Backported from 5.5.37 for 5.4.16
From 7722455726bec8c53458a32851d2a87982cf0eac Mon Sep 17 00:00:00 2001
From: Pierre Joye <pajoye@php.net>
Date: Sat, 18 Jun 2016 20:15:10 +0200
Subject: [PATCH] Fixed #72339 Integer Overflow in _gd2GetHeader() resulting in heap overflow
From 5f107ab8a66f8b36ac0c0b32e0231bf94e083c94 Mon Sep 17 00:00:00 2001
From: Stanislav Malyshev <stas@php.net>
Date: Mon, 20 Jun 2016 22:54:55 -0700
Subject: [PATCH] fix tests
From 0c7250f260303061425d0d8a348d1a80fa0cc12e Mon Sep 17 00:00:00 2001
From: Anatol Belski <ab@php.net>
Date: Tue, 21 Jun 2016 09:42:38 +0200
Subject: [PATCH] remove the huge test file, generate it on the fly instead
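diff --git a/ext/gd/libgd/gd_gd2.c b/ext/gd/libgd/gd_gd2.c
index 6726fee..63e3aef 100644
--- php-5.4.16/ext/gd/libgd/gd_gd2.c.cve5766	2016-08-01 14:11:08.481345064 +0200
+++ php-5.4.16/ext/gd/libgd/gd_gd2.c	2016-08-01 14:15:39.679591854 +0200
@@ -138,11 +138,18 @@ static int _gd2GetHeader(gdIOCtxPtr in,
 	if (gd2_compressed(*fmt)) {
 		nc = (*ncx) * (*ncy);
 		GD2_DBG(php_gd_error("Reading %d chunk index entries", nc));
+		if (overflow2(sizeof(t_chunk_info), nc)) {
+			goto fail1;
+		}
 		sidx = sizeof(t_chunk_info) * nc;
 		if (sidx <= 0) {
 			goto fail1;
 		}
 		cidx = gdCalloc(sidx, 1);
+		if (cidx == NULL) {
+			goto fail1;
+		}
+
 		for (i = 0; i < nc; i++) {
 			if (gdGetInt(&cidx[i].offset, in) != 1) {
 				goto fail1;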
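Review bot: The new overflow2() guard covers only the second multiplication; `nc = (*ncx) * (*ncy)` two lines above it is still an unchecked signed product, and if ncx and ncy are taken from the file header (their reading is outside this hunk) an untrusted header can overflow it, which is undefined behaviour before overflow2() ever sees nc. A guard on the first product, `if (overflow2(*ncx, *ncy)) { goto fail1; }`, placed before that assignment closes the gap in the same style as the added check. Whether the fail1 label releases a cidx that was allocated before a later gdGetInt() failure cannot be seen here; _gd2GetHeader() starts and ends outside the hunk.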
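diff --git a/ext/gd/tests/bug72339.phpt b/ext/gd/tests/bug72339.phpt
new file mode 100644
index 0000000..763ae71
--- /dev/null
+++ b/ext/gd/tests/bug72339.phpt
@@ -0,0 +1,11 @@
+--TEST--
+Bug #72339 Integer Overflow in _gd2GetHeader() resulting in heap overflow
+--SKIPIF--
+
+--FILE--
+
+--EXPECTF--
+Warning: imagecreatefromgd2(): gd warning: product of memory allocation multiplication would exceed INT_MAX, failing operation gracefully
+ in %sbug72339.php on line %d
+
+Warning: imagecreatefromgd2(): '%sbug72339.gd' is not a valid GD2 file in %sbug72339.php on line %d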
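diff --git a/ext/gd/tests/bug72339.phpt b/ext/gd/tests/bug72339.phpt
index 763ae71..2c30ee8 100644
--- a/ext/gd/tests/bug72339.phpt
+++ b/ext/gd/tests/bug72339.phpt
@@ -3,7 +3,29 @@ Bug #72339 Integer Overflow in _gd2GetHeader() resulting in heap overflow
 --SKIPIF--
 
 --FILE--
-
+
+$fname = dirname(__FILE__) . DIRECTORY_SEPARATOR . "bug72339.gd";
+
+$fh = fopen($fname, "w");
+fwrite($fh, "gd2\x00");
+fwrite($fh, pack("n", 2));
+fwrite($fh, pack("n", 1));
+fwrite($fh, pack("n", 1));
+fwrite($fh, pack("n", 0x40));
+fwrite($fh, pack("n", 2));
+fwrite($fh, pack("n", 0x5AA0)); // Chunks Wide
+fwrite($fh, pack("n", 0x5B00)); // Chunks Vertically
+fwrite($fh, str_repeat("\x41\x41\x41\x41", 0x1000000)); // overflow data
+fclose($fh);
+
+$im = imagecreatefromgd2($fname);
+
+if ($im) {
+	imagedestroy($im);
+}
+unlink($fname);
+
+?>
 --EXPECTF--
 Warning: imagecreatefromgd2(): gd warning: product of memory allocation multiplication would exceed INT_MAX, failing operation gracefully
  in %sbug72339.php on line %d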
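Review bot: The 64 MiB file written by `fwrite($fh, str_repeat("\x41\x41\x41\x41", 0x1000000));` is only removed by the `unlink($fname);` at the end of --FILE--, so if imagecreatefromgd2() ends the script with a fatal error the file is left behind in the test directory. Moving the removal into a `--CLEAN--` section, `<?php unlink(dirname(__FILE__) . DIRECTORY_SEPARATOR . "bug72339.gd"); ?>`, makes the cleanup run regardless of how --FILE-- finishes. The `fopen($fname, "w")` result is also used without a check, so a non-writable test directory yields a cascade of unrelated warnings rather than a clear failure. The lines directly after --SKIPIF-- and --FILE-- appear empty on this page, presumably a rendering artefact rather than the committed content.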