rpms / php

Clone
Source Code
GIT

Blame SOURCES/php-5.4.16-CVE-2016-5767.patch

c4 c5 c5-plus c6 c6-plus c7 c7-aarch64 c7-alt c7-beta c7-ppc64le c8-beta-stream-7.2 c8-beta-stream-7.3 c8-beta-stream-7.4 c8-beta-stream-8.0 c8-stream-7.2 c8-stream-7.3 c8-stream-7.4 c8-stream-8.0 c8s-stream-7.4 c8s-stream-8.0 c9 c9-beta c9-beta-stream-8.1 c9-stream-8.1
  1.   8d87dc7113e1c756c4ddb82ef393ae85c2eeb6bb
  2.   SOURCES
  3.   php-5.4.16-CVE-2016-5767.patch
Blob History Raw
8d87dc 
Backported from 5.5.37 for 5.4 by Remi Collet
8d87dc
8d87dc
8d87dc 
From c395c6e5d7e8df37a21265ff76e48fe75ceb5ae6 Mon Sep 17 00:00:00 2001
8d87dc 
From: Stanislav Malyshev <stas@php.net>
8d87dc 
Date: Mon, 20 Jun 2016 23:58:26 -0700
8d87dc 
Subject: [PATCH] iFixed bug #72446 - Integer Overflow in
8d87dc 
 gdImagePaletteToTrueColor() resulting in heap overflow
8d87dc
8d87dc 
---
8d87dc 
 NEWS              |  2 ++
8d87dc 
 ext/gd/libgd/gd.c | 22 +++++++++++++---------
8d87dc 
 2 files changed, 15 insertions(+), 9 deletions(-)
8d87dc
8d87dc 
diff --git a/ext/gd/libgd/gd.c b/ext/gd/libgd/gd.c
8d87dc 
index 2c63aac..4dad95a 100644
8d87dc 
--- a/ext/gd/libgd/gd.c
8d87dc 
+++ b/ext/gd/libgd/gd.c
8d87dc 
@@ -133,6 +133,10 @@ gdImagePtr gdImageCreate (int sx, int sy)
8d87dc 
 		return NULL;
8d87dc 
 	}
8d87dc
8d87dc 
+	if (overflow2(sizeof(unsigned char *), sx)) {
8d87dc 
+		return NULL;
8d87dc 
+	}
8d87dc 
+
8d87dc 
 	im = (gdImage *) gdCalloc(1, sizeof(gdImage));
8d87dc
8d87dc 
 	/* Row-major ever since gd 1.3 */
8d87dc

Powered by Pagure 5.13.3

SSH Hostkey/Fingerprint | Documentation