summaryrefslogtreecommitdiffstats
path: root/php-bug81739.patch
diff options
context:
space:
mode:
authorRemi Collet <remi@remirepo.net>2022-10-26 12:12:29 +0200
committerRemi Collet <remi@php.net>2022-10-26 12:12:29 +0200
commit8c834989bed43ad4ee8f82cc4704acfdb2adf774 (patch)
tree9317bd8f378bab011c5efe5063af2b86dbe83b03 /php-bug81739.patch
parent50cd071034ce4430352d4d9bdcd0fb2a5c666ef5 (diff)
add upstream fix for CVE-2022-31630 and CVE-2022-37454
Diffstat (limited to 'php-bug81739.patch')
-rw-r--r--php-bug81739.patch70
1 files changed, 70 insertions, 0 deletions
diff --git a/php-bug81739.patch b/php-bug81739.patch
new file mode 100644
index 0000000..f76e8c0
--- /dev/null
+++ b/php-bug81739.patch
@@ -0,0 +1,70 @@
+From d50532be91f054ef9beb1afca2ea94f4a70f7c4d Mon Sep 17 00:00:00 2001
+From: "Christoph M. Becker" <cmbecker69@gmx.de>
+Date: Tue, 18 Oct 2022 12:13:16 +0200
+Subject: [PATCH] Fix #81739: OOB read due to insufficient validation in
+ imageloadfont()
+
+If we swap the byte order of the relevant header bytes, we need to make
+sure again that the following multiplication does not overflow.
+---
+ ext/gd/gd.c | 7 +++++++
+ ext/gd/tests/bug81739.phpt | 24 ++++++++++++++++++++++++
+ 2 files changed, 31 insertions(+)
+ create mode 100644 ext/gd/tests/bug81739.phpt
+
+diff --git a/ext/gd/gd.c b/ext/gd/gd.c
+index 336a73969267..fde93bba496f 100644
+--- a/ext/gd/gd.c
++++ b/ext/gd/gd.c
+@@ -1485,6 +1485,12 @@ PHP_FUNCTION(imageloadfont)
+ font->w = FLIPWORD(font->w);
+ font->h = FLIPWORD(font->h);
+ font->nchars = FLIPWORD(font->nchars);
++ if (overflow2(font->nchars, font->h) || overflow2(font->nchars * font->h, font->w )) {
++ php_error_docref(NULL, E_WARNING, "Error reading font, invalid font header");
++ efree(font);
++ php_stream_close(stream);
++ RETURN_FALSE;
++ }
+ body_size = font->w * font->h * font->nchars;
+ }
+
+@@ -1495,6 +1501,7 @@ PHP_FUNCTION(imageloadfont)
+ RETURN_FALSE;
+ }
+
++ ZEND_ASSERT(body_size > 0);
+ font->data = emalloc(body_size);
+ b = 0;
+ while (b < body_size && (n = php_stream_read(stream, &font->data[b], body_size - b)) > 0) {
+diff --git a/ext/gd/tests/bug81739.phpt b/ext/gd/tests/bug81739.phpt
+new file mode 100644
+index 000000000000..cc2a90381bab
+--- /dev/null
++++ b/ext/gd/tests/bug81739.phpt
+@@ -0,0 +1,24 @@
++--TEST--
++Bug #81739 (OOB read due to insufficient validation in imageloadfont())
++--SKIPIF--
++<?php
++if (!extension_loaded("gd")) die("skip gd extension not available");
++?>
++--FILE--
++<?php
++$s = fopen(__DIR__ . "/font.font", "w");
++// header without character data
++fwrite($s, "\x01\x00\x00\x00\x20\x00\x00\x00\x08\x00\x00\x00\x08\x00\x00\x00");
++fclose($s);
++var_dump(imageloadfont(__DIR__ . "/font.font"));
++?>
++--CLEAN--
++<?php
++@unlink(__DIR__ . "/font.font");
++?>
++--EXPECTF--
++Warning: imageloadfont(): %croduct of memory allocation multiplication would exceed INT_MAX, failing operation gracefully
++ in %s on line %d
++
++Warning: imageloadfont(): Error reading font, invalid font header in %s on line %d
++bool(false)
+\ No newline at end of file