diff options
| author | Anatol Belski <ab@php.net> | 2014-09-19 20:15:56 +0200 |
|---|---|---|
| committer | Anatol Belski <ab@php.net> | 2014-09-19 20:15:56 +0200 |
| commit | f6c02239caa84b0cf0ed1ce3fecc87cd0008e413 (patch) | |
| tree | ba0072401f88d15a1dc5f325d060c298041b50ce | |
| parent | c343ca4efba7e600f7d20c73fde34dbda8192e48 (diff) | |
| parent | 6213d9fc91de457b08e574a0f1ac8073eb948b17 (diff) | |
| download | php-git-f6c02239caa84b0cf0ed1ce3fecc87cd0008e413.tar.gz | |
Merge branch 'PHP-5.6'
* PHP-5.6:
fix possible array underflow
Conflicts:
ext/standard/image.c
| -rw-r--r-- | ext/standard/image.c | 6 |
1 files changed, 3 insertions, 3 deletions
diff --git a/ext/standard/image.c b/ext/standard/image.c index 5aa7b7e84a..54159e3785 100644 --- a/ext/standard/image.c +++ b/ext/standard/image.c @@ -366,8 +366,8 @@ static unsigned short php_read2(php_stream * stream TSRMLS_DC) { unsigned char a[2]; - /* just return 0 if we hit the end-of-file */ - if((php_stream_read(stream, (char*)a, sizeof(a))) != sizeof(a)) return 0; + /* return 0 if we couldn't read enough data */ + if((php_stream_read(stream, a, sizeof(a))) < sizeof(a)) return 0; return (((unsigned short)a[0]) << 8) + ((unsigned short)a[1]); } @@ -647,7 +647,7 @@ static struct gfxinfo *php_handle_jpc(php_stream * stream TSRMLS_DC) #endif result->channels = php_read2(stream TSRMLS_CC); /* Csiz */ - if (result->channels == 0 || result->channels > 256) { + if (result->channels == 0 && php_stream_eof(stream) || result->channels > 256) { efree(result); return NULL; } |