1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
|
Backported for 5.4 from 5.5.35 by Remi Collet
Binary diff removed
From b15f0ecc0f34364fd7ce924b4164be4e8198ff93 Mon Sep 17 00:00:00 2001
From: Stanislav Malyshev <stas@php.net>
Date: Mon, 18 Apr 2016 22:20:22 -0700
Subject: [PATCH] Fix for bug #71912 (libgd: signedness vulnerability)
---
ext/gd/libgd/gd_gd2.c | 3 +++
ext/gd/tests/bug71912.phpt | 16 ++++++++++++++++
ext/gd/tests/invalid_neg_size.gd2 | Bin 0 -> 1676 bytes
3 files changed, 19 insertions(+)
create mode 100644 ext/gd/tests/bug71912.phpt
create mode 100644 ext/gd/tests/invalid_neg_size.gd2
diff --git a/ext/gd/libgd/gd_gd2.c b/ext/gd/libgd/gd_gd2.c
index efc6ef4..1794ca9 100644
--- a/ext/gd/libgd/gd_gd2.c
+++ b/ext/gd/libgd/gd_gd2.c
@@ -150,6 +150,9 @@ static int _gd2GetHeader(gdIOCtxPtr in, int *sx, int *sy, int *cs, int *vers, in
if (gdGetInt(&cidx[i].size, in) != 1) {
goto fail1;
}
+ if (cidx[i].offset < 0 || cidx[i].size < 0) {
+ goto fail1;
+ }
}
*chunkIdx = cidx;
}
From 61c7a06e7c19d9b408db1129efa0959a0acbf0b1 Mon Sep 17 00:00:00 2001
From: Stanislav Malyshev <stas@php.net>
Date: Tue, 26 Apr 2016 22:54:58 -0700
Subject: [PATCH] Fix memory leak
---
ext/gd/libgd/gd_gd2.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/ext/gd/libgd/gd_gd2.c b/ext/gd/libgd/gd_gd2.c
index 1794ca9..6726fee 100644
--- a/ext/gd/libgd/gd_gd2.c
+++ b/ext/gd/libgd/gd_gd2.c
@@ -145,12 +145,15 @@ static int _gd2GetHeader(gdIOCtxPtr in, int *sx, int *sy, int *cs, int *vers, in
cidx = gdCalloc(sidx, 1);
for (i = 0; i < nc; i++) {
if (gdGetInt(&cidx[i].offset, in) != 1) {
+ gdFree(cidx);
goto fail1;
}
if (gdGetInt(&cidx[i].size, in) != 1) {
+ gdFree(cidx);
goto fail1;
}
if (cidx[i].offset < 0 || cidx[i].size < 0) {
+ gdFree(cidx);
goto fail1;
}
}
|
