From 6a75ec7b86fc3f19b758a0e6525e9df7eb87a9f9 Mon Sep 17 00:00:00 2001 From: Remi Collet Date: Thu, 1 Mar 2018 10:08:47 +0100 Subject: fix #73549: Use after free when stream is passed to imagepng fix #73868: Fix DOS vulnerability in gdImageCreateFromGd2Ctx() CVE-2016-10167 fix #73869: Signed Integer Overflow gd_io.c CVE-2016-10168 fix #74435: Buffer over-read into uninitialized memory CVE-2017-7890 fix #75571: Potential infinite loop in gdImageCreateFromGifCtx CVE-2018-5711 fix #75981: stack-buffer-overflow while parsing HTTP response --- bug73869.patch | 45 +++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 45 insertions(+) create mode 100644 bug73869.patch (limited to 'bug73869.patch') diff --git a/bug73869.patch b/bug73869.patch new file mode 100644 index 0000000..6e5b08e --- /dev/null +++ b/bug73869.patch @@ -0,0 +1,45 @@ +Fix for CVE-2017-10168 +Backported for 5.4 without test and binary patch + + +From d2274b01cbbadf5516b3ea87ad76fbae18834007 Mon Sep 17 00:00:00 2001 +From: "Christoph M. Becker" +Date: Sat, 17 Dec 2016 17:06:58 +0100 +Subject: [PATCH] Fix #73869: Signed Integer Overflow gd_io.c + +GD2 stores the number of horizontal and vertical chunks as words (i.e. 2 +byte unsigned). These values are multiplied and assigned to an int when +reading the image, what can cause integer overflows. We have to avoid +that, and also make sure that either chunk count is actually greater +than zero. If illegal chunk counts are detected, we bail out from +reading the image. + +(cherry picked from commit 5b5d9db3988b829e0b121b74bb3947f01c2796a1) +--- + ext/gd/libgd/gd_gd2.c | 4 ++++ + ext/gd/tests/bug73869.phpt | 19 +++++++++++++++++++ + ext/gd/tests/bug73869a.gd2 | Bin 0 -> 92 bytes + ext/gd/tests/bug73869b.gd2 | Bin 0 -> 18 bytes + 4 files changed, 23 insertions(+) + create mode 100644 ext/gd/tests/bug73869.phpt + create mode 100644 ext/gd/tests/bug73869a.gd2 + create mode 100644 ext/gd/tests/bug73869b.gd2 + +diff --git a/ext/gd/libgd/gd_gd2.c b/ext/gd/libgd/gd_gd2.c +index 196b785..3eba6b3 100644 +--- a/ext/gd/libgd/gd_gd2.c ++++ b/ext/gd/libgd/gd_gd2.c +@@ -136,6 +136,10 @@ static int _gd2GetHeader(gdIOCtxPtr in, int *sx, int *sy, int *cs, int *vers, in + GD2_DBG(php_gd_error("%d Chunks vertically", *ncy)); + + if (gd2_compressed(*fmt)) { ++ if (*ncx <= 0 || *ncy <= 0 || *ncx > INT_MAX / *ncy) { ++ GD2_DBG(printf ("Illegal chunk counts: %d * %d\n", *ncx, *ncy)); ++ goto fail1; ++ } + nc = (*ncx) * (*ncy); + GD2_DBG(php_gd_error("Reading %d chunk index entries", nc)); + if (overflow2(sizeof(t_chunk_info), nc)) { +-- +2.1.4 + -- cgit