diff options
-rw-r--r-- | ext/gd/libgd/gd_gd2.c | 4 | ||||
-rw-r--r-- | ext/gd/tests/bug73869.phpt | 19 | ||||
-rw-r--r-- | ext/gd/tests/bug73869a.gd2 | bin | 0 -> 92 bytes | |||
-rw-r--r-- | ext/gd/tests/bug73869b.gd2 | bin | 0 -> 18 bytes |
4 files changed, 23 insertions, 0 deletions
diff --git a/ext/gd/libgd/gd_gd2.c b/ext/gd/libgd/gd_gd2.c index 196b7858dc..3eba6b3054 100644 --- a/ext/gd/libgd/gd_gd2.c +++ b/ext/gd/libgd/gd_gd2.c @@ -136,6 +136,10 @@ static int _gd2GetHeader(gdIOCtxPtr in, int *sx, int *sy, int *cs, int *vers, in GD2_DBG(php_gd_error("%d Chunks vertically", *ncy)); if (gd2_compressed(*fmt)) { + if (*ncx <= 0 || *ncy <= 0 || *ncx > INT_MAX / *ncy) { + GD2_DBG(printf ("Illegal chunk counts: %d * %d\n", *ncx, *ncy)); + goto fail1; + } nc = (*ncx) * (*ncy); GD2_DBG(php_gd_error("Reading %d chunk index entries", nc)); if (overflow2(sizeof(t_chunk_info), nc)) { diff --git a/ext/gd/tests/bug73869.phpt b/ext/gd/tests/bug73869.phpt new file mode 100644 index 0000000000..3cc10a4201 --- /dev/null +++ b/ext/gd/tests/bug73869.phpt @@ -0,0 +1,19 @@ +--TEST-- +Bug #73869 (Signed Integer Overflow gd_io.c) +--SKIPIF-- +<?php +if (!extension_loaded('gd')) die('skip gd extension not available'); +?> +--FILE-- +<?php +var_dump(imagecreatefromgd2(__DIR__ . DIRECTORY_SEPARATOR . 'bug73869a.gd2')); +var_dump(imagecreatefromgd2(__DIR__ . DIRECTORY_SEPARATOR . 'bug73869b.gd2')); +?> +===DONE=== +--EXPECTF-- +Warning: imagecreatefromgd2(): '%s' is not a valid GD2 file in %s on line %d +bool(false) + +Warning: imagecreatefromgd2(): '%s' is not a valid GD2 file in %s on line %d +bool(false) +===DONE===
\ No newline at end of file diff --git a/ext/gd/tests/bug73869a.gd2 b/ext/gd/tests/bug73869a.gd2 Binary files differnew file mode 100644 index 0000000000..5060bfde3a --- /dev/null +++ b/ext/gd/tests/bug73869a.gd2 diff --git a/ext/gd/tests/bug73869b.gd2 b/ext/gd/tests/bug73869b.gd2 Binary files differnew file mode 100644 index 0000000000..8600126bec --- /dev/null +++ b/ext/gd/tests/bug73869b.gd2 |