Patch 0001-Fix-NULL-deref-in-gdImageCrop.patch for GD related Bug #66815

Patch version 2014-03-03 16:19 UTC

Obsolete patches:

• libgd-test.patch, revision 2014-03-03 16:13 UTC

• 2014-03-03 16:19 UTC [diff to current]

Developer: remi@php.net

From a99e09d2e744dae2d40d3658560ee2bba0adb7c6 Mon Sep 17 00:00:00 2001
From: Tomas Hoger <thoger@redhat.com>
Date: Mon, 3 Mar 2014 16:35:14 +0100
Subject: Fix NULL deref in gdImageCrop()

This amends commit 8f4a537, which aimed to correct NULL dereference because of
missing check of gdImageCreateTrueColor() / gdImageCreate() return value.  That
commit checks for negative crop rectangle width and height, but
gdImageCreate*() can also return NULL when width * height overflows.  Hence
NULL deref is still possible, as gdImageSaveAlpha() and gdImagePaletteCopy()
is called before dst == NULL check.

This moves NULL check to happen right after gdImageCreate*().  It also removes
width and height check before gdImageCreate*(), as the same check is done by
image create functions (with an extra warning).
---
 ext/gd/libgd/gd_crop.c | 14 ++++++--------
 1 file changed, 6 insertions(+), 8 deletions(-)

diff --git ext/gd/libgd/gd_crop.c ext/gd/libgd/gd_crop.c
index bba425d..84edb5d 100644
--- ext/gd/libgd/gd_crop.c
+++ ext/gd/libgd/gd_crop.c
@@ -45,22 +45,20 @@ gdImagePtr gdImageCrop(gdImagePtr src, const gdRectPtr crop)
 	gdImagePtr dst;
 	int y;
 
-	/* check size */
-	if (crop->width<=0 || crop->height<=0) {
-		return NULL;
-	}
-
 	/* allocate the requested size (could be only partially filled) */
 	if (src->trueColor) {
 		dst = gdImageCreateTrueColor(crop->width, crop->height);
+		if (dst == NULL) {
+			return NULL;
+		}
 		gdImageSaveAlpha(dst, 1);
 	} else {
 		dst = gdImageCreate(crop->width, crop->height);
+		if (dst == NULL) {
+			return NULL;
+		}
 		gdImagePaletteCopy(dst, src);
 	}
-	if (dst == NULL) {
-		return NULL;
-	}
 	dst->transparent = src->transparent;
 
 	/* check position in the src image */
-- 
1.8.3.1