#endif
-#ifndef HAVE_GD_BUNDLED
# include "gd_compat.h"
-#endif /* HAVE_GD_BUNDLED */
+
static int le_gd, le_gd_font;
#if HAVE_LIBT1
@@ -1468,9 +1467,7 @@ PHP_FUNCTION(imageloadfont)
body_size = font->w * font->h * font->nchars;
}
- if ((font->nchars <= 0 || font->h <= 0 || font->w <= 0 ) || \
- (font->nchars > INT_MAX / font->h) || \
- (font->nchars * font->h > INT_MAX / font->w)) {
+ if (overflow2(font->nchars, font->h) || overflow2(font->nchars * font->h, font->w )) {
php_error_docref(NULL TSRMLS_CC, E_WARNING, "Error reading font, invalid font header");
efree(font);
php_stream_close(stream);
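Review bot: The product `font->w * font->h * font->nchars` on the first context line of this hunk is still computed before the `overflow2()` check runs, so header values read from the font file can overflow a signed int (undefined behaviour if these fields are `int`, as the `overflow2(int, int)` signature suggests) before they are rejected. The `overflow2(...)` test should come before any `body_size` computation, or the product should be formed only once the check has passed. Note also that `overflow2()` raises its own E_WARNING, so a rejected header now emits two warnings on this path. The body of imageloadfont starts and ends outside this hunk, so the ordering should be confirmed against the full function.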
diff --git a/ext/gd/gd_compat.c b/ext/gd/gd_compat.c
index 35b6457858..14538d401f 100644
--- a/ext/gd/gd_compat.c
+++ b/ext/gd/gd_compat.c
@@ -10,6 +10,7 @@
#endif
#include "gd_compat.h"
+#include <TSRM.h>
#ifdef HAVE_GD_JPG
int gdJpegGetVersionInt()
@@ -45,3 +46,18 @@ const char * gdPngGetVersionString()
}
#endif
+int overflow2(int a, int b)
+{
+ TSRMLS_FETCH();
+
+ if(a <= 0 || b <= 0) {
+ php_error_docref(NULL TSRMLS_CC, E_WARNING, "gd warning: one parameter to a memory allocation multiplication is negative or zero, failing operation gracefully\n");
+ return 1;
+ }
+ if(a > INT_MAX / b) {
+ php_error_docref(NULL TSRMLS_CC, E_WARNING, "gd warning: product of memory allocation multiplication would exceed INT_MAX, failing operation gracefully\n");
+ return 1;
+ }
+ return 0;
+}
+
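Review bot: `overflow2()` is added without a comment stating its contract, which matters because callers rely on it before multiplying sizes taken from untrusted files. A suggested header comment is `/* Returns 1 and raises E_WARNING when a or b is <= 0 or when a * b would exceed INT_MAX; returns 0 when the product is safe to compute. */`. The function also uses `INT_MAX`, and the include lines visible in this file's hunks do not show `<limits.h>`. It may arrive through another header, but an explicit `#include <limits.h>` would remove the dependency on include order.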
diff --git a/ext/gd/gd_compat.h b/ext/gd/gd_compat.h
index ea812ea2c4..db757f5988 100644
--- a/ext/gd/gd_compat.h
+++ b/ext/gd/gd_compat.h
@@ -1,8 +1,14 @@
#ifndef GD_COMPAT_H
#define GD_COMPAT_H 1
+#ifndef HAVE_GD_BUNDLED
+/* from gd_compat.c */
const char * gdPngGetVersionString();
const char * gdJpegGetVersionString();
int gdJpegGetVersionInt();
+#endif
+
+/* from gd_compat.c of libgd/gd_security.c */
+int overflow2(int a, int b);
#endif /* GD_COMPAT_H */
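Review bot: The comment above the new prototype reads `/* from gd_compat.c of libgd/gd_security.c */`, where `of` looks like a typo for `or`, so it appears to name one source file rather than two alternatives. Something like `/* from gd_compat.c (system libgd) or libgd/gd_security.c (bundled libgd) */` would say which definition is linked in each build. Because the prototype now sits outside the `HAVE_GD_BUNDLED` guard, it also has to stay identical to the bundled library's own declaration of `overflow2`, which is not visible here.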
diff --git a/ext/gd/tests/imageloadfont_invalid.phpt b/ext/gd/tests/imageloadfont_invalid.phpt
index 07bf150ac8..6cf0e336b6 100644
--- a/ext/gd/tests/imageloadfont_invalid.phpt
+++ b/ext/gd/tests/imageloadfont_invalid.phpt
@@ -3,7 +3,6 @@ imageloadfont() function crashes
--SKIPIF--
<?php
if (!extension_loaded('gd')) die("skip gd extension not available\n");
- if (!GD_BUNDLED) die('skip external GD libraries always fail');
?>
--FILE--
<?php