1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
|
--TEST--
Bug #72339 Integer Overflow in _gd2GetHeader() resulting in heap overflow
--SKIPIF--
<?php if (!function_exists("imagecreatefromgd2")) print "skip"; ?>
--FILE--
<?php
$fname = dirname(__FILE__) . DIRECTORY_SEPARATOR . "bug72339.gd";
$fh = fopen($fname, "w");
fwrite($fh, "gd2\x00");
fwrite($fh, pack("n", 2));
fwrite($fh, pack("n", 1));
fwrite($fh, pack("n", 1));
fwrite($fh, pack("n", 0x40));
fwrite($fh, pack("n", 2));
fwrite($fh, pack("n", 0x5AA0)); // Chunks Wide
fwrite($fh, pack("n", 0x5B00)); // Chunks Vertically
fwrite($fh, str_repeat("\x41\x41\x41\x41", 0x1000000)); // overflow data
fclose($fh);
$im = imagecreatefromgd2($fname);
if ($im) {
imagedestroy($im);
}
unlink($fname);
?>
--EXPECTF--
Warning: imagecreatefromgd2(): gd warning: product of memory allocation multiplication would exceed INT_MAX, failing operation gracefully
in %sbug72339.php on line %d
Warning: imagecreatefromgd2(): '%sbug72339.gd' is not a valid GD2 file in %sbug72339.php on line %d
|
