
Patch fix-73868 for GD related Bug #73868

Patch version 2017-01-05 15:53 UTC

Developer: cmb@php.net

From 2953ad92ace494c2befaa70aa01af000a358030f Mon Sep 17 00:00:00 2001
From: "Christoph M. Becker" <cmbecker69@gmx.de>
Date: Tue, 16 Aug 2016 18:23:36 +0200
Subject: [PATCH] Fix #73868: DOS vulnerability in gdImageCreateFromGd2Ctx()

We must not pretend that there are image data if there are none. Instead
we fail reading the image file gracefully.
---
 ext/gd/libgd/gd_gd2.c      |   8 ++++++--
 ext/gd/tests/bug73868.gd2  | Bin 0 -> 1050 bytes
 ext/gd/tests/bug73868.phpt |  18 ++++++++++++++++++
 3 files changed, 24 insertions(+), 2 deletions(-)
 create mode 100644 ext/gd/tests/bug73868.gd2
 create mode 100644 ext/gd/tests/bug73868.phpt

diff --git a/ext/gd/libgd/gd_gd2.c b/ext/gd/libgd/gd_gd2.c
index d06f328..196b785 100644
--- a/ext/gd/libgd/gd_gd2.c
+++ b/ext/gd/libgd/gd_gd2.c
@@ -340,12 +340,16 @@ gdImagePtr gdImageCreateFromGd2Ctx (gdIOCtxPtr in)
 					for (x = xlo; x < xhi; x++) {
 						if (im->trueColor) {
 							if (!gdGetInt(&im->tpixels[y][x], in)) {
-								im->tpixels[y][x] = 0;
+								php_gd_error("gd2: EOF while reading\n");
+								gdImageDestroy(im);
+								return NULL;
 							}
 						} else {
 							int ch;
 							if (!gdGetByte(&ch, in)) {
-								ch = 0;
+								php_gd_error("gd2: EOF while reading\n");
+								gdImageDestroy(im);
+								return NULL;
 							}
 							im->pixels[y][x] = ch;
 						}
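Review bot: The message passed to php_gd_error() in both new error paths ends in "\n", which splits the emitted warning across two lines; the EXPECTF section of bug73868.phpt has to match "gd2: EOF while reading" and " in %s on line %d" separately because of it. Dropping the trailing newline would keep the warning on one line. The text also asserts EOF, while the hunk only shows that gdGetInt() or gdGetByte() reported failure, so wording such as "gd2: read failed" may be more accurate. The same three-line bail-out (php_gd_error, gdImageDestroy(im), return NULL) is now duplicated in the truecolor and palette branches; a single shared failure path would keep the two from drifting apart.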
diff --git a/ext/gd/tests/bug73868.gd2 b/ext/gd/tests/bug73868.gd2
new file mode 100644
index 0000000000000000000000000000000000000000..1c797d1acfae114be5505962f9f3201f01bca420
GIT binary patch
literal 1050
kcmYdKF=Aj~GB98;U@~A}1kqrw!6+CFfzc2c!6Cp30J@*U8UO$Q

literal 0
HcmV?d00001

diff --git a/ext/gd/tests/bug73868.phpt b/ext/gd/tests/bug73868.phpt
new file mode 100644
index 0000000..135be79
--- /dev/null
+++ b/ext/gd/tests/bug73868.phpt
@@ -0,0 +1,18 @@
+--TEST--
+Bug 73868 (DOS vulnerability in gdImageCreateFromGd2Ctx())
+--SKIPIF--
+<?php
+if (!extension_loaded('gd')) die('skip gd extension not available');
+?>
+--FILE--
+<?php
+var_dump(imagecreatefromgd2(__DIR__ . DIRECTORY_SEPARATOR . 'bug73868.gd2'));
+?>
+===DONE===
+--EXPECTF--
+Warning: imagecreatefromgd2(): gd2: EOF while reading
+ in %s on line %d
+
+Warning: imagecreatefromgd2(): '%s' is not a valid GD2 file in %s on line %d
+bool(false)
+===DONE===
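Review bot: The --FILE-- section loads a single fixture and the expected output contains a single "EOF while reading" warning, so only one of the two error paths added in gd_gd2.c (truecolor via gdGetInt(), palette via gdGetByte()) is exercised. A second truncated fixture of the other image type would cover both. The test also gives no hint of what is malformed about bug73868.gd2; a short comment stating the declared dimensions and where the pixel data stops would make the 1050-byte binary reviewable.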
-- 
2.10.2.windows.1

 
Last updated: Tue Aug 29 15:01:52 2017 UTC