Fix for CVE-2017-10168

Backported for 5.4 without test and binary patch

From d2274b01cbbadf5516b3ea87ad76fbae18834007 Mon Sep 17 00:00:00 2001

From: "Christoph M. Becker" <cmbecker69@gmx.de>

Date: Sat, 17 Dec 2016 17:06:58 +0100

Subject: [PATCH] Fix #73869: Signed Integer Overflow gd_io.c

GD2 stores the number of horizontal and vertical chunks as words (i.e. 2

byte unsigned). These values are multiplied and assigned to an int when

reading the image, what can cause integer overflows. We have to avoid

that, and also make sure that either chunk count is actually greater

than zero. If illegal chunk counts are detected, we bail out from

reading the image.

(cherry picked from commit 5b5d9db3988b829e0b121b74bb3947f01c2796a1)

---

 ext/gd/libgd/gd_gd2.c      |   4 ++++

 ext/gd/tests/bug73869.phpt |  19 +++++++++++++++++++

 ext/gd/tests/bug73869a.gd2 | Bin 0 -> 92 bytes

 ext/gd/tests/bug73869b.gd2 | Bin 0 -> 18 bytes

 4 files changed, 23 insertions(+)

 create mode 100644 ext/gd/tests/bug73869.phpt

 create mode 100644 ext/gd/tests/bug73869a.gd2

 create mode 100644 ext/gd/tests/bug73869b.gd2

diff --git a/ext/gd/libgd/gd_gd2.c b/ext/gd/libgd/gd_gd2.c

index 196b785..3eba6b3 100644

--- a/ext/gd/libgd/gd_gd2.c

+++ b/ext/gd/libgd/gd_gd2.c

@@ -136,6 +136,10 @@ static int _gd2GetHeader(gdIOCtxPtr in, int *sx, int *sy, int *cs, int *vers, in

 	GD2_DBG(php_gd_error("%d Chunks vertically", *ncy));

 	if (gd2_compressed(*fmt)) {

+		if (*ncx <= 0 || *ncy <= 0 || *ncx > INT_MAX / *ncy) {

+			GD2_DBG(printf ("Illegal chunk counts: %d * %d\n", *ncx, *ncy));

+			goto fail1;

+		}

 		nc = (*ncx) * (*ncy);

 		GD2_DBG(php_gd_error("Reading %d chunk index entries", nc));

 		if (overflow2(sizeof(t_chunk_info), nc)) {

-- 

2.1.4