48 lines
1.5 KiB
Diff
48 lines
1.5 KiB
Diff
Fix for CVE-2017-10168
|
|
Backported for 5.4 without test and binary patch
|
|
|
|
|
|
From f1b2afc9d9e77edf41804f5dfc4e2069d8a12975 Mon Sep 17 00:00:00 2001
|
|
From: "Christoph M. Becker" <cmbecker69@gmx.de>
|
|
Date: Tue, 16 Aug 2016 18:23:36 +0200
|
|
Subject: [PATCH] Fix #73868: DOS vulnerability in gdImageCreateFromGd2Ctx()
|
|
|
|
We must not pretend that there are image data if there are none. Instead
|
|
we fail reading the image file gracefully.
|
|
|
|
(cherry picked from commit cdb648dc4115ce0722f3cc75e6a65115fc0e56ab)
|
|
---
|
|
ext/gd/libgd/gd_gd2.c | 8 ++++++--
|
|
ext/gd/tests/bug73868.gd2 | Bin 0 -> 1050 bytes
|
|
ext/gd/tests/bug73868.phpt | 18 ++++++++++++++++++
|
|
3 files changed, 24 insertions(+), 2 deletions(-)
|
|
create mode 100644 ext/gd/tests/bug73868.gd2
|
|
create mode 100644 ext/gd/tests/bug73868.phpt
|
|
|
|
diff --git a/ext/gd/libgd/gd_gd2.c b/ext/gd/libgd/gd_gd2.c
|
|
index d06f328..196b785 100644
|
|
--- a/ext/gd/libgd/gd_gd2.c
|
|
+++ b/ext/gd/libgd/gd_gd2.c
|
|
@@ -334,12 +334,16 @@ gdImagePtr gdImageCreateFromGd2Ctx (gdIOCtxPtr in)
|
|
for (x = xlo; x < xhi; x++) {
|
|
if (im->trueColor) {
|
|
if (!gdGetInt(&im->tpixels[y][x], in)) {
|
|
- im->tpixels[y][x] = 0;
|
|
+ php_gd_error("gd2: EOF while reading\n");
|
|
+ gdImageDestroy(im);
|
|
+ return NULL;
|
|
}
|
|
} else {
|
|
int ch;
|
|
if (!gdGetByte(&ch, in)) {
|
|
- ch = 0;
|
|
+ php_gd_error("gd2: EOF while reading\n");
|
|
+ gdImageDestroy(im);
|
|
+ return NULL;
|
|
}
|
|
im->pixels[y][x] = ch;
|
|
}
|
|
--
|
|
2.1.4
|
|
|
