From cf4753691dc55999373d1c576f62ecb298723420 Mon Sep 17 00:00:00 2001 From: Remi Collet Date: Mon, 4 Aug 2014 10:42:39 +0200 Subject: [PATCH] Fixed Bug #66901 php-gd 'c_color' NULL pointer dereference Upstream https://bitbucket.org/libgd/gd-libgd/commits/463c3bd09bfe8e924e19acad7a2a6af16953a704 Notice: this fix don't manage monochrome/monovisual values but just fix the security issue CVE-2014-2497 failing when trying to load such an image --- ext/gd/libgd/gdxpm.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/ext/gd/libgd/gdxpm.c b/ext/gd/libgd/gdxpm.c index 73f86e5..b69414e 100644 --- a/ext/gd/libgd/gdxpm.c +++ b/ext/gd/libgd/gdxpm.c @@ -31,12 +31,17 @@ gdImagePtr gdImageCreateFromXpm (char *filename) if (ret != XpmSuccess) { return 0; } + number = image.ncolors; + for(i = 0; i < number; i++) { + if (!image.colorTable[i].c_color) { + goto done; + } + } if (!(im = gdImageCreate(image.width, image.height))) { goto done; } - number = image.ncolors; colors = (int *) safe_emalloc(number, sizeof(int), 0); for (i = 0; i < number; i++) { switch (strlen (image.colorTable[i].c_color)) { -- 1.9.2