authorRemi Collet <remi@remirepo.net>2018-03-01 09:50:30 +0100
committerRemi Collet <remi@remirepo.net>2018-03-01 09:50:30 +0100
commit03cb94d7835b8548cd35966c0cf3e10e48808f87 (patch)
tree9dd556b7b0c66754ad6ea46395c10c997b1a91f5
parentb9459ddfb28b45ec827d5d0e2e83ec7def175233 (diff)
fix #73549: Use after free when stream is passed to imagepng
fix #73868: Fix DOS vulnerability in gdImageCreateFromGd2Ctx() CVE-2016-10167 fix #73869: Signed Integer Overflow gd_io.c CVE-2016-10168 fix #74435: Buffer over-read into uninitialized memory CVE-2017-7890 fix #75571: Potential infinite loop in gdImageCreateFromGifCtx CVE-2018-5711 fix #75981: stack-buffer-overflow while parsing HTTP response
-rw-r--r--.gitignore9
-rw-r--r--bug73549.patch95
-rw-r--r--bug73868.patch47
-rw-r--r--bug73869.patch45
-rw-r--r--bug74435.patch35
-rw-r--r--bug75571.patch58
-rw-r--r--bug75981.patch68
-rw-r--r--php-5.4.34-systzdata-v11.patch3
-rw-r--r--php.spec28
9 files changed, 386 insertions, 2 deletions
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..6f69818
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,9 @@
+clog
+package-*.xml
+*.tgz
+*.tar.gz
+*.tar.bz2
+*.tar.xz
+*.tar.xz.asc
+*.src.rpm
+*/*rpm
diff --git a/bug73549.patch b/bug73549.patch
new file mode 100644
index 0000000..5c39852
--- /dev/null
+++ b/bug73549.patch
@@ -0,0 +1,95 @@
+From 5049ef2f1c496c4964cd147e185c1f765ab0347b Mon Sep 17 00:00:00 2001
+From: "Christoph M. Becker" <cmbecker69@gmx.de>
+Date: Thu, 17 Nov 2016 13:44:30 +0100
+Subject: [PATCH] Fix #73549: Use after free when stream is passed to imagepng
+
+If a stream is passed to imagepng() or other image output functions,
+opposed to a filename, we must not close this stream.
+---
+ NEWS | 3 +++
+ ext/gd/gd_ctx.c | 18 +++++++++++++++++-
+ ext/gd/tests/bug73549.phpt | 22 ++++++++++++++++++++++
+ 3 files changed, 42 insertions(+), 1 deletion(-)
+ create mode 100644 ext/gd/tests/bug73549.phpt
+
+diff --git a/ext/gd/gd_ctx.c b/ext/gd/gd_ctx.c
+index 34a9a00..acb96e1 100644
+--- a/ext/gd/gd_ctx.c
++++ b/ext/gd/gd_ctx.c
+@@ -62,6 +62,16 @@ static int _php_image_stream_putbuf(struct gdIOCtx *ctx, const void* buf, int l)
+
+ static void _php_image_stream_ctxfree(struct gdIOCtx *ctx)
+ {
++ if(ctx->data) {
++ ctx->data = NULL;
++ }
++ if(ctx) {
++ efree(ctx);
++ }
++} /* }}} */
++
++static void _php_image_stream_ctxfreeandclose(struct gdIOCtx *ctx) /* {{{ */
++{
+ TSRMLS_FETCH();
+
+ if(ctx->data) {
+@@ -87,6 +97,7 @@ static void _php_image_output_ctx(INTERNAL_FUNCTION_PARAMETERS, int image_type,
+ gdIOCtx *ctx = NULL;
+ zval *to_zval = NULL;
+ php_stream *stream;
++ int close_stream = 1;
+
+ /* The third (quality) parameter for Wbmp stands for the threshold when called from image2wbmp().
+ * The third (quality) parameter for Wbmp and Xbm stands for the foreground color index when called
+@@ -123,6 +134,7 @@ static void _php_image_output_ctx(INTERNAL_FUNCTION_PARAMETERS, int image_type,
+ if (stream == NULL) {
+ RETURN_FALSE;
+ }
++ close_stream = 0;
+ } else if (Z_TYPE_P(to_zval) == IS_STRING) {
+ if (CHECK_ZVAL_NULL_PATH(to_zval)) {
+ php_error_docref(NULL TSRMLS_CC, E_WARNING, "Invalid 2nd parameter, filename must not contain null bytes");
+@@ -159,7 +171,11 @@ static void _php_image_output_ctx(INTERNAL_FUNCTION_PARAMETERS, int image_type,
+ ctx = emalloc(sizeof(gdIOCtx));
+ ctx->putC = _php_image_stream_putc;
+ ctx->putBuf = _php_image_stream_putbuf;
+- ctx->gd_free = _php_image_stream_ctxfree;
++ if (close_stream) {
++ ctx->gd_free = _php_image_stream_ctxfreeandclose;
++ } else {
++ ctx->gd_free = _php_image_stream_ctxfree;
++ }
+ ctx->data = (void *)stream;
+ }
+
+diff --git a/ext/gd/tests/bug73549.phpt b/ext/gd/tests/bug73549.phpt
+new file mode 100644
+index 0000000..e0cc6cf
+--- /dev/null
++++ b/ext/gd/tests/bug73549.phpt
+@@ -0,0 +1,22 @@
++--TEST--
++Bug #73549 (Use after free when stream is passed to imagepng)
++--SKIPIF--
++<?php
++if (!extension_loaded('gd')) die('skip gd extension not available');
++?>
++--FILE--
++<?php
++$stream = fopen(__DIR__ . DIRECTORY_SEPARATOR . 'bug73549.png', 'w');
++$im = imagecreatetruecolor(8, 8);
++var_dump(imagepng($im, $stream));
++var_dump($stream);
++?>
++===DONE===
++--EXPECTF--
++bool(true)
++resource(%d) of type (stream)
++===DONE===
++--CLEAN--
++<?php
++unlink(__DIR__ . DIRECTORY_SEPARATOR . 'bug73549.png');
++?>
+--
+2.1.4
+
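Review bot: In the new `_php_image_stream_ctxfree` body, `ctx->data` is dereferenced on the first line and `ctx` is tested for NULL only afterwards, so the `if(ctx)` guard around `efree(ctx)` either is dead code or comes too late to help. The pre-existing body that becomes `_php_image_stream_ctxfreeandclose` also dereferences `ctx` unconditionally, which suggests NULL is not a real case here and the guard can go: `ctx->data = NULL;` followed by `efree(ctx);`. A one-line comment such as `/* bug #73549: the stream belongs to the caller; detach it, never close it */` would record why this variant exists next to the closing one. The remainder of `_php_image_stream_ctxfreeandclose` lies outside the hunk.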
diff --git a/bug73868.patch b/bug73868.patch
new file mode 100644
index 0000000..6df0a22
--- /dev/null
+++ b/bug73868.patch
@@ -0,0 +1,47 @@
+Fix for CVE-2017-10168
+Backported for 5.4 without test and binary patch
+
+
+From f1b2afc9d9e77edf41804f5dfc4e2069d8a12975 Mon Sep 17 00:00:00 2001
+From: "Christoph M. Becker" <cmbecker69@gmx.de>
+Date: Tue, 16 Aug 2016 18:23:36 +0200
+Subject: [PATCH] Fix #73868: DOS vulnerability in gdImageCreateFromGd2Ctx()
+
+We must not pretend that there are image data if there are none. Instead
+we fail reading the image file gracefully.
+
+(cherry picked from commit cdb648dc4115ce0722f3cc75e6a65115fc0e56ab)
+---
+ ext/gd/libgd/gd_gd2.c | 8 ++++++--
+ ext/gd/tests/bug73868.gd2 | Bin 0 -> 1050 bytes
+ ext/gd/tests/bug73868.phpt | 18 ++++++++++++++++++
+ 3 files changed, 24 insertions(+), 2 deletions(-)
+ create mode 100644 ext/gd/tests/bug73868.gd2
+ create mode 100644 ext/gd/tests/bug73868.phpt
+
+diff --git a/ext/gd/libgd/gd_gd2.c b/ext/gd/libgd/gd_gd2.c
+index d06f328..196b785 100644
+--- a/ext/gd/libgd/gd_gd2.c
++++ b/ext/gd/libgd/gd_gd2.c
+@@ -334,12 +334,16 @@ gdImagePtr gdImageCreateFromGd2Ctx (gdIOCtxPtr in)
+ for (x = xlo; x < xhi; x++) {
+ if (im->trueColor) {
+ if (!gdGetInt(&im->tpixels[y][x], in)) {
+- im->tpixels[y][x] = 0;
++ php_gd_error("gd2: EOF while reading\n");
++ gdImageDestroy(im);
++ return NULL;
+ }
+ } else {
+ int ch;
+ if (!gdGetByte(&ch, in)) {
+- ch = 0;
++ php_gd_error("gd2: EOF while reading\n");
++ gdImageDestroy(im);
++ return NULL;
+ }
+ im->pixels[y][x] = ch;
+ }
+--
+2.1.4
+
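Review bot: The first line of bug73868.patch, `Fix for CVE-2017-10168`, does not match the identifier this commit records for bug #73868 in the php.spec changelog, which is CVE-2016-10167; bug73869.patch carries the same `Fix for CVE-2017-10168` line while the changelog lists CVE-2016-10168 for bug #73869. Anyone auditing the package by reading patch headers for CVE ids would mis-attribute both fixes, so the two headers should read `Fix for CVE-2016-10167` and `Fix for CVE-2016-10168` respectively. The code change itself, failing the read with `gdImageDestroy(im); return NULL;` instead of zero-filling on EOF, is applied consistently in both the truecolor and palette branches of the loop, whose enclosing function continues outside the hunk.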
diff --git a/bug73869.patch b/bug73869.patch
new file mode 100644
index 0000000..6e5b08e
--- /dev/null
+++ b/bug73869.patch
@@ -0,0 +1,45 @@
+Fix for CVE-2017-10168
+Backported for 5.4 without test and binary patch
+
+
+From d2274b01cbbadf5516b3ea87ad76fbae18834007 Mon Sep 17 00:00:00 2001
+From: "Christoph M. Becker" <cmbecker69@gmx.de>
+Date: Sat, 17 Dec 2016 17:06:58 +0100
+Subject: [PATCH] Fix #73869: Signed Integer Overflow gd_io.c
+
+GD2 stores the number of horizontal and vertical chunks as words (i.e. 2
+byte unsigned). These values are multiplied and assigned to an int when
+reading the image, what can cause integer overflows. We have to avoid
+that, and also make sure that either chunk count is actually greater
+than zero. If illegal chunk counts are detected, we bail out from
+reading the image.
+
+(cherry picked from commit 5b5d9db3988b829e0b121b74bb3947f01c2796a1)
+---
+ ext/gd/libgd/gd_gd2.c | 4 ++++
+ ext/gd/tests/bug73869.phpt | 19 +++++++++++++++++++
+ ext/gd/tests/bug73869a.gd2 | Bin 0 -> 92 bytes
+ ext/gd/tests/bug73869b.gd2 | Bin 0 -> 18 bytes
+ 4 files changed, 23 insertions(+)
+ create mode 100644 ext/gd/tests/bug73869.phpt
+ create mode 100644 ext/gd/tests/bug73869a.gd2
+ create mode 100644 ext/gd/tests/bug73869b.gd2
+
+diff --git a/ext/gd/libgd/gd_gd2.c b/ext/gd/libgd/gd_gd2.c
+index 196b785..3eba6b3 100644
+--- a/ext/gd/libgd/gd_gd2.c
++++ b/ext/gd/libgd/gd_gd2.c
+@@ -136,6 +136,10 @@ static int _gd2GetHeader(gdIOCtxPtr in, int *sx, int *sy, int *cs, int *vers, in
+ GD2_DBG(php_gd_error("%d Chunks vertically", *ncy));
+
+ if (gd2_compressed(*fmt)) {
++ if (*ncx <= 0 || *ncy <= 0 || *ncx > INT_MAX / *ncy) {
++ GD2_DBG(printf ("Illegal chunk counts: %d * %d\n", *ncx, *ncy));
++ goto fail1;
++ }
+ nc = (*ncx) * (*ncy);
+ GD2_DBG(php_gd_error("Reading %d chunk index entries", nc));
+ if (overflow2(sizeof(t_chunk_info), nc)) {
+--
+2.1.4
+
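Review bot: The new debug line `GD2_DBG(printf ("Illegal chunk counts: %d * %d\n", *ncx, *ncy));` writes through printf where the neighbouring lines of `_gd2GetHeader` route debug output through `php_gd_error` without a trailing newline; for consistency it should be `GD2_DBG(php_gd_error("Illegal chunk counts: %d * %d", *ncx, *ncy));`. The guard also depends on `INT_MAX`, so gd_gd2.c needs `<limits.h>` if it is not already included (the include list is outside the hunk). The `fail1` label the new branch jumps to and the rest of `_gd2GetHeader` are likewise outside the hunk.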
diff --git a/bug74435.patch b/bug74435.patch
new file mode 100644
index 0000000..968078c
--- /dev/null
+++ b/bug74435.patch
@@ -0,0 +1,35 @@
+Adapted for 5.4.13
+With test removed (binary patch not handled)
+
+From 018092125538782b25d3ab6b036f0c8d5968f757 Mon Sep 17 00:00:00 2001
+From: "Christoph M. Becker" <cmbecker69@gmx.de>
+Date: Tue, 20 Jun 2017 16:45:42 +0200
+Subject: [PATCH] Fix #74435: Buffer over-read into uninitialized memory
+
+The stack allocated color map buffers were not zeroed before usage, and
+so undefined palette indexes could cause information leakage.
+---
+ ext/gd/libgd/gd_gif_in.c | 3 +++
+ ext/gd/tests/bug74435.gif | Bin 0 -> 11464 bytes
+ ext/gd/tests/bug74435.phpt | 27 +++++++++++++++++++++++++++
+ 3 files changed, 30 insertions(+)
+ create mode 100644 ext/gd/tests/bug74435.gif
+ create mode 100644 ext/gd/tests/bug74435.phpt
+
+diff --git a/ext/gd/libgd/gd_gif_in.c b/ext/gd/libgd/gd_gif_in.c
+index 74b7493..76ba152 100644
+--- a/ext/gd/libgd/gd_gif_in.c
++++ b/ext/gd/libgd/gd_gif_in.c
+@@ -147,6 +147,9 @@ gdImagePtr gdImageCreateFromGifCtx(gdIOCtxPtr fd) /* {{{ */
+ int haveGlobalColormap;
+ gdImagePtr im = 0;
+
++ memset(ColorMap, 0, 3 * MAXCOLORMAPSIZE);
++ memset(localColorMap, 0, 3 * MAXCOLORMAPSIZE);
++
+ /*1.4//imageNumber = 1; */
+ if (! ReadOK(fd,buf,6)) {
+ return 0;
+--
+2.1.4
+
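Review bot: The two new `memset` calls size the zeroing as `3 * MAXCOLORMAPSIZE`, repeating the array dimensions by hand instead of deriving them from the declarations, which sit above the hunk and are not visible here. If `ColorMap` and `localColorMap` are plain arrays in this scope, as the patch description's "stack allocated color map buffers" suggests, `memset(ColorMap, 0, sizeof ColorMap);` and `memset(localColorMap, 0, sizeof localColorMap);` cannot drift from the declared size. A comment such as `/* bug #74435: undefined palette indexes must read zeros, not stale stack bytes */` would also record why the zeroing exists. The enclosing `gdImageCreateFromGifCtx` continues outside the hunk.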
diff --git a/bug75571.patch b/bug75571.patch
new file mode 100644
index 0000000..d35ca3a
--- /dev/null
+++ b/bug75571.patch
@@ -0,0 +1,58 @@
+Backported for 5.4 without test and binary patch
+
+From 8d6e9588671136837533fe3785657c31c5b52767 Mon Sep 17 00:00:00 2001
+From: "Christoph M. Becker" <cmbecker69@gmx.de>
+Date: Wed, 29 Nov 2017 18:52:33 +0100
+Subject: [PATCH] Fixed bug #75571: Potential infinite loop in
+ gdImageCreateFromGifCtx
+
+Due to a signedness confusion in `GetCode_` a corrupt GIF file can
+trigger an infinite loop. Furthermore we make sure that a GIF without
+any palette entries is treated as invalid *after* open palette entries
+have been removed.
+---
+ ext/gd/libgd/gd_gif_in.c | 10 +++++-----
+ ext/gd/tests/bug75571.gif | Bin 0 -> 1731 bytes
+ ext/gd/tests/bug75571.phpt | 15 +++++++++++++++
+ 3 files changed, 20 insertions(+), 5 deletions(-)
+ create mode 100644 ext/gd/tests/bug75571.gif
+ create mode 100644 ext/gd/tests/bug75571.phpt
+
+diff --git a/ext/gd/libgd/gd_gif_in.c b/ext/gd/libgd/gd_gif_in.c
+index e0f0fe3..16776d3 100644
+--- a/ext/gd/libgd/gd_gif_in.c
++++ b/ext/gd/libgd/gd_gif_in.c
+@@ -261,10 +261,6 @@ terminated:
+ if (!im) {
+ return 0;
+ }
+- if (!im->colorsTotal) {
+- gdImageDestroy(im);
+- return 0;
+- }
+ /* Check for open colors at the end, so
+ we can reduce colorsTotal and ultimately
+ BitsPerPixel */
+@@ -275,6 +271,10 @@ terminated:
+ break;
+ }
+ }
++ if (!im->colorsTotal) {
++ gdImageDestroy(im);
++ return 0;
++ }
+ return im;
+ }
+ /* }}} */
+@@ -375,7 +375,7 @@ static int
+ GetCode_(gdIOCtx *fd, CODE_STATIC_DATA *scd, int code_size, int flag, int *ZeroDataBlockP)
+ {
+ int i, j, ret;
+- unsigned char count;
++ int count;
+
+ if (flag) {
+ scd->curbit = 0;
+--
+2.1.4
+
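Review bot: The change of `count` from `unsigned char` to `int` in `GetCode_` carries no comment, and the code that assigns and tests `count` lies below the hunk, so a reader of gd_gif_in.c has only the declaration to go on. A comment at the declaration, e.g. `int count; /* signed on purpose (bug #75571): a negative value must not wrap to a large positive count */`, would keep the patch description's rationale in the source; the exact failure mode presumably involves the data-block read that follows, which cannot be confirmed from this hunk. The relocated `!im->colorsTotal` check deserves a similar line, such as `/* checked after the open-colour scan so an all-open palette is rejected */`, since nothing in the code now explains why it must run after the loop.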
diff --git a/bug75981.patch b/bug75981.patch
new file mode 100644
index 0000000..27af03b
--- /dev/null
+++ b/bug75981.patch
@@ -0,0 +1,68 @@
+From 523f230c831d7b33353203fa34aee4e92ac12bba Mon Sep 17 00:00:00 2001
+From: Stanislav Malyshev <stas@php.net>
+Date: Tue, 20 Feb 2018 15:34:43 -0800
+Subject: [PATCH] Fix bug #75981: prevent reading beyond buffer start
+
+---
+ ext/standard/http_fopen_wrapper.c | 4 ++--
+ ext/standard/tests/http/bug75981.phpt | 32 ++++++++++++++++++++++++++++++++
+ 2 files changed, 34 insertions(+), 2 deletions(-)
+ create mode 100644 ext/standard/tests/http/bug75981.phpt
+
+diff --git a/ext/standard/http_fopen_wrapper.c b/ext/standard/http_fopen_wrapper.c
+index ed6adc0..78bd935 100644
+--- a/ext/standard/http_fopen_wrapper.c
++++ b/ext/standard/http_fopen_wrapper.c
+@@ -737,9 +737,9 @@ finish:
+ tmp_line, response_code);
+ }
+ }
+- if (tmp_line[tmp_line_len - 1] == '\n') {
++ if (tmp_line_len >= 1 && tmp_line[tmp_line_len - 1] == '\n') {
+ --tmp_line_len;
+- if (tmp_line[tmp_line_len - 1] == '\r') {
++ if (tmp_line_len >= 1 &&tmp_line[tmp_line_len - 1] == '\r') {
+ --tmp_line_len;
+ }
+ }
+diff --git a/ext/standard/tests/http/bug75981.phpt b/ext/standard/tests/http/bug75981.phpt
+new file mode 100644
+index 0000000..d415de6
+--- /dev/null
++++ b/ext/standard/tests/http/bug75981.phpt
+@@ -0,0 +1,32 @@
++--TEST--
++Bug #75981 (stack-buffer-overflow while parsing HTTP response)
++--INI--
++allow_url_fopen=1
++--SKIPIF--
++<?php require 'server.inc'; http_server_skipif('tcp://127.0.0.1:12342'); ?>
++--FILE--
++<?php
++require 'server.inc';
++
++$options = [
++ 'http' => [
++ 'protocol_version' => '1.1',
++ 'header' => 'Connection: Close'
++ ],
++];
++
++$ctx = stream_context_create($options);
++
++$responses = [
++ "data://text/plain,000000000100\xA\xA"
++];
++$pid = http_server('tcp://127.0.0.1:12342', $responses);
++
++echo @file_get_contents('http://127.0.0.1:12342/', false, $ctx);
++
++http_server_kill($pid);
++
++?>
++DONE
++--EXPECT--
++DONE
+--
+2.1.4
+
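Review bot: The second new guard is written `if (tmp_line_len >= 1 &&tmp_line[tmp_line_len - 1] == '\r') {` with no space after `&&`, unlike the parallel line two above it; it should read `if (tmp_line_len >= 1 && tmp_line[tmp_line_len - 1] == '\r') {`. Both guards close the under-read correctly: after the first `--tmp_line_len` the length can be 0, and the second check now covers that before indexing. The enclosing function is outside the hunk, so the declared type of `tmp_line_len` cannot be confirmed here, though `>= 1` reads correctly whether it is signed or unsigned.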
diff --git a/php-5.4.34-systzdata-v11.patch b/php-5.4.34-systzdata-v11.patch
index bfca49b..a12320c 100644
--- a/php-5.4.34-systzdata-v11.patch
+++ b/php-5.4.34-systzdata-v11.patch
@@ -1,3 +1,6 @@
+# License: MIT
+# http://opensource.org/licenses/MIT
+
Add support for use of the system timezone database, rather
than embedding a copy. Discussed upstream but was not desired.
diff --git a/php.spec b/php.spec
index b32962f..81f8257 100644
--- a/php.spec
+++ b/php.spec
@@ -119,7 +119,7 @@
Summary: PHP scripting language for creating dynamic web sites
Name: %{?scl_prefix}php
Version: 5.4.45
-Release: 13%{?dist}
+Release: 14%{?dist}
# All files licensed under PHP version 3.01, except
# Zend is licensed under Zend
# TSRM is licensed under BSD
@@ -245,6 +245,12 @@ Patch261: bug73737.patch
Patch262: bug73764.patch
Patch263: bug73768.patch
Patch264: bug73773.patch
+Patch265: bug73549.patch
+Patch266: bug73868.patch
+Patch267: bug73869.patch
+Patch268: bug74435.patch
+Patch269: bug75571.patch
+Patch270: bug75981.patch
# Fixes for tests (300+)
# Backported from 5.5
@@ -947,6 +953,12 @@ support for using the enchant library to PHP.
%patch262 -p1 -b .bug73764
%patch263 -p1 -b .bug73768
%patch264 -p1 -b .bug73773
+%patch265 -p1 -b .bug73549
+%patch266 -p1 -b .bug73868
+%patch267 -p1 -b .bug73869
+%patch268 -p1 -b .bug74435
+%patch269 -p1 -b .bug75571
+%patch270 -p1 -b .bug75981
: ------------------------
#exit 1
@@ -1616,7 +1628,7 @@ cat << EOF
backported from 5.5 or 5.6,
The UPGRADE to a maintained version is very strongly RECOMMENDED.
-%if %{?fedora}%{!?fedora:99} < 24
+%if %{?fedora}%{!?fedora:99} < 26
WARNING : Fedora %{fedora} is now EOL :
You should consider upgrading to a supported release
%endif
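Review bot: The Fedora EOL threshold in the post-install notice is raised from 24 to 26 in this hunk, but the 5.4.45-14 changelog entry added in the last hunk of php.spec lists only the six bug fixes and does not mention it. A line such as `- raise Fedora EOL warning threshold to 26` in that entry would keep the spec's history complete.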
@@ -1784,6 +1796,18 @@ EOF
%changelog
+* Thu Mar 1 2018 Remi Collet <remi@remirepo.net> - 5.4.45-14
+- fix #73549: Use after free when stream is passed to imagepng
+- fix #73868: Fix DOS vulnerability in gdImageCreateFromGd2Ctx()
+ CVE-2016-10167
+- fix #73869: Signed Integer Overflow gd_io.c
+ CVE-2016-10168
+- fix #74435: Buffer over-read into uninitialized memory
+ CVE-2017-7890
+- fix #75571: Potential infinite loop in gdImageCreateFromGifCtx
+ CVE-2018-5711
+- fix #75981: stack-buffer-overflow while parsing HTTP response
+
* Sat Feb 18 2017 Remi Collet <remi@remirepo.net> - 5.4.45-13
- fix #73737: FPE when parsing a tag format
CVE-2016-10158