Backported from 5.5.37 for 5.4 by Remi Collet From 7722455726bec8c53458a32851d2a87982cf0eac Mon Sep 17 00:00:00 2001 From: Pierre Joye Date: Sat, 18 Jun 2016 20:15:10 +0200 Subject: [PATCH] Fixed #72339 Integer Overflow in _gd2GetHeader() resulting in heap overflow --- ext/gd/libgd/gd_gd2.c | 7 +++++++ ext/gd/tests/bug72339.gd | Bin 0 -> 67108882 bytes ext/gd/tests/bug72339.phpt | 11 +++++++++++ 3 files changed, 18 insertions(+) create mode 100644 ext/gd/tests/bug72339.gd create mode 100644 ext/gd/tests/bug72339.phpt diff --git a/ext/gd/libgd/gd_gd2.c b/ext/gd/libgd/gd_gd2.c index 6726fee..63e3aef 100644 --- a/ext/gd/libgd/gd_gd2.c +++ b/ext/gd/libgd/gd_gd2.c @@ -138,11 +138,18 @@ static int _gd2GetHeader(gdIOCtxPtr in, int *sx, int *sy, int *cs, int *vers, in if (gd2_compressed(*fmt)) { nc = (*ncx) * (*ncy); GD2_DBG(php_gd_error("Reading %d chunk index entries", nc)); + if (overflow2(sidx, nc)) { + goto fail1; + } sidx = sizeof(t_chunk_info) * nc; if (sidx <= 0) { goto fail1; } cidx = gdCalloc(sidx, 1); + if (cidx == NULL) { + goto fail1; + } + for (i = 0; i < nc; i++) { if (gdGetInt(&cidx[i].offset, in) != 1) { gdFree(cidx); diff --git a/ext/gd/tests/bug72339.phpt b/ext/gd/tests/bug72339.phpt new file mode 100644 index 0000000..763ae71 --- /dev/null +++ b/ext/gd/tests/bug72339.phpt @@ -0,0 +1,11 @@ +--TEST-- +Bug #72339 Integer Overflow in _gd2GetHeader() resulting in heap overflow +--SKIPIF-- + +--FILE-- + +--EXPECTF-- +Warning: imagecreatefromgd2(): gd warning: product of memory allocation multiplication would exceed INT_MAX, failing operation gracefully + in %sbug72339.php on line %d + +Warning: imagecreatefromgd2(): '%sbug72339.gd' is not a valid GD2 file in %sbug72339.php on line %d From 5f107ab8a66f8b36ac0c0b32e0231bf94e083c94 Mon Sep 17 00:00:00 2001 From: Stanislav Malyshev Date: Mon, 20 Jun 2016 22:54:55 -0700 Subject: [PATCH] fix tests --- ext/gd/libgd/gd_gd2.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ext/gd/libgd/gd_gd2.c b/ext/gd/libgd/gd_gd2.c index 63e3aef..e954aaf 100644 --- a/ext/gd/libgd/gd_gd2.c +++ b/ext/gd/libgd/gd_gd2.c @@ -138,7 +138,7 @@ static int _gd2GetHeader(gdIOCtxPtr in, int *sx, int *sy, int *cs, int *vers, in if (gd2_compressed(*fmt)) { nc = (*ncx) * (*ncy); GD2_DBG(php_gd_error("Reading %d chunk index entries", nc)); - if (overflow2(sidx, nc)) { + if (overflow2(sizeof(t_chunk_info), nc)) { goto fail1; } sidx = sizeof(t_chunk_info) * nc; From 0c7250f260303061425d0d8a348d1a80fa0cc12e Mon Sep 17 00:00:00 2001 From: Anatol Belski Date: Tue, 21 Jun 2016 09:42:38 +0200 Subject: [PATCH] remove the huge test file, generate it on the fly instead --- ext/gd/tests/bug72339.gd | Bin 67108882 -> 0 bytes ext/gd/tests/bug72339.phpt | 24 +++++++++++++++++++++++- 2 files changed, 23 insertions(+), 1 deletion(-) delete mode 100644 ext/gd/tests/bug72339.gd diff --git a/ext/gd/tests/bug72339.phpt b/ext/gd/tests/bug72339.phpt index 763ae71..2c30ee8 100644 --- a/ext/gd/tests/bug72339.phpt +++ b/ext/gd/tests/bug72339.phpt @@ -3,7 +3,29 @@ Bug #72339 Integer Overflow in _gd2GetHeader() resulting in heap overflow --SKIPIF-- --FILE-- - + --EXPECTF-- Warning: imagecreatefromgd2(): gd warning: product of memory allocation multiplication would exceed INT_MAX, failing operation gracefully in %sbug72339.php on line %d