|  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Sec Bug #73868 Fix DOS vulnerability in gdImageCreateFromGd2Ctx()
Submitted: 2017-01-05 10:31 UTC Modified: 2017-01-28 23:06 UTC
From: Assigned: cmb (profile)
Status: Closed Package: GD related
PHP Version: 5.6.29 OS:
Private report: No CVE-ID: 2016-10167
View Add Comment Developer Edit
Welcome! If you don't have a Git account, you can't do anything here.
You can add a comment by following this link or if you reported this bug, you can edit this bug over here.
Block user comment
Status: Assign to:
Bug Type:
New email:
PHP Version: OS:


 [2017-01-05 10:31 UTC]
This is a security sync with GD-2.2


We must not pretend that there are image data if there are none. Instead
we fail reading the image file gracefully.


fix-73868 (last revision 2017-01-05 15:53 UTC by
0003-Fix-DOS-vulnerability-in-gdImageCreateFromGd2Ctx.patch (last revision 2017-01-05 10:31 UTC by ondrej)

Add a Patch

Pull Requests

Add a Pull Request


AllCommentsChangesGit/SVN commitsRelated reports
 [2017-01-05 10:32 UTC]
-Type: Bug +Type: Security -Private report: No +Private report: Yes
 [2017-01-05 15:53 UTC]
The following patch has been added/updated:

Patch Name: fix-73868
Revision:   1483631603
 [2017-01-05 15:56 UTC]
fix-73868 fixes a compile issue with Ondřej's patch and also adds
a respective PHPT. It should be applied against PHP-5.6.
 [2017-01-05 19:33 UTC]
-Assigned To: +Assigned To: cmb
 [2017-01-05 19:34 UTC]
Is this bug 7.1 only? If not, the version should be set to the minimal branch this bug happens in (since it's GD I assume it'd be 5.6).
 [2017-01-05 23:07 UTC]
-PHP Version: 7.1.0 +PHP Version: 5.6.29
 [2017-01-05 23:07 UTC]
Indeed, this affects PHP 5.6+.
 [2017-01-16 17:08 UTC]
Merged into security repo as cdb648dc4115ce0722f3cc75e6a65115fc0e56ab.

 [2017-01-21 16:54 UTC]
-Status: Assigned +Status: Closed
 [2017-01-21 16:54 UTC]
The fix has been released with PHP 5.6.30, 7.0.15 and 7.1.1, so
I'm (dis)closing.
 [2017-01-28 23:06 UTC]
-CVE-ID: +CVE-ID: 2016-10167
PHP Copyright © 2001-2023 The PHP Group
All rights reserved.
Last updated: Thu Jun 01 03:03:40 2023 UTC