af9dc8
Backported from 5.5.37 for 5.4.16
af9dc8
af9dc8
From 7722455726bec8c53458a32851d2a87982cf0eac Mon Sep 17 00:00:00 2001
af9dc8
From: Pierre Joye <pajoye@php.net>
af9dc8
Date: Sat, 18 Jun 2016 20:15:10 +0200
af9dc8
Subject: [PATCH] Fixed #72339 Integer Overflow in _gd2GetHeader() resulting in heap overflow
af9dc8
af9dc8
From 5f107ab8a66f8b36ac0c0b32e0231bf94e083c94 Mon Sep 17 00:00:00 2001
af9dc8
From: Stanislav Malyshev <stas@php.net>
af9dc8
Date: Mon, 20 Jun 2016 22:54:55 -0700
af9dc8
Subject: [PATCH] fix tests
af9dc8
af9dc8
From 0c7250f260303061425d0d8a348d1a80fa0cc12e Mon Sep 17 00:00:00 2001
af9dc8
From: Anatol Belski <ab@php.net>
af9dc8
Date: Tue, 21 Jun 2016 09:42:38 +0200
af9dc8
Subject: [PATCH] remove the huge test file, generate it on the fly instead
af9dc8
af9dc8
af9dc8
diff --git a/ext/gd/libgd/gd_gd2.c b/ext/gd/libgd/gd_gd2.c
af9dc8
index 6726fee..63e3aef 100644
af9dc8
--- php-5.4.16/ext/gd/libgd/gd_gd2.c.cve5766	2016-08-01 14:11:08.481345064 +0200
af9dc8
+++ php-5.4.16/ext/gd/libgd/gd_gd2.c	2016-08-01 14:15:39.679591854 +0200
af9dc8
@@ -138,11 +138,18 @@ static int _gd2GetHeader(gdIOCtxPtr in,
af9dc8
 	if (gd2_compressed(*fmt)) {
af9dc8
 		nc = (*ncx) * (*ncy);
af9dc8
 		GD2_DBG(php_gd_error("Reading %d chunk index entries", nc));
af9dc8
+		if (overflow2(sizeof(t_chunk_info), nc)) {
af9dc8
+			goto fail1;
af9dc8
+		}
af9dc8
 		sidx = sizeof(t_chunk_info) * nc;
af9dc8
 		if (sidx <= 0) {
af9dc8
 			goto fail1;
af9dc8
 		}
af9dc8
 		cidx = gdCalloc(sidx, 1);
af9dc8
+		if (cidx == NULL) {
af9dc8
+			goto fail1;
af9dc8
+		}
af9dc8
+
af9dc8
 		for (i = 0; i < nc; i++) {
af9dc8
 			if (gdGetInt(&cidx[i].offset, in) != 1) {
af9dc8
 				goto fail1;
af9dc8
diff --git a/ext/gd/tests/bug72339.phpt b/ext/gd/tests/bug72339.phpt
af9dc8
new file mode 100644
af9dc8
index 0000000..763ae71
af9dc8
--- /dev/null
af9dc8
+++ b/ext/gd/tests/bug72339.phpt
af9dc8
@@ -0,0 +1,11 @@
af9dc8
+--TEST--
af9dc8
+Bug #72339 Integer Overflow in _gd2GetHeader() resulting in heap overflow 
af9dc8
+--SKIPIF--
af9dc8
+
af9dc8
+--FILE--
af9dc8
+
af9dc8
+--EXPECTF--	
af9dc8
+Warning: imagecreatefromgd2(): gd warning: product of memory allocation multiplication would exceed INT_MAX, failing operation gracefully
af9dc8
+ in %sbug72339.php on line %d
af9dc8
+
af9dc8
+Warning: imagecreatefromgd2(): '%sbug72339.gd' is not a valid GD2 file in %sbug72339.php on line %d
af9dc8
af9dc8
diff --git a/ext/gd/tests/bug72339.phpt b/ext/gd/tests/bug72339.phpt
af9dc8
index 763ae71..2c30ee8 100644
af9dc8
--- a/ext/gd/tests/bug72339.phpt
af9dc8
+++ b/ext/gd/tests/bug72339.phpt
af9dc8
@@ -3,7 +3,29 @@ Bug #72339 Integer Overflow in _gd2GetHeader() resulting in heap overflow
af9dc8
 --SKIPIF--
af9dc8
 
af9dc8
 --FILE--
af9dc8
-
af9dc8
+
af9dc8
+$fname = dirname(__FILE__) . DIRECTORY_SEPARATOR . "bug72339.gd";
af9dc8
+
af9dc8
+$fh = fopen($fname, "w");
af9dc8
+fwrite($fh, "gd2\x00");
af9dc8
+fwrite($fh, pack("n", 2));
af9dc8
+fwrite($fh, pack("n", 1));
af9dc8
+fwrite($fh, pack("n", 1));
af9dc8
+fwrite($fh, pack("n", 0x40));
af9dc8
+fwrite($fh, pack("n", 2));
af9dc8
+fwrite($fh, pack("n", 0x5AA0)); // Chunks Wide
af9dc8
+fwrite($fh, pack("n", 0x5B00)); // Chunks Vertically
af9dc8
+fwrite($fh, str_repeat("\x41\x41\x41\x41", 0x1000000)); // overflow data
af9dc8
+fclose($fh);
af9dc8
+
af9dc8
+$im = imagecreatefromgd2($fname);
af9dc8
+
af9dc8
+if ($im) {
af9dc8
+	imagedestroy($im);
af9dc8
+}
af9dc8
+unlink($fname);
af9dc8
+
af9dc8
+?>
af9dc8
 --EXPECTF--	
af9dc8
 Warning: imagecreatefromgd2(): gd warning: product of memory allocation multiplication would exceed INT_MAX, failing operation gracefully
af9dc8
  in %sbug72339.php on line %d