php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Sec Bug #73869 Signed Integer Overflow gd_io.c
Submitted: 2017-01-05 10:33 UTC Modified: 2017-01-28 23:05 UTC
From: ondrej@php.net Assigned: cmb
Status: Closed Package: GD related
PHP Version: 5.6.29 OS:
Private report: No CVE-ID: 2016-10168
Password:
Status:
Package:
Bug Type:
Summary:
From: ondrej@php.net
New email:
PHP Version: OS:

 

 [2017-01-05 10:33 UTC] ondrej@php.net
Description:
------------
This is a security sync with GD-2.2

~~~

GD2 stores the number of horizontal and vertical chunks as words (i.e. 2
byte unsigned). These values are multiplied and assigned to an int when
reading the image, what can cause integer overflows. We have to avoid
that, and also make sure that either chunk count is actually greater
than zero. If illegal chunk counts are detected, we bail out from
reading the image.



Patches

fix-73869 (last revision 2017-01-05 17:00 UTC) by cmb@php.net)
0004-Fix-354-Signed-Integer-Overflow-gd_io.c.patch (last revision 2017-01-05 10:33 UTC) by ondrej)

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2017-01-05 17:00 UTC] cmb@php.net
The following patch has been added/updated:

Patch Name: fix-73869
Revision:   1483635640
URL:        https://bugs.php.net/patch-display.php?bug=73869&patch=fix-73869&revision=1483635640
 [2017-01-05 17:01 UTC] cmb@php.net
fix-73869 adds a respective PHPT, and should be applied against
PHP-5.6.
 [2017-01-05 19:27 UTC] stas@php.net
-Assigned To: +Assigned To: cmb
 [2017-01-05 23:08 UTC] cmb@php.net
-PHP Version: 7.1.0 +PHP Version: 5.6.29
 [2017-01-16 17:08 UTC] ab@php.net
Patch is merged into security repo as 5b5d9db3988b829e0b121b74bb3947f01c2796a1.

Thanks.
 [2017-01-21 16:56 UTC] cmb@php.net
-Status: Assigned +Status: Closed
 [2017-01-21 16:56 UTC] cmb@php.net
The fix has been released with PHP 5.6.30, 7.0.15 and 7.1.1, so
I'm (dis)closing.
 [2017-01-28 23:05 UTC] cmb@php.net
-CVE-ID: +CVE-ID: 2016-10168
 
PHP Copyright © 2001-2017 The PHP Group
All rights reserved.
Last updated: Tue Aug 29 15:01:52 2017 UTC