Blame SOURCES/php-5.4.16-CVE-2014-5120.patch
|
 |
b77848 |
From 1daa4c0090b7cd8178dcaa96287234c69ac6ca18 Mon Sep 17 00:00:00 2001
|
|
|
b77848 |
From: Stanislav Malyshev <stas@php.net>
|
|
|
b77848 |
Date: Mon, 18 Aug 2014 22:49:10 -0700
|
|
|
b77848 |
Subject: [PATCH] Fix bug #67730 - Null byte injection possible with imagexxx
|
|
|
b77848 |
functions
|
|
|
b77848 |
|
|
|
b77848 |
---
|
|
|
b77848 |
ext/gd/gd_ctx.c | 5 +++++
|
|
|
b77848 |
1 file changed, 5 insertions(+)
|
|
|
b77848 |
|
|
|
b77848 |
diff --git a/ext/gd/gd_ctx.c b/ext/gd/gd_ctx.c
|
|
|
b77848 |
index 59eff80..253b664 100644
|
|
|
b77848 |
--- a/ext/gd/gd_ctx.c
|
|
|
b77848 |
+++ b/ext/gd/gd_ctx.c
|
|
|
b77848 |
@@ -124,6 +124,11 @@ static void _php_image_output_ctx(INTERNAL_FUNCTION_PARAMETERS, int image_type,
|
|
|
b77848 |
RETURN_FALSE;
|
|
|
b77848 |
}
|
|
|
b77848 |
} else if (Z_TYPE_P(to_zval) == IS_STRING) {
|
|
|
b77848 |
+ if (CHECK_ZVAL_NULL_PATH(to_zval)) {
|
|
|
b77848 |
+ php_error_docref(NULL TSRMLS_CC, E_WARNING, "Invalid 2nd parameter, filename must not contain null bytes");
|
|
|
b77848 |
+ RETURN_FALSE;
|
|
|
b77848 |
+ }
|
|
|
b77848 |
+
|
|
|
b77848 |
stream = php_stream_open_wrapper(Z_STRVAL_P(to_zval), "wb", REPORT_ERRORS|IGNORE_PATH|IGNORE_URL_WIN, NULL);
|
|
|
b77848 |
if (stream == NULL) {
|
|
|
b77848 |
RETURN_FALSE;
|
|
|
b77848 |
--
|
|
|
b77848 |
1.9.2
|
|
|
b77848 |
|