diff options
| -rw-r--r-- | NEWS | 2 | ||||
| -rw-r--r-- | ext/gd/gd_ctx.c | 5 |
2 files changed, 7 insertions, 0 deletions
@@ -16,6 +16,8 @@ PHP NEWS - GD: . Fixed bug #66901 (php-gd 'c_color' NULL pointer dereference). (CVE-2014-2497) (Remi) + . Fixed bug #67730 (Null byte injection possible with imagexxx functions). + (CVE-2014-5120) (Ryan Mauger) - Milter: . Fixed bug #67715 (php-milter does not build and crashes randomly). (Mike) diff --git a/ext/gd/gd_ctx.c b/ext/gd/gd_ctx.c index bff691fad2..eafbab5896 100644 --- a/ext/gd/gd_ctx.c +++ b/ext/gd/gd_ctx.c @@ -124,6 +124,11 @@ static void _php_image_output_ctx(INTERNAL_FUNCTION_PARAMETERS, int image_type, RETURN_FALSE; } } else if (Z_TYPE_P(to_zval) == IS_STRING) { + if (CHECK_ZVAL_NULL_PATH(to_zval)) { + php_error_docref(NULL TSRMLS_CC, E_WARNING, "Invalid 2nd parameter, filename must not contain null bytes"); + RETURN_FALSE; + } + stream = php_stream_open_wrapper(Z_STRVAL_P(to_zval), "wb", REPORT_ERRORS|IGNORE_PATH|IGNORE_URL_WIN, NULL); if (stream == NULL) { RETURN_FALSE; |