Fix #73869: Signed Integer Overflow gd_io.cphp-7.1.1 PHP-7.1.1

GD2 stores the number of horizontal and vertical chunks as words (i.e. 2 byte unsigned). These values are multiplied and assigned to an int when reading the image, what can cause integer overflows. We have to avoid that, and also make sure that either chunk count is actually greater than zero. If illegal chunk counts are detected, we bail out from reading the image. (cherry picked from commit 5b5d9db3988b829e0b121b74bb3947f01c2796a1)
author: Christoph M. Becker <cmbecker69@gmx.de> 2016-12-17 17:06:58 +0100
committer: Joe Watkins <krakjoe@php.net> 2017-01-17 20:42:56 +0000
commit: 9abbc3cc6d0f448435ca38bef694f671bf7303d8 (patch)
tree: 9bab56f8d4d0647b5902be9ecb9ab011650a156e /ext/gd/tests/bug73869a.gd2
parent: c95dcc3bb29df76b8656c960dbfd80b0720ffde8 (diff)
download: php-git-PHP-7.1.1.tar.gz
1 files changed, 0 insertions, 0 deletions
diff --git a/ext/gd/tests/bug73869a.gd2 b/ext/gd/tests/bug73869a.gd2
new file mode 100644
index 0000000000..5060bfde3a
--- /dev/null
+++ b/ext/gd/tests/bug73869a.gd2
author	Christoph M. Becker <cmbecker69@gmx.de>	2016-12-17 17:06:58 +0100
committer	Joe Watkins <krakjoe@php.net>	2017-01-17 20:42:56 +0000
commit	9abbc3cc6d0f448435ca38bef694f671bf7303d8 (patch)
tree	9bab56f8d4d0647b5902be9ecb9ab011650a156e /ext/gd/tests/bug73869a.gd2
parent	c95dcc3bb29df76b8656c960dbfd80b0720ffde8 (diff)
download	php-git-PHP-7.1.1.tar.gz