summaryrefslogtreecommitdiffstats
path: root/bug73868.patch
diff options
context:
space:
mode:
authorRemi Collet <remi@remirepo.net>2018-03-01 09:50:30 +0100
committerRemi Collet <remi@remirepo.net>2018-03-01 09:50:30 +0100
commit03cb94d7835b8548cd35966c0cf3e10e48808f87 (patch)
tree9dd556b7b0c66754ad6ea46395c10c997b1a91f5 /bug73868.patch
parentb9459ddfb28b45ec827d5d0e2e83ec7def175233 (diff)
fix #73549: Use after free when stream is passed to imagepng
fix #73868: Fix DOS vulnerability in gdImageCreateFromGd2Ctx() CVE-2016-10167 fix #73869: Signed Integer Overflow gd_io.c CVE-2016-10168 fix #74435: Buffer over-read into uninitialized memory CVE-2017-7890 fix #75571: Potential infinite loop in gdImageCreateFromGifCtx CVE-2018-5711 fix #75981: stack-buffer-overflow while parsing HTTP response
Diffstat (limited to 'bug73868.patch')
-rw-r--r--bug73868.patch47
1 files changed, 47 insertions, 0 deletions
diff --git a/bug73868.patch b/bug73868.patch
new file mode 100644
index 0000000..6df0a22
--- /dev/null
+++ b/bug73868.patch
@@ -0,0 +1,47 @@
+Fix for CVE-2017-10168
+Backported for 5.4 without test and binary patch
+
+
+From f1b2afc9d9e77edf41804f5dfc4e2069d8a12975 Mon Sep 17 00:00:00 2001
+From: "Christoph M. Becker" <cmbecker69@gmx.de>
+Date: Tue, 16 Aug 2016 18:23:36 +0200
+Subject: [PATCH] Fix #73868: DOS vulnerability in gdImageCreateFromGd2Ctx()
+
+We must not pretend that there are image data if there are none. Instead
+we fail reading the image file gracefully.
+
+(cherry picked from commit cdb648dc4115ce0722f3cc75e6a65115fc0e56ab)
+---
+ ext/gd/libgd/gd_gd2.c | 8 ++++++--
+ ext/gd/tests/bug73868.gd2 | Bin 0 -> 1050 bytes
+ ext/gd/tests/bug73868.phpt | 18 ++++++++++++++++++
+ 3 files changed, 24 insertions(+), 2 deletions(-)
+ create mode 100644 ext/gd/tests/bug73868.gd2
+ create mode 100644 ext/gd/tests/bug73868.phpt
+
+diff --git a/ext/gd/libgd/gd_gd2.c b/ext/gd/libgd/gd_gd2.c
+index d06f328..196b785 100644
+--- a/ext/gd/libgd/gd_gd2.c
++++ b/ext/gd/libgd/gd_gd2.c
+@@ -334,12 +334,16 @@ gdImagePtr gdImageCreateFromGd2Ctx (gdIOCtxPtr in)
+ for (x = xlo; x < xhi; x++) {
+ if (im->trueColor) {
+ if (!gdGetInt(&im->tpixels[y][x], in)) {
+- im->tpixels[y][x] = 0;
++ php_gd_error("gd2: EOF while reading\n");
++ gdImageDestroy(im);
++ return NULL;
+ }
+ } else {
+ int ch;
+ if (!gdGetByte(&ch, in)) {
+- ch = 0;
++ php_gd_error("gd2: EOF while reading\n");
++ gdImageDestroy(im);
++ return NULL;
+ }
+ im->pixels[y][x] = ch;
+ }
+--
+2.1.4
+