Patch fix-73869 for GD related Bug #73869

Patch version 2017-01-05 17:00 UTC

Obsolete patches:

• 0004-Fix-354-Signed-Integer-Overflow-gd_io.c.patch, revision 2017-01-05 10:33 UTC

• 2017-01-05 17:00 UTC [diff to current]

Developer: cmb@php.net

From ae36fc28ce8c7a27dec4a85806f85d82f2e37213 Mon Sep 17 00:00:00 2001
From: "Christoph M. Becker" <cmbecker69@gmx.de>
Date: Sat, 17 Dec 2016 17:06:58 +0100
Subject: [PATCH] Fix #73869: Signed Integer Overflow gd_io.c

GD2 stores the number of horizontal and vertical chunks as words (i.e. 2
byte unsigned). These values are multiplied and assigned to an int when
reading the image, what can cause integer overflows. We have to avoid
that, and also make sure that either chunk count is actually greater
than zero. If illegal chunk counts are detected, we bail out from
reading the image.
---
 ext/gd/libgd/gd_gd2.c      |   4 ++++
 ext/gd/tests/bug73869.phpt |  19 +++++++++++++++++++
 ext/gd/tests/bug73869a.gd2 | Bin 0 -> 92 bytes
 ext/gd/tests/bug73869b.gd2 | Bin 0 -> 18 bytes
 4 files changed, 23 insertions(+)
 create mode 100644 ext/gd/tests/bug73869.phpt
 create mode 100644 ext/gd/tests/bug73869a.gd2
 create mode 100644 ext/gd/tests/bug73869b.gd2

diff --git a/ext/gd/libgd/gd_gd2.c b/ext/gd/libgd/gd_gd2.c
index d06f328..83eaaa3 100644
--- a/ext/gd/libgd/gd_gd2.c
+++ b/ext/gd/libgd/gd_gd2.c
@@ -136,6 +136,10 @@ static int _gd2GetHeader(gdIOCtxPtr in, int *sx, int *sy, int *cs, int *vers, in
 	GD2_DBG(php_gd_error("%d Chunks vertically", *ncy));
 
 	if (gd2_compressed(*fmt)) {
+		if (*ncx <= 0 || *ncy <= 0 || *ncx > INT_MAX / *ncy) {
+			GD2_DBG(printf ("Illegal chunk counts: %d * %d\n", *ncx, *ncy));
+			goto fail1;
+		}
 		nc = (*ncx) * (*ncy);
 		GD2_DBG(php_gd_error("Reading %d chunk index entries", nc));
 		if (overflow2(sizeof(t_chunk_info), nc)) {
diff --git a/ext/gd/tests/bug73869.phpt b/ext/gd/tests/bug73869.phpt
new file mode 100644
index 0000000..06160fb
--- /dev/null
+++ b/ext/gd/tests/bug73869.phpt
@@ -0,0 +1,19 @@
+--TEST--
+Bug #73869 (Signed Integer Overflow gd_io.c)
+--SKIPIF--
+<?php
+if (!extension_loaded('gd')) die('skip gd extension not available');
+?>
+--FILE--
+<?php
+var_dump(imagecreatefromgd2(__DIR__ . DIRECTORY_SEPARATOR . 'bug73869a.gd2'));
+var_dump(imagecreatefromgd2(__DIR__ . DIRECTORY_SEPARATOR . 'bug73869b.gd2'));
+?>
+===DONE===
+--EXPECTF--
+Warning: imagecreatefromgd2(): '%s' is not a valid GD2 file in %s on line %d
+bool(false)
+
+Warning: imagecreatefromgd2(): '%s' is not a valid GD2 file in %s on line %d
+bool(false)
+===DONE===
\ No newline at end of file
diff --git a/ext/gd/tests/bug73869a.gd2 b/ext/gd/tests/bug73869a.gd2
new file mode 100644
index 0000000000000000000000000000000000000000..5060bfde3aad5687c0a962a8eddf86c0a83dded9
GIT binary patch
literal 92
zcmYdKF=Aj~Vn_kP1_qY@zyAMbU|^63Vq3=lKu|H~?Lk9EAotLMul{dSxfcMLM1ThA
IISver0HbRYrvLx|

literal 0
HcmV?d00001

diff --git a/ext/gd/tests/bug73869b.gd2 b/ext/gd/tests/bug73869b.gd2
new file mode 100644
index 0000000000000000000000000000000000000000..8600126becb28c0962812c00fc6f2919b9f2ba80
GIT binary patch
literal 18
VcmYdKF=Aj~G5`XG1`y4_001560-^u_

literal 0
HcmV?d00001

-- 
2.10.2.windows.1