summaryrefslogtreecommitdiffstats
path: root/bug74435.patch
diff options
context:
space:
mode:
authorRemi Collet <remi@remirepo.net>2018-03-01 10:08:47 +0100
committerRemi Collet <remi@remirepo.net>2018-03-01 10:08:47 +0100
commit6a75ec7b86fc3f19b758a0e6525e9df7eb87a9f9 (patch)
tree3063e2862ede5cb869233359d021731e3b156e90 /bug74435.patch
parentf6bab89b5b2345cac08d761e2fd93f7d18da8aea (diff)
fix #73549: Use after free when stream is passed to imagepng
fix #73868: Fix DOS vulnerability in gdImageCreateFromGd2Ctx() CVE-2016-10167 fix #73869: Signed Integer Overflow gd_io.c CVE-2016-10168 fix #74435: Buffer over-read into uninitialized memory CVE-2017-7890 fix #75571: Potential infinite loop in gdImageCreateFromGifCtx CVE-2018-5711 fix #75981: stack-buffer-overflow while parsing HTTP response
Diffstat (limited to 'bug74435.patch')
-rw-r--r--bug74435.patch35
1 files changed, 35 insertions, 0 deletions
diff --git a/bug74435.patch b/bug74435.patch
new file mode 100644
index 0000000..968078c
--- /dev/null
+++ b/bug74435.patch
@@ -0,0 +1,35 @@
+Adapted for 5.4.13
+With test removed (binary patch not handled)
+
+From 018092125538782b25d3ab6b036f0c8d5968f757 Mon Sep 17 00:00:00 2001
+From: "Christoph M. Becker" <cmbecker69@gmx.de>
+Date: Tue, 20 Jun 2017 16:45:42 +0200
+Subject: [PATCH] Fix #74435: Buffer over-read into uninitialized memory
+
+The stack allocated color map buffers were not zeroed before usage, and
+so undefined palette indexes could cause information leakage.
+---
+ ext/gd/libgd/gd_gif_in.c | 3 +++
+ ext/gd/tests/bug74435.gif | Bin 0 -> 11464 bytes
+ ext/gd/tests/bug74435.phpt | 27 +++++++++++++++++++++++++++
+ 3 files changed, 30 insertions(+)
+ create mode 100644 ext/gd/tests/bug74435.gif
+ create mode 100644 ext/gd/tests/bug74435.phpt
+
+diff --git a/ext/gd/libgd/gd_gif_in.c b/ext/gd/libgd/gd_gif_in.c
+index 74b7493..76ba152 100644
+--- a/ext/gd/libgd/gd_gif_in.c
++++ b/ext/gd/libgd/gd_gif_in.c
+@@ -147,6 +147,9 @@ gdImagePtr gdImageCreateFromGifCtx(gdIOCtxPtr fd) /* {{{ */
+ int haveGlobalColormap;
+ gdImagePtr im = 0;
+
++ memset(ColorMap, 0, 3 * MAXCOLORMAPSIZE);
++ memset(localColorMap, 0, 3 * MAXCOLORMAPSIZE);
++
+ /*1.4//imageNumber = 1; */
+ if (! ReadOK(fd,buf,6)) {
+ return 0;
+--
+2.1.4
+