Patch fix-73868 for GD related Bug #73868Patch version 2017-01-05 15:53 UTC Return to Bug #73868 | Download this patchThis patch renders other patches obsolete Obsolete patches: Patch Revisions:Developer: cmb@php.netFrom 2953ad92ace494c2befaa70aa01af000a358030f Mon Sep 17 00:00:00 2001 From: "Christoph M. Becker" <cmbecker69@gmx.de> Date: Tue, 16 Aug 2016 18:23:36 +0200 Subject: [PATCH] Fix #73868: DOS vulnerability in gdImageCreateFromGd2Ctx() We must not pretend that there are image data if there are none. Instead we fail reading the image file gracefully. --- ext/gd/libgd/gd_gd2.c | 8 ++++++-- ext/gd/tests/bug73868.gd2 | Bin 0 -> 1050 bytes ext/gd/tests/bug73868.phpt | 18 ++++++++++++++++++ 3 files changed, 24 insertions(+), 2 deletions(-) create mode 100644 ext/gd/tests/bug73868.gd2 create mode 100644 ext/gd/tests/bug73868.phpt diff --git a/ext/gd/libgd/gd_gd2.c b/ext/gd/libgd/gd_gd2.c index d06f328..196b785 100644 --- a/ext/gd/libgd/gd_gd2.c +++ b/ext/gd/libgd/gd_gd2.c @@ -340,12 +340,16 @@ gdImagePtr gdImageCreateFromGd2Ctx (gdIOCtxPtr in) for (x = xlo; x < xhi; x++) { if (im->trueColor) { if (!gdGetInt(&im->tpixels[y][x], in)) { - im->tpixels[y][x] = 0; + php_gd_error("gd2: EOF while reading\n"); + gdImageDestroy(im); + return NULL; } } else { int ch; if (!gdGetByte(&ch, in)) { - ch = 0; + php_gd_error("gd2: EOF while reading\n"); + gdImageDestroy(im); + return NULL; } im->pixels[y][x] = ch; } diff --git a/ext/gd/tests/bug73868.gd2 b/ext/gd/tests/bug73868.gd2 new file mode 100644 index 0000000000000000000000000000000000000000..1c797d1acfae114be5505962f9f3201f01bca420 GIT binary patch literal 1050 kcmYdKF=Aj~GB98;U@~A}1kqrw!6+CFfzc2c!6Cp30J@*U8UO$Q literal 0 HcmV?d00001 diff --git a/ext/gd/tests/bug73868.phpt b/ext/gd/tests/bug73868.phpt new file mode 100644 index 0000000..135be79 --- /dev/null +++ b/ext/gd/tests/bug73868.phpt 
@@ -0,0 +1,18 @@ +--TEST-- +Bug 73868 (DOS vulnerability in gdImageCreateFromGd2Ctx()) +--SKIPIF-- +<?php +if (!extension_loaded('gd')) die('skip gd extension not available'); +?> +--FILE-- +<?php +var_dump(imagecreatefromgd2(__DIR__ . DIRECTORY_SEPARATOR . 'bug73868.gd2')); +?> +===DONE=== +--EXPECTF-- +Warning: imagecreatefromgd2(): gd2: EOF while reading + in %s on line %d + +Warning: imagecreatefromgd2(): '%s' is not a valid GD2 file in %s on line %d +bool(false) +===DONE=== -- 2.10.2.windows.1 |
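Review bot: in ext/gd/libgd/gd_gd2.c, both new failure branches (after `gdGetInt` in the truecolor case and after `gdGetByte` in the palette case) repeat the same three lines and return directly from inside the nested pixel loop, releasing only `im`. Please confirm that nothing else allocated earlier in gdImageCreateFromGd2Ctx() is still live at that point, and consider routing both branches to one shared failure label so the message and the cleanup exist in a single place and cannot drift apart.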
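Review bot: in ext/gd/tests/bug73868.phpt, the --EXPECTF-- section has the first warning split over two lines ("gd2: EOF while reading" followed by " in %s on line %d"), which comes from the trailing "\n" in the php_gd_error() string added in gd_gd2.c; dropping that newline from the message would keep the warning on one line and make the expectation less fragile. The single fixture bug73868.gd2 can also reach only one of the two changed branches, so a second truncated fixture in the other pixel format (truecolor or palette) would cover both error paths.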
Last updated: Mon Nov 04 08:01:28 2024 UTC |