php.net | support | documentation | report a bug | advanced search | search howto | statistics | random bug | login | |
Patch 0004-Fix-354-Signed-Integer-Overflow-gd_io.c.patch for GD related Bug #73869Patch version 2017-01-05 10:33 UTC Return to Bug #73869 | Download this patchThis patch is obsolete Obsoleted by patches: Patch Revisions:Developer: ondrejFrom 4d18edb4a3cb150967648925896adcd666797eaf Mon Sep 17 00:00:00 2001 From: "Christoph M. Becker" <cmbecker69@gmx.de> Date: Sat, 17 Dec 2016 17:06:58 +0100 Subject: [PATCH 4/4] Fix #354: Signed Integer Overflow gd_io.c GD2 stores the number of horizontal and vertical chunks as words (i.e. 2 byte unsigned). These values are multiplied and assigned to an int when reading the image, what can cause integer overflows. We have to avoid that, and also make sure that either chunk count is actually greater than zero. If illegal chunk counts are detected, we bail out from reading the image. --- ext/gd/libgd/gd_gd2.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/ext/gd/libgd/gd_gd2.c b/ext/gd/libgd/gd_gd2.c index 4a752d3..f343db2 100644 --- a/ext/gd/libgd/gd_gd2.c +++ b/ext/gd/libgd/gd_gd2.c @@ -136,6 +136,10 @@ static int _gd2GetHeader(gdIOCtxPtr in, int *sx, int *sy, int *cs, int *vers, in GD2_DBG(php_gd_error("%d Chunks vertically", *ncy)); if (gd2_compressed(*fmt)) { + if (*ncx <= 0 || *ncy <= 0 || *ncx > INT_MAX / *ncy) { + GD2_DBG(printf ("Illegal chunk counts: %d * %d\n", *ncx, *ncy)); + goto fail1; + } nc = (*ncx) * (*ncy); GD2_DBG(php_gd_error("Reading %d chunk index entries", nc)); if (overflow2(sizeof(t_chunk_info), nc)) { -- 2.1.4 |
Copyright © 2001-2024 The PHP Group All rights reserved. |
Last updated: Thu Nov 21 17:01:32 2024 UTC |