From 45396e0b548b5684022506133d06a721cd9cd6de Mon Sep 17 00:00:00 2001
From: Remi Collet
Date: Tue, 2 Sep 2014 18:24:41 +0200
Subject: php55-php: import from rhscl 1.1
---
 php-5.5.6-CVE-2013-7327.patch | 89 +++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 89 insertions(+)
 create mode 100644 php-5.5.6-CVE-2013-7327.patch
(limited to 'php-5.5.6-CVE-2013-7327.patch')
diff --git a/php-5.5.6-CVE-2013-7327.patch b/php-5.5.6-CVE-2013-7327.patch
new file mode 100644
index 0000000..ded5f66
--- /dev/null
+++ b/php-5.5.6-CVE-2013-7327.patch
@@ -0,0 +1,89 @@
+From af09d8b96a8aacdd7d738fec81b695c1c58368f7 Mon Sep 17 00:00:00 2001
+From: Remi Collet
+Date: Wed, 5 Mar 2014 10:40:36 +0100
+Subject: [PATCH] Fixed Bug #66815 imagecrop(): insufficient fix for NULL defer
+ CVE-2013-7327
+
+This amends commit 8f4a537, which aimed to correct NULL dereference because of
+missing check of gdImageCreateTrueColor() / gdImageCreate() return value. That
+commit checks for negative crop rectangle width and height, but
+gdImageCreate*() can also return NULL when width * height overflows. Hence
+NULL deref is still possible, as gdImageSaveAlpha() and gdImagePaletteCopy()
+is called before dst == NULL check.
+
+This moves NULL check to happen right after gdImageCreate*(). It also removes
+width and height check before gdImageCreate*(), as the same check is done by
+image create functions (with an extra warning).
+
+From thoger redhat com
+---
+ ext/gd/libgd/gd_crop.c | 14 ++++++--------
+ ext/gd/tests/bug66356.phpt | 11 ++++++++++-
+ 2 files changed, 16 insertions(+), 9 deletions(-)
+
+diff --git a/ext/gd/libgd/gd_crop.c b/ext/gd/libgd/gd_crop.c
+index bba425d..84edb5d 100644
+--- a/ext/gd/libgd/gd_crop.c
++++ b/ext/gd/libgd/gd_crop.c
+@@ -45,22 +45,20 @@ gdImagePtr gdImageCrop(gdImagePtr src, const gdRectPtr crop)
+ gdImagePtr dst;
+ int y;
+
+- /* check size */
+- if (crop->width<=0 || crop->height<=0) {
+- return NULL;
+- }
+-
+ /* allocate the requested size (could be only partially filled) */
+ if (src->trueColor) {
+ dst = gdImageCreateTrueColor(crop->width, crop->height);
++ if (dst == NULL) {
++ return NULL;
++ }
+ gdImageSaveAlpha(dst, 1);
+ } else {
+ dst = gdImageCreate(crop->width, crop->height);
++ if (dst == NULL) {
++ return NULL;
++ }
+ gdImagePaletteCopy(dst, src);
+ }
+- if (dst == NULL) {
+- return NULL;
+- }
+ dst->transparent = src->transparent;
+
+ /* check position in the src image */
+diff --git a/ext/gd/tests/bug66356.phpt b/ext/gd/tests/bug66356.phpt
+index 2da91d6..583d749 100644
+--- a/ext/gd/tests/bug66356.phpt
++++ b/ext/gd/tests/bug66356.phpt
+@@ -24,6 +24,8 @@ var_dump(imagecrop($img, array("x" => -20, "y" => -20, "width" => 10, "height" =
+ // POC #4
+ var_dump(imagecrop($img, array("x" => 0x7fffff00, "y" => 0, "width" => 10, "height" => 10)));
+
++// bug 66815
++var_dump(imagecrop($img, array("x" => 0, "y" => 0, "width" => 65535, "height" => 65535)));
+ ?>
+ --EXPECTF--
+ resource(%d) of type (gd)
+@@ -35,6 +37,13 @@ Array
+ [width] => 10
+ [height] => 10
+ )
++
++Warning: imagecrop(): gd warning: one parameter to a memory allocation multiplication is negative or zero, failing operation gracefully
++ in %sbug66356.php on line %d
+ bool(false)
+ resource(%d) of type (gd)
+-resource(%d) of type (gd)
+\ No newline at end of file
++resource(%d) of type (gd)
++
++Warning: imagecrop(): gd warning: product of memory allocation multiplication would exceed INT_MAX, failing operation gracefully
++ in %sbug66356.php on line %d
++bool(false)
+\ No newline at end of file
+--
+1.8.4.3
+
-- cgit
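Review bot: The two new `if (dst == NULL)` checks in gdImageCrop() are now the only size validation the function performs, because the `crop->width<=0 || crop->height<=0` guard is removed in the same hunk, and nothing in gd_crop.c itself tells a reader that the zero/negative and width*height-overflow cases are rejected inside gdImageCreateTrueColor()/gdImageCreate(). The commit message and the updated bug66356.phpt expectations establish that contract, but the code does not. I would add one comment above each check, e.g. `/* NULL on width/height <= 0 or on width*height overflow; see gdImageCreate*() */`, so a later change to the create functions' validation is recognised as affecting this caller. gdImageCrop() continues past the end of the hunk.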