Diffstat (limited to 'bug72339.patch')
-rw-r--r--bug72339.patch127
1 files changed, 127 insertions, 0 deletions
diff --git a/bug72339.patch b/bug72339.patch
new file mode 100644
index 0000000..da385e8
--- /dev/null
+++ b/bug72339.patch
@@ -0,0 +1,127 @@
+Backported from 5.5.37 for 5.4 by Remi Collet
+
+
+From 7722455726bec8c53458a32851d2a87982cf0eac Mon Sep 17 00:00:00 2001
+From: Pierre Joye <pajoye@php.net>
+Date: Sat, 18 Jun 2016 20:15:10 +0200
+Subject: [PATCH] Fixed #72339 Integer Overflow in _gd2GetHeader() resulting in
+ heap overflow
+
+---
+ ext/gd/libgd/gd_gd2.c | 7 +++++++
+ ext/gd/tests/bug72339.gd | Bin 0 -> 67108882 bytes
+ ext/gd/tests/bug72339.phpt | 11 +++++++++++
+ 3 files changed, 18 insertions(+)
+ create mode 100644 ext/gd/tests/bug72339.gd
+ create mode 100644 ext/gd/tests/bug72339.phpt
+
+diff --git a/ext/gd/libgd/gd_gd2.c b/ext/gd/libgd/gd_gd2.c
+index 6726fee..63e3aef 100644
+--- a/ext/gd/libgd/gd_gd2.c
++++ b/ext/gd/libgd/gd_gd2.c
+@@ -138,11 +138,18 @@ static int _gd2GetHeader(gdIOCtxPtr in, int *sx, int *sy, int *cs, int *vers, in
+ if (gd2_compressed(*fmt)) {
+ nc = (*ncx) * (*ncy);
+ GD2_DBG(php_gd_error("Reading %d chunk index entries", nc));
++ if (overflow2(sidx, nc)) {
++ goto fail1;
++ }
+ sidx = sizeof(t_chunk_info) * nc;
+ if (sidx <= 0) {
+ goto fail1;
+ }
+ cidx = gdCalloc(sidx, 1);
++ if (cidx == NULL) {
++ goto fail1;
++ }
++
+ for (i = 0; i < nc; i++) {
+ if (gdGetInt(&cidx[i].offset, in) != 1) {
+ gdFree(cidx);
+diff --git a/ext/gd/tests/bug72339.phpt b/ext/gd/tests/bug72339.phpt
+new file mode 100644
+index 0000000..763ae71
+--- /dev/null
++++ b/ext/gd/tests/bug72339.phpt
+@@ -0,0 +1,11 @@
++--TEST--
++Bug #72339 Integer Overflow in _gd2GetHeader() resulting in heap overflow
++--SKIPIF--
++<?php if (!function_exists("imagecreatefromgd2")) print "skip"; ?>
++--FILE--
++<?php imagecreatefromgd2(dirname(__FILE__) . DIRECTORY_SEPARATOR . "bug72339.gd"); ?>
++--EXPECTF--
++Warning: imagecreatefromgd2(): gd warning: product of memory allocation multiplication would exceed INT_MAX, failing operation gracefully
++ in %sbug72339.php on line %d
++
++Warning: imagecreatefromgd2(): '%sbug72339.gd' is not a valid GD2 file in %sbug72339.php on line %d
+
+From 5f107ab8a66f8b36ac0c0b32e0231bf94e083c94 Mon Sep 17 00:00:00 2001
+From: Stanislav Malyshev <stas@php.net>
+Date: Mon, 20 Jun 2016 22:54:55 -0700
+Subject: [PATCH] fix tests
+
+---
+ ext/gd/libgd/gd_gd2.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/ext/gd/libgd/gd_gd2.c b/ext/gd/libgd/gd_gd2.c
+index 63e3aef..e954aaf 100644
+--- a/ext/gd/libgd/gd_gd2.c
++++ b/ext/gd/libgd/gd_gd2.c
+@@ -138,7 +138,7 @@ static int _gd2GetHeader(gdIOCtxPtr in, int *sx, int *sy, int *cs, int *vers, in
+ if (gd2_compressed(*fmt)) {
+ nc = (*ncx) * (*ncy);
+ GD2_DBG(php_gd_error("Reading %d chunk index entries", nc));
+- if (overflow2(sidx, nc)) {
++ if (overflow2(sizeof(t_chunk_info), nc)) {
+ goto fail1;
+ }
+ sidx = sizeof(t_chunk_info) * nc;
+
+From 0c7250f260303061425d0d8a348d1a80fa0cc12e Mon Sep 17 00:00:00 2001
+From: Anatol Belski <ab@php.net>
+Date: Tue, 21 Jun 2016 09:42:38 +0200
+Subject: [PATCH] remove the huge test file, generate it on the fly instead
+
+---
+ ext/gd/tests/bug72339.gd | Bin 67108882 -> 0 bytes
+ ext/gd/tests/bug72339.phpt | 24 +++++++++++++++++++++++-
+ 2 files changed, 23 insertions(+), 1 deletion(-)
+ delete mode 100644 ext/gd/tests/bug72339.gd
+
+diff --git a/ext/gd/tests/bug72339.phpt b/ext/gd/tests/bug72339.phpt
+index 763ae71..2c30ee8 100644
+--- a/ext/gd/tests/bug72339.phpt
++++ b/ext/gd/tests/bug72339.phpt
+@@ -3,7 +3,29 @@ Bug #72339 Integer Overflow in _gd2GetHeader() resulting in heap overflow
+ --SKIPIF--
+ <?php if (!function_exists("imagecreatefromgd2")) print "skip"; ?>
+ --FILE--
+-<?php imagecreatefromgd2(dirname(__FILE__) . DIRECTORY_SEPARATOR . "bug72339.gd"); ?>
++<?php
++$fname = dirname(__FILE__) . DIRECTORY_SEPARATOR . "bug72339.gd";
++
++$fh = fopen($fname, "w");
++fwrite($fh, "gd2\x00");
++fwrite($fh, pack("n", 2));
++fwrite($fh, pack("n", 1));
++fwrite($fh, pack("n", 1));
++fwrite($fh, pack("n", 0x40));
++fwrite($fh, pack("n", 2));
++fwrite($fh, pack("n", 0x5AA0)); // Chunks Wide
++fwrite($fh, pack("n", 0x5B00)); // Chunks Vertically
++fwrite($fh, str_repeat("\x41\x41\x41\x41", 0x1000000)); // overflow data
++fclose($fh);
++
++$im = imagecreatefromgd2($fname);
++
++if ($im) {
++ imagedestroy($im);
++}
++unlink($fname);
++
++?>
+ --EXPECTF--
+ Warning: imagecreatefromgd2(): gd warning: product of memory allocation multiplication would exceed INT_MAX, failing operation gracefully
+ in %sbug72339.php on line %d
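Review bot: In the backported `_gd2GetHeader()` change to ext/gd/libgd/gd_gd2.c, the added `overflow2(sizeof(t_chunk_info), nc)` guard runs only after `nc = (*ncx) * (*ncy);`, so the chunk-count product is still computed unchecked from two values read out of the file. If `nc`, `*ncx` and `*ncy` are plain `int` (inferred, since the signature is cut off in the hunk header), a large enough pair overflows a signed multiplication, which is undefined behaviour, and the new check then sees only the wrapped result. Validating the factors before the assignment, for example `if (*ncx <= 0 || *ncy <= 0 || overflow2(*ncx, *ncy)) { goto fail1; }`, would cover that case without depending on how the compiler handles the wraparound. The function body starts and ends outside the nested hunk, so confirm against the full file that nothing needs releasing before `fail1` at that point.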