author | Anatol Belski <ab@php.net> | 2017-01-17 09:35:26 +0100 |
---|---|---|
committer | Anatol Belski <ab@php.net> | 2017-01-17 09:35:26 +0100 |
commit | cea050b8da98e0335fb24919814603e7c130ae82 (patch) | |
tree | 67f19bbdf0e45aae06cd77f830801378032b7ecd /ext/gd | |
parent | abe094dde848713e82a4f60f747f860ca3c3aa8e (diff) | |
parent | 5d07438cb3d72b7d6d3675cdccf5eef361e6e591 (diff) | |
download | php-git-cea050b8da98e0335fb24919814603e7c130ae82.tar.gz |
Merge branch 'PHP-7.0' into PHP-7.1
* PHP-7.0:
Fix #73869: Signed Integer Overflow gd_io.c
Fix #73868: DOS vulnerability in gdImageCreateFromGd2Ctx()
Diffstat (limited to 'ext/gd')
-rw-r--r-- | ext/gd/libgd/gd_gd2.c | 12 | ||||
-rw-r--r-- | ext/gd/tests/bug73868.gd2 | bin | 0 -> 1050 bytes | |||
-rw-r--r-- | ext/gd/tests/bug73868.phpt | 18 | ||||
-rw-r--r-- | ext/gd/tests/bug73869.phpt | 19 | ||||
-rw-r--r-- | ext/gd/tests/bug73869a.gd2 | bin | 0 -> 92 bytes | |||
-rw-r--r-- | ext/gd/tests/bug73869b.gd2 | bin | 0 -> 18 bytes |
6 files changed, 47 insertions, 2 deletions
diff --git a/ext/gd/libgd/gd_gd2.c b/ext/gd/libgd/gd_gd2.c
index d06f328425..3eba6b3054 100644
--- a/ext/gd/libgd/gd_gd2.c
+++ b/ext/gd/libgd/gd_gd2.c
@@ -136,6 +136,10 @@ static int _gd2GetHeader(gdIOCtxPtr in, int *sx, int *sy, int *cs, int *vers, in
 GD2_DBG(php_gd_error("%d Chunks vertically", *ncy));
 if (gd2_compressed(*fmt)) {
+ if (*ncx <= 0 || *ncy <= 0 || *ncx > INT_MAX / *ncy) {
+ GD2_DBG(printf ("Illegal chunk counts: %d * %d\n", *ncx, *ncy));
+ goto fail1;
+ }
 nc = (*ncx) * (*ncy);
 GD2_DBG(php_gd_error("Reading %d chunk index entries", nc));
 if (overflow2(sizeof(t_chunk_info), nc)) {
@@ -340,12 +344,16 @@ gdImagePtr gdImageCreateFromGd2Ctx (gdIOCtxPtr in)
 for (x = xlo; x < xhi; x++) {
 if (im->trueColor) {
 if (!gdGetInt(&im->tpixels[y][x], in)) {
- im->tpixels[y][x] = 0;
+ php_gd_error("gd2: EOF while reading\n");
+ gdImageDestroy(im);
+ return NULL;
 }
 } else {
 int ch;
 if (!gdGetByte(&ch, in)) {
- ch = 0;
+ php_gd_error("gd2: EOF while reading\n");
+ gdImageDestroy(im);
+ return NULL;
 }
 im->pixels[y][x] = ch;
 }
diff --git a/ext/gd/tests/bug73868.gd2 b/ext/gd/tests/bug73868.gd2
Binary files differ
new file mode 100644
index 0000000000..1c797d1acf
--- /dev/null
+++ b/ext/gd/tests/bug73868.gd2
diff --git a/ext/gd/tests/bug73868.phpt b/ext/gd/tests/bug73868.phpt
new file mode 100644
index 0000000000..135be7917b
--- /dev/null
+++ b/ext/gd/tests/bug73868.phpt
@@ -0,0 +1,18 @@
+--TEST--
+Bug 73868 (DOS vulnerability in gdImageCreateFromGd2Ctx())
+--SKIPIF--
+<?php
+if (!extension_loaded('gd')) die('skip gd extension not available');
+?>
+--FILE--
+<?php
+var_dump(imagecreatefromgd2(__DIR__ . DIRECTORY_SEPARATOR . 'bug73868.gd2'));
+?>
+===DONE===
+--EXPECTF--
+Warning: imagecreatefromgd2(): gd2: EOF while reading
+ in %s on line %d
+
+Warning: imagecreatefromgd2(): '%s' is not a valid GD2 file in %s on line %d
+bool(false)
+===DONE===
diff --git a/ext/gd/tests/bug73869.phpt b/ext/gd/tests/bug73869.phpt
new file mode 100644
index 0000000000..3cc10a4201
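Review bot: The new rejection path in `_gd2GetHeader` logs through `GD2_DBG(printf (...))`, while the debug lines on either side of it use `GD2_DBG(php_gd_error(...))`, so in a debug build this one message would go to stdout instead of PHP's error channel. I would write it as `GD2_DBG(php_gd_error("Illegal chunk counts: %d * %d", *ncx, *ncy));`. The guard also deserves a one-line comment such as `/* ncx and ncy come from the file header; reject values whose product would overflow int before computing nc */`, because the division form is what keeps the following `nc = (*ncx) * (*ncy)` free of signed overflow. `INT_MAX` needs `<limits.h>`, and the include list, like the start and end of the function, is outside this hunk.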
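Review bot: Both new failure branches in `gdImageCreateFromGd2Ctx` pass a message ending in `\n` to `php_gd_error`, which is why the expected output in bug73868.phpt has the warning broken across two lines (`gd2: EOF while reading` followed by ` in %s on line %d`); dropping the newline, `php_gd_error("gd2: EOF while reading");`, would keep each warning on a single log line. The same three statements are repeated for the truecolor and the palette read, and each returns directly after `gdImageDestroy(im)`; if the function owns other buffers or has a shared failure label, which this hunk does not show, the early exit should go through that path instead. The function begins and ends outside the hunk.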
--- /dev/null
+++ b/ext/gd/tests/bug73869.phpt
@@ -0,0 +1,19 @@
+--TEST--
+Bug #73869 (Signed Integer Overflow gd_io.c)
+--SKIPIF--
+<?php
+if (!extension_loaded('gd')) die('skip gd extension not available');
+?>
+--FILE--
+<?php
+var_dump(imagecreatefromgd2(__DIR__ . DIRECTORY_SEPARATOR . 'bug73869a.gd2'));
+var_dump(imagecreatefromgd2(__DIR__ . DIRECTORY_SEPARATOR . 'bug73869b.gd2'));
+?>
+===DONE===
+--EXPECTF--
+Warning: imagecreatefromgd2(): '%s' is not a valid GD2 file in %s on line %d
+bool(false)
+
+Warning: imagecreatefromgd2(): '%s' is not a valid GD2 file in %s on line %d
+bool(false)
+===DONE===
\ No newline at end of file
diff --git a/ext/gd/tests/bug73869a.gd2 b/ext/gd/tests/bug73869a.gd2
Binary files differ
new file mode 100644
index 0000000000..5060bfde3a
--- /dev/null
+++ b/ext/gd/tests/bug73869a.gd2
diff --git a/ext/gd/tests/bug73869b.gd2 b/ext/gd/tests/bug73869b.gd2
Binary files differ
new file mode 100644
index 0000000000..8600126bec
--- /dev/null
+++ b/ext/gd/tests/bug73869b.gd2 |