summaryrefslogtreecommitdiffstats
path: root/php-5.5.6-CVE-2013-7327.patch
blob: ded5f66f2289eaab0f6815c87341ac3d5107f0ef (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
From af09d8b96a8aacdd7d738fec81b695c1c58368f7 Mon Sep 17 00:00:00 2001
From: Remi Collet <remi@php.net>
Date: Wed, 5 Mar 2014 10:40:36 +0100
Subject: [PATCH] Fixed Bug #66815 imagecrop(): insufficient fix for NULL defer
 CVE-2013-7327

This amends commit 8f4a537, which aimed to correct NULL dereference because of
missing check of gdImageCreateTrueColor() / gdImageCreate() return value.  That
commit checks for negative crop rectangle width and height, but
gdImageCreate*() can also return NULL when width * height overflows.  Hence
NULL deref is still possible, as gdImageSaveAlpha() and gdImagePaletteCopy()
is called before dst == NULL check.

This moves NULL check to happen right after gdImageCreate*().  It also removes
width and height check before gdImageCreate*(), as the same check is done by
image create functions (with an extra warning).

From thoger redhat com
---
 ext/gd/libgd/gd_crop.c     | 14 ++++++--------
 ext/gd/tests/bug66356.phpt | 11 ++++++++++-
 2 files changed, 16 insertions(+), 9 deletions(-)

diff --git a/ext/gd/libgd/gd_crop.c b/ext/gd/libgd/gd_crop.c
index bba425d..84edb5d 100644
--- a/ext/gd/libgd/gd_crop.c
+++ b/ext/gd/libgd/gd_crop.c
@@ -45,22 +45,20 @@ gdImagePtr gdImageCrop(gdImagePtr src, const gdRectPtr crop)
 	gdImagePtr dst;
 	int y;
 
-	/* check size */
-	if (crop->width<=0 || crop->height<=0) {
-		return NULL;
-	}
-
 	/* allocate the requested size (could be only partially filled) */
 	if (src->trueColor) {
 		dst = gdImageCreateTrueColor(crop->width, crop->height);
+		if (dst == NULL) {
+			return NULL;
+		}
 		gdImageSaveAlpha(dst, 1);
 	} else {
 		dst = gdImageCreate(crop->width, crop->height);
+		if (dst == NULL) {
+			return NULL;
+		}
 		gdImagePaletteCopy(dst, src);
 	}
-	if (dst == NULL) {
-		return NULL;
-	}
 	dst->transparent = src->transparent;
 
 	/* check position in the src image */
diff --git a/ext/gd/tests/bug66356.phpt b/ext/gd/tests/bug66356.phpt
index 2da91d6..583d749 100644
--- a/ext/gd/tests/bug66356.phpt
+++ b/ext/gd/tests/bug66356.phpt
@@ -24,6 +24,8 @@ var_dump(imagecrop($img, array("x" => -20, "y" => -20, "width" => 10, "height" =
 // POC #4
 var_dump(imagecrop($img, array("x" => 0x7fffff00, "y" => 0, "width" => 10, "height" => 10)));
 
+// bug 66815
+var_dump(imagecrop($img, array("x" => 0, "y" => 0, "width" => 65535, "height" => 65535)));
 ?>
 --EXPECTF--
 resource(%d) of type (gd)
@@ -35,6 +37,13 @@ Array
     [width] => 10
     [height] => 10
 )
+
+Warning: imagecrop(): gd warning: one parameter to a memory allocation multiplication is negative or zero, failing operation gracefully
+ in %sbug66356.php on line %d
 bool(false)
 resource(%d) of type (gd)
-resource(%d) of type (gd)
\ No newline at end of file
+resource(%d) of type (gd)
+
+Warning: imagecrop(): gd warning: product of memory allocation multiplication would exceed INT_MAX, failing operation gracefully
+ in %sbug66356.php on line %d
+bool(false)
\ No newline at end of file
-- 
1.8.4.3