Fix #74435: Buffer over-read into uninitialized memory

The stack allocated color map buffers were not zeroed before usage, and
so undefined palette indexes could cause information leakage.

3 files changed, 30 insertions, 0 deletions

diff --git a/ext/gd/libgd/gd_gif_in.c b/ext/gd/libgd/gd_gif_in.c
index f41ec8460a..e0f0fe398a 100644
--- a/ext/gd/libgd/gd_gif_in.c
+++ b/ext/gd/libgd/gd_gif_in.c
@@ -147,6 +147,9 @@ gdImagePtr gdImageCreateFromGifCtx(gdIOCtxPtr fd) /* {{{ */
 	int haveGlobalColormap;
 	gdImagePtr im = 0;
 
+	memset(ColorMap, 0, 3 * MAXCOLORMAPSIZE);
+	memset(localColorMap, 0, 3 * MAXCOLORMAPSIZE);
+
 	/*1.4//imageNumber = 1; */
 	if (! ReadOK(fd,buf,6)) {
 		return 0;
diff --git a/ext/gd/tests/bug74435.gif b/ext/gd/tests/bug74435.gif
new file mode 100644
index 0000000000..92fbb7ff20
--- /dev/null
+++ b/ext/gd/tests/bug74435.gif
diff --git a/ext/gd/tests/bug74435.phpt b/ext/gd/tests/bug74435.phpt
new file mode 100644
index 0000000000..9d11eb3839
--- /dev/null
+++ b/ext/gd/tests/bug74435.phpt
@@ -0,0 +1,27 @@
+--TEST--
+Bug #74435 (Buffer over-read into uninitialized memory)
+--SKIPIF--
+<?php
+if (!extension_loaded('gd')) die('skip gd extension not available');
+?>
+--FILE--
+<?php
+$im = imagecreatefromgif(__DIR__ . DIRECTORY_SEPARATOR . 'bug74435.gif');
+var_dump($im);
+$width = imagesx($im);
+$height = imagesy($im);
+for ($i = 0; $i < $width; $i += 16) {
+    for ($j = 0; $j < $height; $j += 16) {
+        if (($index = imagecolorat($im, $i, $j)) >= 2) {
+            list($red, $green, $blue, $alpha) = array_values(imagecolorsforindex($im, $index));
+            if ($red !== 0 || $green !== 0 || $blue !== 0 || $alpha !== 0) {
+                echo "unexpected color at ($i, $j)\n";
+            }
+        }
+    }
+}
+?>
+===DONE===
+--EXPECTF--
+resource(%d) of type (gd)
+===DONE===