Fix for CVE-2017-10168

Backported for 5.4 without test and binary patch

From f1b2afc9d9e77edf41804f5dfc4e2069d8a12975 Mon Sep 17 00:00:00 2001

From: "Christoph M. Becker" <cmbecker69@gmx.de>

Date: Tue, 16 Aug 2016 18:23:36 +0200

Subject: [PATCH] Fix #73868: DOS vulnerability in gdImageCreateFromGd2Ctx()

We must not pretend that there are image data if there are none. Instead

we fail reading the image file gracefully.

(cherry picked from commit cdb648dc4115ce0722f3cc75e6a65115fc0e56ab)

---

 ext/gd/libgd/gd_gd2.c      |   8 ++++++--

 ext/gd/tests/bug73868.gd2  | Bin 0 -> 1050 bytes

 ext/gd/tests/bug73868.phpt |  18 ++++++++++++++++++

 3 files changed, 24 insertions(+), 2 deletions(-)

 create mode 100644 ext/gd/tests/bug73868.gd2

 create mode 100644 ext/gd/tests/bug73868.phpt

diff --git a/ext/gd/libgd/gd_gd2.c b/ext/gd/libgd/gd_gd2.c

index d06f328..196b785 100644

--- a/ext/gd/libgd/gd_gd2.c

+++ b/ext/gd/libgd/gd_gd2.c

@@ -334,12 +334,16 @@ gdImagePtr gdImageCreateFromGd2Ctx (gdIOCtxPtr in)

 					for (x = xlo; x < xhi; x++) {

 						if (im->trueColor) {

 							if (!gdGetInt(&im->tpixels[y][x], in)) {

-								im->tpixels[y][x] = 0;

+								php_gd_error("gd2: EOF while reading\n");

+								gdImageDestroy(im);

+								return NULL;

 							}

 						} else {

 							int ch;

 							if (!gdGetByte(&ch, in)) {

-								ch = 0;

+								php_gd_error("gd2: EOF while reading\n");

+								gdImageDestroy(im);

+								return NULL;

 							}

 							im->pixels[y][x] = ch;

 						}

-- 

2.1.4