-rw-r--r-- | NEWS | 2 | ||||
-rw-r--r-- | ext/gd/gd.c | 13 | ||||
-rw-r--r-- | ext/gd/tests/imageloadfont_invalid.phpt | 26 |
3 files changed, 41 insertions, 0 deletions
@@ -2,6 +2,8 @@ PHP 4 NEWS
 |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
 ?? ?? 2008, Version 4.4.9
 - Updated PCRE to version 7.7. (Nuno)
+- Fixed crash in imageloadfont when an invalid font is given
+ (discovered by CzechSec, fixed by Pierre)
 03 Jan 2008, Version 4.4.8
 - Improved fix for MOPB-02-2007. (Ilia)
diff --git a/ext/gd/gd.c b/ext/gd/gd.c
index d92d4d85b5..40562112be 100644
--- a/ext/gd/gd.c
+++ b/ext/gd/gd.c
@@ -669,6 +669,19 @@ PHP_FUNCTION(imageloadfont)
 body_size = font->w * font->h * font->nchars;
 }
+ if (overflow2(font->nchars, font->h)) {
+ php_error_docref(NULL TSRMLS_CC, E_WARNING, "Error reading font, invalid font header");
+ efree(font);
+ php_stream_close(stream);
+ RETURN_FALSE;
+ }
+ if (overflow2(font->nchars * font->h, font->w )) {
+ php_error_docref(NULL TSRMLS_CC, E_WARNING, "Error reading font, invalid font header");
+ efree(font);
+ php_stream_close(stream);
+ RETURN_FALSE;
+ }
+
 if (body_size != body_size_check) {
 php_error_docref(NULL TSRMLS_CC, E_WARNING, "Error reading font");
 efree(font);
diff --git a/ext/gd/tests/imageloadfont_invalid.phpt b/ext/gd/tests/imageloadfont_invalid.phpt
new file mode 100644
index 0000000000..f2de5f9f23
--- /dev/null
+++ b/ext/gd/tests/imageloadfont_invalid.phpt
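Review bot: The two `overflow2()` guards in the ext/gd/gd.c hunk run after the context line `body_size = font->w * font->h * font->nchars;`, so the unchecked product of the file-supplied header fields has already been evaluated before the header is rejected. Validating first and computing the size afterwards avoids relying on a value that may have wrapped. The two identical error paths can be folded into one condition, `if (overflow2(font->nchars, font->h) || overflow2(font->nchars * font->h, font->w)) {`, where short-circuiting keeps the inner product safe. Whether zero or negative `w`, `h` or `nchars` are rejected elsewhere is not visible here and is worth confirming, since the body of `PHP_FUNCTION(imageloadfont)` starts and ends outside the hunk.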
@@ -0,0 +1,26 @@
+--TEST--
+imageloadfont() function crashes
+--SKIPIF--
+<?php
+ if (!extension_loaded('gd')) die("skip gd extension not available\n");
+ if (!GD_BUNDLED) die('skip external GD libraries always fail');
+?>
+--FILE--
+<?php
+$filename = dirname(__FILE__) . '/font.gdf';
+$bin = "\x41\x41\x41\x41\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x01\x00";
+$fp = fopen($filename, 'wb');
+fwrite($fp, $bin);
+fclose($fp);
+
+$image = imagecreatetruecolor(50, 20);
+$font = imageloadfont($filename);
+$black = imagecolorallocate($image, 0, 0, 0);
+imagestring($image, $font, 0, 0, "Hello", $black);
+?>
+--EXPECTF--
+
+Warning: imageloadfont() [%s]: gd warning: product of memory allocation multiplication would exceed INT_MAX, failing operation gracefully
+ in %simageloadfont_invalid.php on line %d
+
+Warning: imageloadfont() [%s]: Error reading font, invalid font header in %simageloadfont_invalid.php on line %d |
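Review bot: The test writes `font.gdf` into the tests directory and never removes it, so every run leaves the malformed font file behind; adding `unlink($filename);` after the `imagestring()` call would clean it up. The 16-byte `$bin` literal is also undocumented, and a comment such as `// crafted GDF header whose size fields multiply past INT_MAX` would tell a maintainer why these bytes were chosen (the exact field layout is presumably nchars/offset/w/h and should be confirmed against the loader). The result of `imageloadfont()` is never checked either, so adding `var_dump($font);` with a matching `bool(false)` line in `--EXPECTF--` would pin the rejection itself instead of only the warnings.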