rpms / php55-php

Clone
Source Code
GIT

Blame SOURCES/php-5.5.6-CVE-2013-7327.patch

c7
  1.   e9ca132b9431febf65b3d6f309562d7167318697
  2.   SOURCES
  3.   php-5.5.6-CVE-2013-7327.patch
Blob History Raw
37fd76 
From af09d8b96a8aacdd7d738fec81b695c1c58368f7 Mon Sep 17 00:00:00 2001
37fd76 
From: Remi Collet <remi@php.net>
37fd76 
Date: Wed, 5 Mar 2014 10:40:36 +0100
37fd76 
Subject: [PATCH] Fixed Bug #66815 imagecrop(): insufficient fix for NULL defer
37fd76 
 CVE-2013-7327
37fd76
37fd76 
This amends commit 8f4a537, which aimed to correct NULL dereference because of
37fd76 
missing check of gdImageCreateTrueColor() / gdImageCreate() return value.  That
37fd76 
commit checks for negative crop rectangle width and height, but
37fd76 
gdImageCreate*() can also return NULL when width * height overflows.  Hence
37fd76 
NULL deref is still possible, as gdImageSaveAlpha() and gdImagePaletteCopy()
37fd76 
is called before dst == NULL check.
37fd76
37fd76 
This moves NULL check to happen right after gdImageCreate*().  It also removes
37fd76 
width and height check before gdImageCreate*(), as the same check is done by
37fd76 
image create functions (with an extra warning).
37fd76
37fd76 
From thoger redhat com
37fd76 
---
37fd76 
 ext/gd/libgd/gd_crop.c     | 14 ++++++--------
37fd76 
 ext/gd/tests/bug66356.phpt | 11 ++++++++++-
37fd76 
 2 files changed, 16 insertions(+), 9 deletions(-)
37fd76
37fd76 
diff --git a/ext/gd/libgd/gd_crop.c b/ext/gd/libgd/gd_crop.c
37fd76 
index bba425d..84edb5d 100644
37fd76 
--- a/ext/gd/libgd/gd_crop.c
37fd76 
+++ b/ext/gd/libgd/gd_crop.c
37fd76 
@@ -45,22 +45,20 @@ gdImagePtr gdImageCrop(gdImagePtr src, const gdRectPtr crop)
37fd76 
 	gdImagePtr dst;
37fd76 
 	int y;
37fd76
37fd76 
-	/* check size */
37fd76 
-	if (crop->width<=0 || crop->height<=0) {
37fd76 
-		return NULL;
37fd76 
-	}
37fd76 
-
37fd76 
 	/* allocate the requested size (could be only partially filled) */
37fd76 
 	if (src->trueColor) {
37fd76 
 		dst = gdImageCreateTrueColor(crop->width, crop->height);
37fd76 
+		if (dst == NULL) {
37fd76 
+			return NULL;
37fd76 
+		}
37fd76 
 		gdImageSaveAlpha(dst, 1);
37fd76 
 	} else {
37fd76 
 		dst = gdImageCreate(crop->width, crop->height);
37fd76 
+		if (dst == NULL) {
37fd76 
+			return NULL;
37fd76 
+		}
37fd76 
 		gdImagePaletteCopy(dst, src);
37fd76 
 	}
37fd76 
-	if (dst == NULL) {
37fd76 
-		return NULL;
37fd76 
-	}
37fd76 
 	dst->transparent = src->transparent;
37fd76
37fd76 
 	/* check position in the src image */
37fd76 
diff --git a/ext/gd/tests/bug66356.phpt b/ext/gd/tests/bug66356.phpt
37fd76 
index 2da91d6..583d749 100644
37fd76 
--- a/ext/gd/tests/bug66356.phpt
37fd76 
+++ b/ext/gd/tests/bug66356.phpt
37fd76 
@@ -24,6 +24,8 @@ var_dump(imagecrop($img, array("x" => -20, "y" => -20, "width" => 10, "height" =
37fd76 
 // POC #4
37fd76 
 var_dump(imagecrop($img, array("x" => 0x7fffff00, "y" => 0, "width" => 10, "height" => 10)));
37fd76
37fd76 
+// bug 66815
37fd76 
+var_dump(imagecrop($img, array("x" => 0, "y" => 0, "width" => 65535, "height" => 65535)));
37fd76 
 ?>
37fd76 
 --EXPECTF--
37fd76 
 resource(%d) of type (gd)
37fd76 
@@ -35,6 +37,13 @@ Array
37fd76 
     [width] => 10
37fd76 
     [height] => 10
37fd76 
 )
37fd76 
+
37fd76 
+Warning: imagecrop(): gd warning: one parameter to a memory allocation multiplication is negative or zero, failing operation gracefully
37fd76 
+ in %sbug66356.php on line %d
37fd76 
 bool(false)
37fd76 
 resource(%d) of type (gd)
37fd76 
-resource(%d) of type (gd)
37fd76 
\ No newline at end of file
37fd76 
+resource(%d) of type (gd)
37fd76 
+
37fd76 
+Warning: imagecrop(): gd warning: product of memory allocation multiplication would exceed INT_MAX, failing operation gracefully
37fd76 
+ in %sbug66356.php on line %d
37fd76 
+bool(false)
37fd76 
\ No newline at end of file
37fd76 
--
37fd76 
1.8.4.3
37fd76

Powered by Pagure 5.14.1

SSH Hostkey/Fingerprint | Documentation