Sec Bug #73869 Signed Integer Overflow gd_io.c
Submitted: 2017-01-05 10:33 UTC Modified: 2017-01-28 23:05 UTC
From: ondrej@php.net Assigned: cmb (profile)
Status: Closed Package: GD related
PHP Version: 5.6.29 OS:
Private report: No CVE-ID: 2016-10168
 [2017-01-05 10:33 UTC] ondrej@php.net
Description:
------------
This is a security sync with GD-2.2

~~~

GD2 stores the number of horizontal and vertical chunks as words (i.e. 2
byte unsigned). These values are multiplied and assigned to an int when
reading the image, which can cause integer overflows. We have to avoid
that, and also make sure that either chunk count is actually greater
than zero. If illegal chunk counts are detected, we bail out from
reading the image.
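
The check described in this report, as an added example (not the libgd or PHP patch itself): both chunk counts must be greater than zero and their product must fit in an `int` before the multiplication is performed. The function names and sample bytes are constructed for illustration; a big-endian word layout and a 32-bit `int` are assumed.

```c
#include <limits.h>
#include <stdio.h>

/* Read one 2-byte unsigned word (big-endian byte order is an assumption). */
static int read_word(const unsigned char *p)
{
    return (p[0] << 8) | p[1];
}

/* Exact product in 64 bits: what the header asks for, free of overflow. */
long long exact_chunks(int ncx, int ncy)
{
    return (long long)ncx * (long long)ncy;
}

/* Hypothetical helper: validate both chunk counts before multiplying them
 * into an int. Returns 0 and stores the product in *nc, or -1 if illegal. */
int checked_chunks(int ncx, int ncy, int *nc)
{
    if (ncx <= 0 || ncy <= 0)   /* either chunk count must be > 0 */
        return -1;
    if (ncx > INT_MAX / ncy)    /* ncx * ncy would not fit in an int */
        return -1;
    *nc = ncx * ncy;            /* safe: bounded by the check above */
    return 0;
}

int main(void)
{
    /* Constructed header fragments: {ncx hi, ncx lo, ncy hi, ncy lo}. */
    static const unsigned char samples[][4] = {
        {0x00, 0x04, 0x00, 0x03},   /* 4 x 3: legal */
        {0x00, 0x00, 0x00, 0x03},   /* zero horizontal chunks */
        {0xff, 0xff, 0xff, 0xff},   /* 65535 x 65535 */
        {0xb5, 0x05, 0xb5, 0x05},   /* 46341 x 46341: just over INT_MAX */
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int ncx = read_word(samples[i]), ncy = read_word(samples[i] + 2), nc = 0;
        int rc = checked_chunks(ncx, ncy, &nc);
        printf("%5d x %5d = %10lld -> %s\n", ncx, ncy,
               exact_chunks(ncx, ncy), rc == 0 ? "accepted" : "rejected");
    }
    return 0;
}
```

Two 16-bit words can multiply to as much as 4294836225, roughly twice `INT_MAX`, which is why the bound is tested with a division before the product is ever formed.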



Patches

fix-73869 (last revision 2017-01-05 17:00 UTC by cmb@php.net)
0004-Fix-354-Signed-Integer-Overflow-gd_io.c.patch (last revision 2017-01-05 10:33 UTC by ondrej)

Pull Requests

History

 [2017-01-05 17:00 UTC] cmb@php.net
The following patch has been added/updated:

Patch Name: fix-73869
Revision:   1483635640
URL:        https://bugs.php.net/patch-display.php?bug=73869&patch=fix-73869&revision=1483635640
 [2017-01-05 17:01 UTC] cmb@php.net
fix-73869 adds a respective PHPT, and should be applied against
PHP-5.6.
 [2017-01-05 19:27 UTC] stas@php.net
-Assigned To: +Assigned To: cmb
 [2017-01-05 23:08 UTC] cmb@php.net
-PHP Version: 7.1.0 +PHP Version: 5.6.29
 [2017-01-16 17:08 UTC] ab@php.net
Patch is merged into security repo as 5b5d9db3988b829e0b121b74bb3947f01c2796a1.

Thanks.
 [2017-01-21 16:56 UTC] cmb@php.net
-Status: Assigned +Status: Closed
 [2017-01-21 16:56 UTC] cmb@php.net
The fix has been released with PHP 5.6.30, 7.0.15 and 7.1.1, so
I'm (dis)closing.
 [2017-01-28 23:05 UTC] cmb@php.net
-CVE-ID: +CVE-ID: 2016-10168