php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login

go to bug id or search bugs for

Sec Bug #73869 Signed Integer Overflow gd_io.c
Submitted: 2017-01-05 10:33 UTC Modified: 2017-01-28 23:05 UTC
From: ondrej@php.net Assigned: cmb (profile)
Status: Closed Package: GD related
PHP Version: 5.6.29 OS:
Private report: No CVE-ID: 2016-10168
View Developer Edit
 [2017-01-05 10:33 UTC] ondrej@php.net 
Description:
------------
This is a security sync with GD-2.2

~~~

GD2 stores the number of horizontal and vertical chunks as words (i.e. 2
byte unsigned). These values are multiplied and assigned to an int when
reading the image, what can cause integer overflows. We have to avoid
that, and also make sure that either chunk count is actually greater
than zero. If illegal chunk counts are detected, we bail out from
reading the image.

Patches

fix-73869 (last revision 2017-01-05 17:00 UTC by cmb@php.net)
0004-Fix-354-Signed-Integer-Overflow-gd_io.c.patch (last revision 2017-01-05 10:33 UTC by ondrej)

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2017-01-05 17:00 UTC] cmb@php.net 
The following patch has been added/updated:

Patch Name: fix-73869
Revision:   1483635640
URL:        https://bugs.php.net/patch-display.php?bug=73869&patch=fix-73869&revision=1483635640
 [2017-01-05 17:01 UTC] cmb@php.net 
fix-73869 adds a respective PHPT, and should be applied against
PHP-5.6.
 [2017-01-05 19:27 UTC] stas@php.net
-Assigned To: +Assigned To: cmb
 [2017-01-05 23:08 UTC] cmb@php.net
-PHP Version: 7.1.0 +PHP Version: 5.6.29
 [2017-01-16 17:08 UTC] ab@php.net 
Patch is merged into security repo as 5b5d9db3988b829e0b121b74bb3947f01c2796a1.

Thanks.
 [2017-01-21 16:56 UTC] cmb@php.net
-Status: Assigned +Status: Closed
 [2017-01-21 16:56 UTC] cmb@php.net 
The fix has been released with PHP 5.6.30, 7.0.15 and 7.1.1, so
I'm (dis)closing.
 [2017-01-28 23:05 UTC] cmb@php.net
-CVE-ID: +CVE-ID: 2016-10168
 
PHP Copyright © 2001-2025 The PHP Group
All rights reserved. 		Last updated: Fri Oct 31 01:00:01 2025 UTC